Opened 3 years ago

Last modified 3 years ago

#5450 enhancement new

Update twisted.names to be a security-aware non-validating client

Reported by: BobNovas
Owned by:
Priority: normal
Milestone:
Component: names
Keywords: DNSSEC, twisted.names, security aware, EDNS0
Cc:
Branch:
Author: Bob Novas
Launchpad Bug:

Description

Application of this patch to Twisted-11.1.0 updates twisted.names to be EDNS0 capable and security-aware. The client supports all DNSSEC record types and allows operation of the client Resolver as a security-aware non-validating stub resolver. Coupled with a local validating resolver, such as that provided by dnssec-trigger (http://nlnetlabs.nl/projects/dnssec-trigger/) or used with a Comcast validating resolver, this allows a Python client to request EDNS operation, specify DNSSEC OK, request DNS validation, obtain the AD bit in a DNS response, obtain DNSKEY, RRSIG, NSEC, DS and NSEC3 and validate DNS name resolution.

This update also serves as the basis for further DNSSEC upgrades to Twisted. The intention is to minimally add validation to the stub resolver client, and perhaps to upgrade the server.
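The wire-level pieces the description lists (an EDNS0 OPT record with DNSSEC OK set on the query, and the AD bit read back from the response) as an added example in plain stdlib Python; this is illustrative code, not the attached patch or twisted.names itself, and the response header it checks is a constructed sample:

```python
import struct

# Bit positions from RFC 1035/4035 (header flags) and RFC 6891 (OPT record TTL field).
AD_FLAG = 0x0020        # Authentic Data: the responder validated the answer
CD_FLAG = 0x0010        # Checking Disabled: asked the responder not to validate
DO_FLAG = 0x00008000    # DNSSEC OK, carried in the OPT pseudo-RR's TTL field
TYPE_OPT = 41
TYPE_DNSKEY = 48


def encode_name(name):
    """Wire-encode a dotted name; a trailing dot is accepted and ignored."""
    labels = [l for l in name.rstrip('.').split('.') if l]
    return b''.join(bytes([len(l)]) + l.encode('ascii') for l in labels) + b'\x00'


def build_query(name, qtype, txid=0x1234, udp_payload=4096, dnssec_ok=True):
    """Return a DNS query with RD set and an EDNS0 OPT record in the additional section."""
    # Header: id, flags (RD only), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=1 (the OPT RR)
    header = struct.pack('!HHHHHH', txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack('!HH', qtype, 1)  # class IN
    # OPT RR: root name, TYPE=41, CLASS=advertised UDP payload size,
    # TTL=ext-rcode(8) | version(8) | DO(1) | Z(15), RDLENGTH=0
    ttl = DO_FLAG if dnssec_ok else 0
    opt = b'\x00' + struct.pack('!HHIH', TYPE_OPT, udp_payload, ttl, 0)
    return header + question + opt


def parse_header(msg):
    """Decode the 12-byte header into the fields a stub resolver cares about."""
    txid, flags, qd, an, ns, ar = struct.unpack('!HHHHHH', msg[:12])
    return {'id': txid, 'qr': bool(flags & 0x8000), 'rcode': flags & 0x000F,
            'ad': bool(flags & AD_FLAG), 'cd': bool(flags & CD_FLAG),
            'qdcount': qd, 'ancount': an, 'nscount': ns, 'arcount': ar}


def answer_is_validated(response, expected_id):
    """True only when the reply matches our query id, is a NOERROR response and carries AD.
    A non-validating stub should trust AD only from a resolver it reaches over a trusted path."""
    h = parse_header(response)
    return h['id'] == expected_id and h['qr'] and h['rcode'] == 0 and h['ad']


# Constructed sample reply header: QR|RD|RA|AD set (0x81A0), NOERROR, 1 question, 1 answer, 1 OPT
SAMPLE_RESPONSE_HEADER = struct.pack('!HHHHHH', 0x1234, 0x81A0, 1, 1, 0, 1)

if __name__ == '__main__':
    q = build_query('example.com.', TYPE_DNSKEY)
    print(q.hex())
    print(answer_is_validated(SAMPLE_RESPONSE_HEADER, 0x1234))
```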

Attachments (2)

dnssec-security-aware-nonvalidating-client.patch (61.7 KB) - added by BobNovas 3 years ago.
dnssec security aware patch to twisted.names
dnssec-security-aware-nonvalidating-client-v2.patch (65.6 KB) - added by BobNovas 3 years ago.
replaces previous patch in its entirety.


Change History (6)

Changed 3 years ago by BobNovas

dnssec security aware patch to twisted.names

comment:1 Changed 3 years ago by BobNovas

  • Keywords review added

Changed 3 years ago by BobNovas

replaces previous patch in its entirety.

comment:2 Changed 3 years ago by BobNovas

Attached an updated patch ("...v2") that adds a DNSSEC record type that I missed in the original patch (the NSEC3PARAM record type) along with tests. This patch also updates the server to read a bind format file (e.g., --bindzone=f), including the DNSSEC record types. Had to fix the parser as it was not correct. Also fixed the lookup to allow for trailing dots in a zone name, as that's how they can be stored.

comment:3 Changed 3 years ago by exarkun

Heya Bob. This is pretty exciting. I wonder if you'd be at all interested in splitting the patch into a few smaller pieces to make it easier to review. E.g., a ticket for adding the DNSSEC-related record types by themselves without behavior would be fine. Another one adding EDNS0 would be cool. Etc. I'm leaving the review keyword on the ticket, in case this sounds like too much work to you, or in case someone else who wants to tackle this whole thing at once comes along, but if splitting up the work sounds okay to you, feel free to remove the review keyword yourself and file the extra tickets.

Regardless, thanks for your efforts here!

comment:4 Changed 3 years ago by BobNovas

  • Keywords review removed

Split into several tickets.
