Ticket #5454 (enhancement, new)
Add EDNS0 and DNSSEC behavior
Reported by: BobNovas
Author: Bob Novas
Description (last modified by thijs)
This patch, applied to Twisted 11.1.0 in addition to but AFTER the patch in #5453, will add EDNS0 and DNSSEC behavior.

EDNS0 behavior includes the ability to specify the EDNS0 version (currently only version 0 is defined), the ability to set the DNSSEC OK flag, which requests that a security-aware resolver respond with DNSSEC records, and the ability to specify the maximum UDP packet length that the path between this stub resolver and the recursive resolver can handle. This value can be as large as 65535, though smaller values, such as 1492 for WAN, 4096 for LAN or 8192 for local (e.g., 127.0.0.1), are more relevant.

DNSSEC behavior includes the ability to receive and decode all the DNSSEC record types, and the ability to decode the AD (Authentic Data) flag. This means that with this patch, the twisted.names client resolver can function as a security-aware, non-validating stub resolver. In conjunction with a validating recursive resolver, such as one provided locally (e.g., 127.0.0.1) by dnssec-trigger (http://nlnetlabs.nl/projects/dnssec-trigger/) or by any Comcast resolver, this allows a Python client to determine if a name is secure.
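The following is an added, standalone Python example of the wire-level pieces the description refers to; it is not code from this ticket's patch and does not use Twisted's API (the patch's own interface is not shown on this page). It builds a query carrying an EDNS0 OPT pseudo-RR (RFC 6891) with a chosen UDP payload size and the DO bit, then parses a response to read the 12-bit RCODE, the AD flag, the record types returned and the server's EDNS parameters. The response packet is constructed here for the example (example.com, the documentation address 192.0.2.1, an RRSIG whose signature bytes are zero filler, transaction IDs 0x1234 and 0xABCD); none of it is captured traffic.

```python
import struct

# DNS header flag bits (RFC 1035 section 4.1.1; AD from RFC 4035 section 3.2.3)
FLAG_QR = 0x8000
FLAG_RD = 0x0100
FLAG_RA = 0x0080
FLAG_AD = 0x0020

CLASS_IN = 1
TYPE_A = 1
TYPE_OPT = 41       # EDNS0 pseudo-RR (RFC 6891)
TYPE_RRSIG = 46     # DNSSEC signature record (RFC 4034)
DO_BIT = 0x8000     # "DNSSEC OK" bit in the low 16 bits of the OPT TTL (RFC 3225 / RFC 6891)


def encode_name(name):
    """Encode a dotted name as DNS labels terminated by the root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            raw = label.encode("ascii")
            if len(raw) > 63:
                raise ValueError("label too long")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_opt_rr(udp_payload_size=4096, version=0, dnssec_ok=True):
    """Build the OPT pseudo-RR that carries the EDNS0 parameters (RFC 6891 section 6.1.2).

    NAME is the root, TYPE is 41, the CLASS field is reused as the sender's maximum
    UDP payload size, and the TTL field is reused as
    extended-RCODE (8 bits) | EDNS version (8 bits) | DO bit + Z (16 bits).
    """
    if version != 0:
        raise ValueError("only EDNS version 0 is defined")
    if not 512 <= udp_payload_size <= 65535:
        raise ValueError("UDP payload size must be in 512..65535")
    ttl = (version << 16) | (DO_BIT if dnssec_ok else 0)
    return b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_payload_size, ttl, 0)


def build_query(name, qtype, txid, udp_payload_size=4096, dnssec_ok=True):
    """Recursion-desired query: one question plus the OPT RR in the additional section."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 1)   # ARCOUNT=1 for OPT
    question = encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)
    return header + question + build_opt_rr(udp_payload_size, 0, dnssec_ok)


def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:          # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length


def parse_response(msg):
    """Extract header flags, answer record types and EDNS0 parameters from a response."""
    txid, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4     # skip QTYPE + QCLASS
    info = {"id": txid, "qr": bool(flags & FLAG_QR), "ad": bool(flags & FLAG_AD),
            "rcode": flags & 0xF, "answer_types": [], "edns": None}
    for i in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10 + rdlen
        if i < an:
            info["answer_types"].append(rtype)
        if rtype == TYPE_OPT:
            ext_rcode = (ttl >> 24) & 0xFF
            info["edns"] = {"udp_payload_size": rclass, "version": (ttl >> 16) & 0xFF,
                            "do": bool(ttl & DO_BIT), "ext_rcode": ext_rcode}
            info["rcode"] = (ext_rcode << 4) | (flags & 0xF)   # full 12-bit RCODE
    return info


def name_is_secure(info):
    """A non-validating stub's only evidence of security: AD set on a NOERROR response."""
    return info["qr"] and info["rcode"] == 0 and info["ad"]


def sample_response(txid=0x1234, ad=True):
    """Constructed response (not a capture): A + RRSIG for example.com, OPT echoing DO.
    The RRSIG signature bytes are zero filler, not a real signature."""
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_AD if ad else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 2, 0, 1)
    question = encode_name("example.com.") + struct.pack("!HH", TYPE_A, CLASS_IN)
    ptr = b"\xc0\x0c"   # compression pointer back to the QNAME at offset 12
    a_rr = ptr + struct.pack("!HHIH", TYPE_A, CLASS_IN, 300, 4) + bytes([192, 0, 2, 1])
    sig_rdata = (struct.pack("!HBBIIIH", TYPE_A, 13, 2, 300, 0x60000000, 0x5FF00000, 12345)
                 + encode_name("example.com.") + b"\x00" * 64)
    rrsig_rr = ptr + struct.pack("!HHIH", TYPE_RRSIG, CLASS_IN, 300, len(sig_rdata)) + sig_rdata
    return header + question + a_rr + rrsig_rr + build_opt_rr(4096, 0, True)


if __name__ == "__main__":
    q = build_query("example.com.", TYPE_A, 0xABCD, udp_payload_size=4096, dnssec_ok=True)
    print("query:", q.hex())
    info = parse_response(sample_response())
    print("AD:", info["ad"], "EDNS:", info["edns"], "secure:", name_is_secure(info))
```

One caveat the description's "determine if a name is secure" depends on: the AD bit is an assertion by the recursive resolver, not something the stub can verify. It is only meaningful when the resolver actually validates and the path to it cannot be tampered with, which is why the description pairs it with a local resolver on 127.0.0.1; a resolver reached over an untrusted network could have AD set by anyone on the path.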