Opened 5 years ago
Last modified 5 years ago
#5450 enhancement new
Update twisted.names to be a security-aware non-validating client
| Reported by: | Bob Novas | Owned by: | |
|---|---|---|---|
| Priority: | normal | Milestone: | |
| Component: | names | Keywords: | DNSSEC, twisted.names, security aware, EDNS0 |
| Cc: | Branch: | ||
| Author: | Bob Novas |
Description
Application of this patch to Twisted-11.1.0 updates twisted.names to be EDNS0 capable and security-aware. The client supports all DNSSEC record types and allows operation of the client Resolver as a security-aware non-validating stub resolver. Coupled with a local validating resolver, such as that provided by dnssec-trigger (http://nlnetlabs.nl/projects/dnssec-trigger/) or used with a Comcast validating resolver, this allows a Python client to request EDNS operation, specify DNSSEC OK, request DNS validation, obtain the AD bit in a DNS response, obtain DNSKEY, RRSIG, NSEC, DS and NSEC3 and validate DNS name resolution.
This update also serves as the basis for further DNSSEC upgrades to twisted. The intention is to minimally add a validation to the stub resolver client, and perhaps to upgrade the server.
Attachments (2)
Change History (6)
Changed 5 years ago by
| Attachment: | dnssec-security-aware-nonvalidating-client.patch added |
|---|
comment:1 Changed 5 years ago by
| Keywords: | review added |
|---|
Changed 5 years ago by
| Attachment: | dnssec-security-aware-nonvalidating-client-v2.patch added |
|---|
replaces previous patch in its entirety.
comment:2 Changed 5 years ago by
Attached an updated patch ("...v2") that adds a DNSSEC record type that I missed in the original patch(the NSEC3PARAM record type) along with tests. This patch also updates the server to read a bind format file (e.g., --bindzone=f), including the DNSSEC record types. Had to fix the parser as it was not correct. Also fixed the lookup to allow for trailing dot's in a zone name, as that's how they can be stored.
comment:3 Changed 5 years ago by
Heya Bob. This is pretty exciting. I wonder if you'd be at all interested in splitting the patch into a few smaller pieces to make it easier to review. eg, a ticket for adding the DNSSEC-related record types by themselves without behavior would be fine. Another one adding EDNS0 would be cool. etc. I'm leaving the review keyword on the ticket, in case this sounds like too much work to you, or in case someone else who wants to tackle this whole thing at once comes along, but if splitting up the work sounds okay to you, feel free to remove the review keyword yourself and file the extra tickets.
Regardless, thanks for your efforts here!
dnssec security aware patch to twisted.names