Opened 10 years ago

Last modified 8 years ago

#5454 enhancement new

Add EDNS0 and DNSSEC behavior

Reported by: Bob Novas
Owned by:
Priority: normal
Milestone:
Component: names
Keywords:
Cc: Thijs Triemstra
Branch:
Author: Bob Novas

Description

This patch, applied to Twisted 11.1.0 in addition to but AFTER the patch in 5453, will add EDNS0 and DNSSEC behavior. EDNS0 behavior includes the ability to specify the EDNS0 version (currently only version 0 is defined), the ability to set the DNSSEC OK flag, which requests that a security-aware resolver respond with DNSSEC records, and the ability to specify a maximum UDP packet length that the path between this stub resolver and the recursive resolver can handle. This value can be as large as 65535, though smaller values, such as 1492 for WAN or 4096 for LAN or 8192 for local (e.g., 127.0.0.1), are more relevant. DNSSEC behavior includes the ability to receive and decode all the DNSSEC record types, and the ability to decode the AD (Authentic Data) flag. This means that with this patch, the twisted.names client resolver can function as a security-aware non-validating stub resolver. In conjunction with a validating recursive resolver such as provided locally (e.g., 127.0.0.1) by dnssec-trigger (http://nlnetlabs.nl/projects/dnssec-trigger/) or by any Comcast resolver, this allows a Python client to determine if a name is secure.
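The wire-level pieces the description refers to, as an added stand-alone example (not code from the ticket's patch or from twisted.names): encoding the EDNS0 OPT pseudo-record that carries the version, the DNSSEC OK bit and the UDP payload size, and reading the AD flag from a response header. The function names and the sample response header are constructed for this example; only the standard library is used.

```python
import struct

# DNS header flag bits (RFC 1035 / RFC 4035); AD is bit 5 of the 16-bit flags word.
FLAG_AD = 0x0020
OPT_TYPE = 41

def build_opt_record(udp_payload_size=4096, edns_version=0, dnssec_ok=True):
    """Encode an EDNS0 OPT pseudo-RR (RFC 6891) for the additional section.

    Wire layout: NAME = root (one zero byte), TYPE = 41, CLASS = requestor's
    UDP payload size, TTL = extended-RCODE(8) | version(8) | DO(1) | Z(15),
    RDLENGTH = 0 (no options).  The payload size is the limit the stub
    resolver advertises for the path to its recursive resolver.
    """
    if not 0 <= udp_payload_size <= 65535:
        raise ValueError("UDP payload size must fit in 16 bits")
    if not 0 <= edns_version <= 255:
        raise ValueError("EDNS version must fit in 8 bits")
    ttl = (edns_version << 16) | (0x8000 if dnssec_ok else 0)
    return b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_payload_size, ttl, 0)

def parse_opt_record(data):
    """Decode the fields of an OPT record as a stub resolver would on receipt."""
    if len(data) < 11 or data[0] != 0:
        raise ValueError("OPT record must start with the root name")
    rtype, payload, ttl, rdlen = struct.unpack("!HHIH", data[1:11])
    if rtype != OPT_TYPE:
        raise ValueError("not an OPT record")
    return {
        "udp_payload_size": payload,
        "edns_version": (ttl >> 16) & 0xFF,
        "dnssec_ok": bool(ttl & 0x8000),
        "extended_rcode": ttl >> 24,
    }

def authentic_data(header):
    """Return True if the AD bit is set in a 12-byte DNS response header.

    AD only means something when the upstream resolver validates and the
    path to it is trusted (e.g. a validator on 127.0.0.1), since a
    non-validating stub cannot verify the signatures itself.
    """
    if len(header) < 12:
        raise ValueError("DNS header is 12 bytes")
    (flags,) = struct.unpack("!H", header[2:4])
    return bool(flags & FLAG_AD)

# Constructed response header: QR=1, RD=1, RA=1, AD=1, one question, one answer.
CONSTRUCTED_RESPONSE_HEADER = struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 1, 0, 1)
```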

Change History (1)

Changed 10 years ago by Bob Novas

adds EDNS0 and DNSSEC behavior to twisted (requires 5453)
