allow enabling Extended DNS Errors (EDE)

2024-03-05 14:10:20 +01:00 · 2024-03-05 14:10:20 +01:00 · 166863bcc4
commit 166863bcc4
parent 75de211a06
3 changed files with 33 additions and 2 deletions
--- a/packages/dns-test/src/implementation.rs
+++ b/packages/dns-test/src/implementation.rs
@ -8,8 +8,15 @@ use crate::FQDN;

 #[derive(Clone, Copy)]
 pub enum Config<'a> {
-    NameServer { origin: &'a FQDN },
-    Resolver { use_dnssec: bool, netmask: &'a str },
+    NameServer {
+        origin: &'a FQDN,
+    },
+    Resolver {
+        use_dnssec: bool,
+        netmask: &'a str,
+        /// Extended DNS error (RFC8914)
+        ede: bool,
+    },
 }

 impl Config<'_> {
@ -42,6 +49,14 @@ pub enum Implementation {
 }

 impl Implementation {
+    pub fn supports_ede(&self) -> bool {
+        match self {
+            Implementation::Bind => false,
+            Implementation::Hickory(_) => true,
+            Implementation::Unbound => true,
+        }
+    }
+
    #[must_use]
    pub fn is_bind(&self) -> bool {
        matches!(self, Self::Bind)
@ -52,8 +67,11 @@ impl Implementation {
            Config::Resolver {
                use_dnssec,
                netmask,
+                ede,
            } => match self {
                Self::Bind => {
+                    assert!(!ede, "the BIND resolver does not support EDE (RFC8914)");
+
                    minijinja::render!(
                        include_str!("templates/named.resolver.conf.jinja"),
                        use_dnssec => use_dnssec,
@ -62,6 +80,7 @@ impl Implementation {
                }

                Self::Hickory(_) => {
+                    // TODO enable EDE in Hickory when supported
                    minijinja::render!(
                        include_str!("templates/hickory.resolver.toml.jinja"),
                        use_dnssec => use_dnssec,
@ -73,6 +92,7 @@ impl Implementation {
                        include_str!("templates/unbound.conf.jinja"),
                        use_dnssec => use_dnssec,
                        netmask => netmask,
+                        ede => ede,
                    )
                }
            },
--- a/packages/dns-test/src/resolver.rs
+++ b/packages/dns-test/src/resolver.rs
@ -19,6 +19,7 @@ impl Resolver {
    #[allow(clippy::new_ret_no_self)]
    pub fn new(network: &Network, root: Root) -> ResolverSettings {
        ResolverSettings {
+            ede: false,
            network: network.clone(),
            roots: vec![root],
            trust_anchor: TrustAnchor::empty(),
@ -60,6 +61,8 @@ kill -TERM $(cat {pidfile})"
 }

 pub struct ResolverSettings {
+    /// Extended DNS Errors (RFC8914)
+    ede: bool,
    network: Network,
    roots: Vec<Root>,
    trust_anchor: TrustAnchor,
@ -84,6 +87,7 @@ impl ResolverSettings {
        let config = Config::Resolver {
            use_dnssec,
            netmask: self.network.netmask(),
+            ede: self.ede,
        };
        container.cp(
            implementation.conf_file_path(config.role()),
@ -115,6 +119,12 @@ impl ResolverSettings {
        })
    }

+    /// Enables the Extended DNS Errors (RFC8914) feature
+    pub fn extended_dns_errors(&mut self) -> &mut Self {
+        self.ede = true;
+        self
+    }
+
    /// Adds a root hint
    pub fn root(&mut self, root: Root) -> &mut Self {
        self.roots.push(root);
--- a/packages/dns-test/src/templates/unbound.conf.jinja
+++ b/packages/dns-test/src/templates/unbound.conf.jinja
@ -5,6 +5,7 @@ server:
    access-control: {{ netmask }} allow
    root-hints: /etc/root.hints
    pidfile: /tmp/unbound.pid
+    ede: {% if ede %} yes {% else %} no {% endif %}
 {% if use_dnssec %}
    trust-anchor-file: /etc/trusted-key.key
 {% endif %}