From 166863bcc4a315442f1d49a2d61ecbec8de5d6cd Mon Sep 17 00:00:00 2001
From: Jorge Aparicio
Date: Tue, 5 Mar 2024 14:10:20 +0100
Subject: [PATCH] allow enabling Extended DNS Errors (EDE)
---
 packages/dns-test/src/implementation.rs | 24 +++++++++++++++++--
 packages/dns-test/src/resolver.rs | 10 ++++++++
 .../dns-test/src/templates/unbound.conf.jinja | 1 +
 3 files changed, 33 insertions(+), 2 deletions(-)
diff --git a/packages/dns-test/src/implementation.rs b/packages/dns-test/src/implementation.rs
index 256ad247..1ec81e15 100644
--- a/packages/dns-test/src/implementation.rs
+++ b/packages/dns-test/src/implementation.rs
@@ -8,8 +8,15 @@ use crate::FQDN;
 #[derive(Clone, Copy)]
 pub enum Config<'a> {
- NameServer { origin: &'a FQDN },
- Resolver { use_dnssec: bool, netmask: &'a str },
+ NameServer {
+ origin: &'a FQDN,
+ },
+ Resolver {
+ use_dnssec: bool,
+ netmask: &'a str,
+ /// Extended DNS error (RFC8914)
+ ede: bool,
+ },
 }
 impl Config<'_> {
@@ -42,6 +49,14 @@ pub enum Implementation {
 }
 impl Implementation {
+ pub fn supports_ede(&self) -> bool {
+ match self {
+ Implementation::Bind => false,
+ Implementation::Hickory(_) => true,
+ Implementation::Unbound => true,
+ }
+ }
+
 #[must_use]
 pub fn is_bind(&self) -> bool {
 matches!(self, Self::Bind)
@@ -52,8 +67,11 @@ impl Implementation {
 Config::Resolver {
 use_dnssec,
 netmask,
+ ede,
 } => match self {
 Self::Bind => {
+ assert!(!ede, "the BIND resolver does not support EDE (RFC8914)");
+
 minijinja::render!(
 include_str!("templates/named.resolver.conf.jinja"),
 use_dnssec => use_dnssec,
@@ -62,6 +80,7 @@ impl Implementation {
 }
 Self::Hickory(_) => {
+ // TODO enable EDE in Hickory when supported
 minijinja::render!(
 include_str!("templates/hickory.resolver.toml.jinja"),
 use_dnssec => use_dnssec,
@@ -73,6 +92,7 @@ impl Implementation {
 include_str!("templates/unbound.conf.jinja"),
 use_dnssec => use_dnssec,
 netmask => netmask,
+ ede => ede,
 )
 }
 },
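Review bot: `supports_ede` returns `true` for `Implementation::Hickory(_)`, but the `Self::Hickory(_)` arm of the resolver config (the `-62,6 +80,7` hunk) only adds a TODO and never hands `ede` to the template, so the flag is silently dropped for Hickory while BIND panics on it. A test that gates on `supports_ede()` would then make RFC 8914 assertions against a resolver that was never configured for them; whether Hickory emits EDE without configuration is not visible here. Until the Hickory template takes the flag, `Implementation::Hickory(_) => false,` would keep the capability table in line with what the config code does. The new method also has no doc comment and no `#[must_use]`, unlike `is_bind` directly below it, and spells the variants `Implementation::Bind` where the rest of the impl uses `Self::Bind`.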
diff --git a/packages/dns-test/src/resolver.rs b/packages/dns-test/src/resolver.rs
index 93d17f3a..4a5ddf43 100644
--- a/packages/dns-test/src/resolver.rs
+++ b/packages/dns-test/src/resolver.rs
@@ -19,6 +19,7 @@ impl Resolver {
 #[allow(clippy::new_ret_no_self)]
 pub fn new(network: &Network, root: Root) -> ResolverSettings {
 ResolverSettings {
+ ede: false,
 network: network.clone(),
 roots: vec![root],
 trust_anchor: TrustAnchor::empty(),
@@ -60,6 +61,8 @@ kill -TERM $(cat {pidfile})"
 }
 pub struct ResolverSettings {
+ /// Extended DNS Errors (RFC8914)
+ ede: bool,
 network: Network,
 roots: Vec,
 trust_anchor: TrustAnchor,
@@ -84,6 +87,7 @@ impl ResolverSettings {
 let config = Config::Resolver {
 use_dnssec,
 netmask: self.network.netmask(),
+ ede: self.ede,
 };
 container.cp(
 implementation.conf_file_path(config.role()),
@@ -115,6 +119,12 @@ impl ResolverSettings {
 })
 }
+ /// Enables the Extended DNS Errors (RFC8914) feature
+ pub fn extended_dns_errors(&mut self) -> &mut Self {
+ self.ede = true;
+ self
+ }
+
 /// Adds a root hint
 pub fn root(&mut self, root: Root) -> &mut Self {
 self.roots.push(root);
diff --git a/packages/dns-test/src/templates/unbound.conf.jinja b/packages/dns-test/src/templates/unbound.conf.jinja
index 212078aa..13eeb758 100644
--- a/packages/dns-test/src/templates/unbound.conf.jinja
+++ b/packages/dns-test/src/templates/unbound.conf.jinja
@@ -5,6 +5,7 @@ server:
 access-control: {{ netmask }} allow
 root-hints: /etc/root.hints
 pidfile: /tmp/unbound.pid
+ ede: {% if ede %} yes {% else %} no {% endif %}
 {% if use_dnssec %}
 trust-anchor-file: /etc/trusted-key.key
 {% endif %}
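Review bot: The doc comment on `extended_dns_errors` (resolver.rs, `-115,6 +119,12` hunk) does not say what happens on an implementation without EDE. Per the implementation.rs changes in this same patch, setting it and then building a BIND config hits `assert!(!ede, ...)` and panics, while the Hickory arm ignores the flag. The caller only finds out when `Config::Resolver` is built in the `-84,6 +87,7` hunk, whose enclosing function starts outside the hunk. Suggested doc line: `/// Enables Extended DNS Errors (RFC8914). Panics at config rendering if the implementation is BIND; check Implementation::supports_ede first.` The setter is also one-way, so a `bool` parameter would let a shared settings value switch it back off.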
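Review bot: The `ede:` line in unbound.conf.jinja is emitted for every rendered config, as `ede: no` when the feature is off, so an Unbound build that predates this option would reject the file even for tests that never call `extended_dns_errors()`. Which Unbound build the test image ships is not visible in this patch, so this may not apply. If older builds matter, write the line only when requested: `{% if ede %}ede: yes{% endif %}`. That form also avoids the extra padding the inline conditional leaves around the value.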