Comments (6)
> For what it's worth, DNS has this reserved the .test. TLD for testing use cases, which can be better to use as it ensures that no requests ever go to the internet for the TLD.
this sounded like a good idea but unbound seems to be hard-coded to answer queries of the form `A sub.domain.test.` with

```
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 22272
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;primary0.nameservers.test. IN A
;; AUTHORITY SECTION:
test. 10800 IN SOA localhost. nobody.invalid. 1 3600 1200 604800 10800
```
which breaks existing conformance tests in dns-tests when I try to move from `com.` domains to `test.`. RFC6761 lets caching DNS servers special-case queries about `test.` domains, namely:

> Caching DNS servers SHOULD recognize test names as special and SHOULD NOT, by default, attempt to look up NS records for them, or otherwise query authoritative DNS servers in an attempt to resolve test names. Instead, caching DNS servers SHOULD, by default, generate immediate negative responses for all such queries.

Maybe I can use `dns-test.` as the TLD in the conformance tests 🤔 I don't think it'll ever be a real TLD 🤞
from hickory-dns.
Got it. For what it's worth, DNS has this reserved the `.test.` TLD for testing use cases, which can be better to use as it ensures that no requests ever go to the internet for the TLD. It might be (depends on what is being tested, I guess) a good idea to generally use that.
from hickory-dns.
There's an interesting case where it's NXDOMAIN if there are no other records at that name, but if there are any, then it's supposed to be NOERROR and no record to indicate other records besides the one queried do exist at that name.
using CLI resolver from our library, I'm getting an A record at that name:
```
> resolve doesnotexist.nameservers.com
Querying for doesnotexist.nameservers.com A from udp:8.8.8.8:53, tcp:8.8.8.8:53, udp:8.8.4.4:53, tcp:8.8.4.4:53, udp:[2001:4860:4860::8888]:53, tcp:[2001:4860:4860::8888]:53, udp:[2001:4860:4860::8844]:53, tcp:[2001:4860:4860::8844]:53
Success for query doesnotexist.nameservers.com IN A
doesnotexist.nameservers.com. 7200 IN A 208.91.197.132
```
Maybe this was changed after your test?
from hickory-dns.
> using CLI resolver from our library, I'm getting an A record at that name:

that's because that CLI resolver has internet access and access to the public DNS network. I guess something similar if I run `dig @1.1.1.1 A doesnotexist.nameservers.com` (note the public DNS resolver `1.1.1.1`)

In contrast to that, all the nodes in the test are in a private, local network with no internet access so they never contact root servers like `a.root-servers.net`. the name servers in the tests do not contain a `doesnotexist.nameservers.com` A record; nor wildcard records that would match the `A doesnotexist.nameservers.com` query
from hickory-dns.
rereading this, it does look like this should be an NXDOMAIN. I have been wanting to set up some test cases in the hickory repo itself for tests like this so that we can more easily guarantee behavior. I'm trying to figure out why we would end up with a NOERROR in this case, definitely seems like it should be NXDOMAIN. It looks like there's a bit of a recursive set of references here... I wonder if that got triggered by looping? I'd have to recreate this test case.
from hickory-dns.
yeah, I was just calling it out as a concern. I'm not sure how I handle `.test` in hickory at the moment. It's probably not worth changing it.
from hickory-dns.
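The two behaviours discussed in this thread (NXDOMAIN versus NOERROR with an empty answer, and the RFC 6761 short-circuit for `test.` names on a caching resolver) can be modelled in a few lines. This is an added example, not code from hickory-dns, unbound or the dns-test suite; `Zone`, `authoritative`, `resolve`, `is_test_name` and the `192.0.2.1` addresses are assumptions made up for illustration.

```rust
use std::collections::HashMap;

#[derive(Debug, PartialEq, Clone, Copy)]
enum Rcode { NoError, NxDomain }

/// Constructed zone data: fully qualified lowercase owner name -> (type, rdata) pairs.
type Zone = HashMap<&'static str, Vec<(&'static str, &'static str)>>;

/// RFC 6761 section 6.2: `test.` and every name below it is special-use.
fn is_test_name(qname: &str) -> bool {
    let n = qname.trim_end_matches('.').to_ascii_lowercase();
    n == "test" || n.ends_with(".test")
}

/// Authoritative-style lookup: returns the RCODE and the matching rdata.
fn authoritative(zone: &Zone, qname: &str, qtype: &str) -> (Rcode, Vec<&'static str>) {
    let qname = qname.to_ascii_lowercase();
    if let Some(rrs) = zone.get(qname.as_str()) {
        // Name exists: NOERROR, with an empty answer (NODATA) if the type is absent.
        let hits = rrs.iter().filter(|(t, _)| *t == qtype).map(|(_, d)| *d).collect();
        return (Rcode::NoError, hits);
    }
    // Empty non-terminal: no records here, but a descendant exists (RFC 8020).
    let suffix = format!(".{}", qname);
    if zone.keys().any(|k| k.ends_with(&suffix)) {
        return (Rcode::NoError, vec![]);
    }
    (Rcode::NxDomain, vec![])
}

/// Caching-resolver front end; `special_case_test` models the RFC 6761 default.
fn resolve(zone: &Zone, qname: &str, qtype: &str, special_case_test: bool) -> (Rcode, Vec<&'static str>) {
    if special_case_test && is_test_name(qname) {
        return (Rcode::NxDomain, vec![]); // answered locally, zone never consulted
    }
    authoritative(zone, qname, qtype)
}

fn sample_zone() -> Zone {
    HashMap::from([
        ("primary0.nameservers.test.", vec![("A", "192.0.2.1")]),
        ("primary0.nameservers.com.", vec![("A", "192.0.2.1")]),
    ])
}

fn main() {
    let z = sample_zone();
    println!("{:?}", resolve(&z, "primary0.nameservers.test.", "A", true));
    println!("{:?}", resolve(&z, "primary0.nameservers.com.", "AAAA", true));
}
```

With the special case enabled, the `test.` query is answered NXDOMAIN even though the zone holds a matching A record, which is the failure the conformance tests hit; a label such as `dns-test.` does not match the special-use check.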