Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

auth: allow turning off across-domain resolving #14604

Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open

auth: allow turning off across-domain resolving #14604

wants to merge 2 commits into from
+26 −2

Conversation

zeha
Copy link
Collaborator

@zeha zeha commented Aug 28, 2024
edited
Loading

Short description

Addresses #10017. Introduces new setting resolve-across-domains. Default is the unchanged behaviour.

Turning off the new setting causes CNAME targets to not be followed across (local) domains. Also, queries that could be answered by following a local delegations are similarly not resolved.

Checklist

I have:

  • read the CONTRIBUTING.md document
  • compiled this code
  • tested this code
  • included documentation (including possible behaviour changes)
  • documented the code
  • added or modified regression test(s)
  • added or modified unit test(s)

@zeha
Copy link
Collaborator Author

zeha commented Aug 28, 2024

Ideas on how to add regression-tests welcome.

@coveralls
Copy link

coveralls commented Aug 28, 2024
edited
Loading

Pull Request Test Coverage Report for Build 10598055899

Details

  • 5 of 7 (71.43%) changed or added relevant lines in 2 files are covered.
  • 4474 unchanged lines in 114 files lost coverage.
  • Overall coverage increased (+0.05%) to 64.706%
Changes Missing Coverage Covered Lines Changed/Added Lines %
pdns/packethandler.cc 4 6 66.67%
Files with Coverage Reduction New Missed Lines %
pdns/dnsdistdist/test-dnsdisttcp_cc.cc 1 95.01%
pdns/validate.cc 1 68.8%
pdns/recursordist/recursor_cache.cc 1 86.11%
pdns/epollmplexer.cc 2 83.75%
pdns/libssl.hh 2 0.0%
ext/yahttp/yahttp/utility.hpp 2 36.69%
pdns/burtle.hh 2 98.16%
pdns/dnsdistdist/dnsdist-lua-bindings-kvs.cc 2 26.0%
pdns/dnsdistdist/dnsdist-lua-bindings-dnsquestion.cc 2 36.0%
pdns/dnsdistdist/dnscrypt.hh 2 33.33%
Totals Coverage Status
Change from base Build 10594475038: 0.05%
Covered Lines: 124680
Relevant Lines: 162071
💛 - Coveralls

@zeha zeha force-pushed the zeha-10017-cname-follow-config branch from 033c2a4 to 67cb459 Compare August 28, 2024 13:49
@Habbie Habbie self-requested a review September 3, 2024 12:12
Habbie
Habbie reviewed Sep 5, 2024
View reviewed changes
Copy link
Member

@Habbie Habbie left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

what about SVCB?

docs/settings.rst Outdated
If this is enabled, CNAME records and other referrals will be resolved as long as their targets exist in any local backend.
Can be disabled to allow for different authorities managing zones in the same server instance.

Regardless of this setting, external targets are never resolved.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I hope this line won't confuse ALIAS users

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

maybe we should list all "other referrals" to be clear.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I had to re-read my own line 5 times now to understand what I meant. Hard to come up with something descriptive though.

Maybe just:

Referrals not available in local backends are never resolved.
SVCB referrals are never resolved across domains.
ALIAS is not impacted by this setting.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

s/domains/zones/, love it otherwise

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

love it otherwise

done

s/domains/zones/

should I also do that to the setting name? various other settings use "domain" though

@Habbie Habbie added this to the auth-5 milestone Sep 5, 2024
@klaus-nicat
Copy link
Contributor

what about SVCB?

Is there currently some code in PDNS to follow SVCB? SVCB ist quite different as the client application needs to perform the resolving. But IMO PDNS should not provide hints out of bailiwik, regardless if CNAME, DNAME, SVCB/HTTPS, NS ....

@zeha
Copy link
Collaborator Author

zeha commented Sep 23, 2024

what about SVCB?

SVCB was taken care of by #10521

@Habbie Habbie self-requested a review September 23, 2024 11:45
@zeha
auth: allow turning off across-domain resolving
c2a8062 
Default is unchanged. Turning off the new setting causes CNAME targets
to not be followed across (local) domains. Also, queries that could be
answered by following a local delegations are similarly not resolved.
@zeha
auth: ignore doQuestion for clang-tidy for now
308ca1e
@zeha zeha force-pushed the zeha-10017-cname-follow-config branch from 67cb459 to 308ca1e Compare September 23, 2024 14:11
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Habbie Habbie Awaiting requested review from Habbie

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
auth enhancement
Projects
None yet
Milestone
auth-5
Development

Successfully merging this pull request may close these issues.
4 participants
@zeha @coveralls @klaus-nicat @Habbie