#dnspython

iam-py-test :unverified:iampytest1@infosec.exchange
2024-04-17
2024-02-28

I decided to add #DoQ support to my check_soa script (because it's easy to add as #dnspython supports it pretty much out of the box) so I'm looking for #DNS zones using authoritative nameservers accessible with DoQ. Does anyone know any?

I know a few recursive servers using #QUIC but I haven't found authoritative servers yet :/

(I'd love to have some myself (my NS can already be queried using #DoT) but I use #NSD (which has no QUIC support yet) and Debian so...)

2024-02-19

Oops, the recently released #dnspython 2.6.0 added support for the EDNS NSID option, thus breaking my check_soa scripts. Need to add temporary dnspython version check

(And I should move these scripts in a proper repo)

framagit.org/Shaft/dns-tools

2024-02-06

Grumph, an error in the #dnspython docs:

The 'target' here is not a dns.name.Name, but a plain bunch of octets (so bytes)

dnspython.readthedocs.io/en/st

mgorny-nyan (he) :autism:🙀🚂🐧mgorny@treehouse.systems
2024-01-27

Another curious #musl libc issue: `getaddrinfo()` fills `.ai_canonname` even if `AI_CANONNAME` is not passed in `flags`. Apparently not a big deal, except that it breaks the tests of #DNSPython when present unexpectedly. Technically, it may also not comply with #POSIX, though I'm not sure.

openwall.com/lists/musl/2024/0
github.com/rthalley/dnspython/
bugs.gentoo.org/923004

#Python #Gentoo

mgorny-nyan (on) :autism:🙀🚂🐧mgorny@pol.social
2024-01-27

Another interesting problem with #musl libc: `getaddrinfo()` fills in the `.ai_canonname` field even if `flags` does not contain `AI_CANONNAME`. Supposedly it's no big deal, but it's enough to break the #DNSPython tests. Technically speaking, it may also be non-compliant with #POSIX, but I'm not sure.

openwall.com/lists/musl/2024/0
github.com/rthalley/dnspython/
bugs.gentoo.org/923004

#Python #Gentoo

2024-01-25

#dnspython 2.5 released

Among the changes, still no options to generate #NSEC3 signatures when using the zone signing function, but it seems it's coming: "[t]he NSEC3 class now has a next_name() method for retrieving the next name as a dns.name.Name"

#DNS #Python #DNSSEC

dnspython.readthedocs.io/en/st

Fink :antifa:fink@chaos.social
2023-10-23
2023-08-23

With #dnspython 2.4.0+, @DNSresolver can be configured to use a DoH resolver without changes in the current code.

DoQ and DoT require minimal changes

🤔

2023-08-05

On the value of RTFM: there is a function in the resolver module of #dnspython to fetch the A and AAAA of a name in one go. Which of course doesn't reduce the number of queries to make, but lightens the code when you're looking for both

2023-08-03

I'm bored at work, so I'm looking at how to do #DNSSEC validation with #dnspython. And maybe implement it in my check_soa 🤔

2023-08-02

Just added EDNS(0) Padding when using #DNS over #TLS in my check_soa scripts 🥰

(Thanks once again to the great #dnspython toolkit ❤)

framagit.org/Shaft/dns-tools

2023-07-29

So my check_soa_multi script (multi-process check_soa using multiprocessing.Pool) is broken when using #dnspython 2.4.0+, if I set payload to whatever value but 0, it crashes the starmap func I use in the Pool 🤔 #Python

Knowing that payload is either an int or None (None doesn't work)

framagit.org/Shaft/dns-tools/-

2023-07-18

Any #dnspython devs out there?

Found a minor bug and I do not have a Github account or a Google account (to write to the mailing lists)

2023-05-30

Thanks to #dnspython, I have a tool to easily “deduplicate” my adblock list. I remove any domain for which the parent zone is present in the list (e.g. if there is ads.example.com and tracker.ads.example.com, the latter will be removed. I use my adblock list such that if a domain is blocked, the whole subtree is blocked)

The list is divided by 2: from 186950 to 98610 domains.

The deduplication is quite CPU intensive though
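
An added example, not the poster's tool and not using dnspython: one way to do the parent-zone deduplication described in the post above with a single set lookup per ancestor, so the cost grows with the number of names times their label count rather than with the square of the list size. The sample list and the function names `to_labels` and `deduplicate` are constructed for illustration.

```python
# Constructed sample blocklist (not data from the post).
SAMPLE = [
    "ads.example.com",
    "tracker.ads.example.com",    # covered by ads.example.com
    "Tracker.ADS.example.com.",   # same name once normalised
    "badads.example.com",         # shares a string suffix, but is NOT a subdomain
    "cdn.example.net",
    "a.b.cdn.example.net",        # covered two levels up
    "example.org",
]


def to_labels(domain):
    """Normalise a name and return its labels, top-level label first."""
    name = domain.strip().lower().rstrip(".")
    return tuple(reversed(name.split("."))) if name else ()


def deduplicate(domains):
    """Keep only names that have no proper ancestor in the list.

    Comparison is label by label, never by raw string suffix, so
    badads.example.com is not mistaken for a child of ads.example.com.
    """
    listed = {to_labels(d) for d in domains}
    listed.discard(())  # ignore blank lines
    kept = []
    for labels in listed:
        # Proper ancestors are the label prefixes shorter than the name itself.
        covered = any(labels[:i] in listed for i in range(1, len(labels)))
        if not covered:
            kept.append(".".join(reversed(labels)))
    return sorted(kept)


if __name__ == "__main__":
    for name in deduplicate(SAMPLE):
        print(name)
```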

2023-02-22

RFC 4034, Appendix B:

“The key tag is the same for all DNSKEY algorithm types except algorithm 1 [...]. The key tag algorithm is the sum of the wire format of the DNSKEY RDATA broken into 2 octet groups. First, the RDATA (in wire format) is treated as a series of 2 octet groups. These groups are then added together, ignoring any carry bits.”

Ok #DNSSEC, you win. I will rely on #dnspython function to find a key tag and will not try to implement that myself ^^'
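
An added example, not the poster's code and not dnspython's implementation: the key tag calculation quoted above, written out in plain Python, including the algorithm 1 exception and the single carry fold that the RFC's reference C code performs. The function names `dnskey_rdata` and `key_tag` and all key bytes are constructed for illustration.

```python
import struct


def dnskey_rdata(flags, protocol, algorithm, public_key):
    """DNSKEY RDATA in wire format: flags(2) | protocol(1) | algorithm(1) | key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata):
    """Key tag of a wire-format DNSKEY RDATA (RFC 4034, Appendix B)."""
    if len(rdata) < 4:
        raise ValueError("DNSKEY RDATA needs flags, protocol and algorithm")
    if rdata[3] == 1:
        # Appendix B.1: for algorithm 1 (RSA/MD5) the tag is the most
        # significant 16 of the least significant 24 bits of the modulus,
        # i.e. the two octets just before the last octet of the RDATA.
        if len(rdata) < 7:
            raise ValueError("RSA/MD5 key too short")
        return (rdata[-3] << 8) | rdata[-2]
    total = 0
    for i, octet in enumerate(rdata):
        # Even offsets are the high octet of a 2-octet group, odd offsets
        # the low octet; a trailing single octet counts as a high octet.
        total += octet if i & 1 else octet << 8
    # The reference code adds the overflow above 16 bits back in once,
    # then truncates to 16 bits.
    total += (total >> 16) & 0xFFFF
    return total & 0xFFFF


# Constructed keys: real public keys are much longer.
ODD_LENGTH = dnskey_rdata(257, 3, 13, bytes.fromhex("0102030405"))
WITH_CARRY = dnskey_rdata(256, 3, 8, b"\xff" * 4)
RSA_MD5 = dnskey_rdata(256, 3, 1, bytes.fromhex("03010001aabbcc"))

if __name__ == "__main__":
    for rdata in (ODD_LENGTH, WITH_CARRY, RSA_MD5):
        print(rdata.hex(), key_tag(rdata))
```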

2023-02-20

Trying to test #dnspython 2.3.0 #DNSSEC signing function

Private keys need to be a cryptography.hazmat.primitives.asymmetric private key class

Have not found a way, if any, to import in that format my ldns-generated private key

Cryptography doc states:

"This is a “Hazardous Materials” module. You should ONLY use it if you’re 100% absolutely sure that you know what you’re doing because this module is full of land mines, dragons, and dinosaurs with laser guns."

Don't want to mess with that!

2023-01-30

And... #dnspython 2.3.0 is also arriving in Debian Testing \o/
