From 5efcd6ed70ead206a17244e4a505d7a340077cdb Mon Sep 17 00:00:00 2001 From: John Bond Date: Wed, 22 Nov 2023 11:35:22 +0100 Subject: [PATCH 1/8] IPv6: update to_s method to be RFC5952 compliant (#25) * IPv6: update to_s method to be RFC5952 compliant I noticed that the resolv library does not honour RFC 5952 Section 4.2.2. in relation to textural representation of ipv6 addresses: The symbol "::" MUST NOT be used to shorten just one 16-bit 0 field. For example, the representation 2001:db8:0:1:1:1:1:1 is correct, but 2001:db8::1:1:1:1:1 is not correct. Fixes #24 Co-authored-by: Sorah Fukumori --- lib/resolv.rb | 6 +----- test/resolv/test_dns.rb | 3 ++- 2 files changed, 3 insertions(+), 6 deletions(-) diff --git a/lib/resolv.rb b/lib/resolv.rb index 47c4ef6..0db6cc5 100644 --- a/lib/resolv.rb +++ b/lib/resolv.rb @@ -2560,11 +2560,7 @@ def initialize(address) # :nodoc: attr_reader :address def to_s # :nodoc: - address = sprintf("%x:%x:%x:%x:%x:%x:%x:%x", *@address.unpack("nnnnnnnn")) - unless address.sub!(/(^|:)0(:0)+(:|$)/, '::') - address.sub!(/(^|:)0(:|$)/, '::') - end - return address + sprintf("%x:%x:%x:%x:%x:%x:%x:%x", *@address.unpack("nnnnnnnn")).sub(/(^|:)0(:0)+(:|$)/, '::') end def inspect # :nodoc: diff --git a/test/resolv/test_dns.rb b/test/resolv/test_dns.rb index 9d243bb..d9db840 100644 --- a/test/resolv/test_dns.rb +++ b/test/resolv/test_dns.rb @@ -374,7 +374,8 @@ def test_ipv6_to_s ["2001:db8::1", "2001:db8::0:1"], ["::", "0:0:0:0:0:0:0:0"], ["2001::", "2001::0"], - ["2001:db8::1:1:1:1:1", "2001:db8:0:1:1:1:1:1"], + ["2001:db8:0:1:1:1:1:1", "2001:db8:0:1:1:1:1:1"], # RFC 5952 Section 4.2.2. + ["2001:db8::1:1:1:1", "2001:db8:0:0:1:1:1:1"], ["1::1:0:0:0:1", "1:0:0:1:0:0:0:1"], ["1::1:0:0:1", "1:0:0:0:1:0:0:1"], ] From b3ced7f0392da5897aac4f9b198bf9aa4d432735 Mon Sep 17 00:00:00 2001 From: Kasumi Hanazuki Date: Fri, 24 Nov 2023 10:35:26 +0900 Subject: [PATCH 2/8] Implement SVCB and HTTPS RRs (#32) * Add MessageDecoder#get_list This method repeats yielding until all the data upto the current limit is consumed, and then returns an Array containig the block results. * Implement SVCB and HTTPS RRs [RFC 9460] > This patch implements SVCB and HTTPS resource record types defined in > [RFC 9460]. > > The RR types are now supported by many server implementations including > BIND, unbound, PowerDNS, and Knot DNS. Major browsers such as Chrome, > Edge, and Safari have started to query HTTPS records, with the records > gradually adopted by websites. Also, SVCB is actually deployed in the > public DNS resolvers such as Cloudflare DNS and Google Public DNS for > [DDR]. > > With such wide adoption, we have plenty of real-world use cases, and > it is unlikely the wire format will change further in an incompatible > way. It is time to implement them in the client libraries! > > # Rationale for proposed API > > ## `Resolv::DNS::Resource::IN::ServiceBinding` > > This is an abstract class for SVCB-compatible RR types. > SVCB-compatible RR types, as defined in the Draft, shares the wire > format and the semantics of their RDATA fields with SVCB to allow > implementations to share the processing of these RR types. So we do > so. > > The interface of this class is straightforward: It has three > attributes `priority`, `target`, and `params`, which correspond the > RDATA fields SvcPriority, TargetName, and SvcParams, resp. > > SVCB RR type is defined specifically within IN class. Thus, this > class is placed in the `Resolv::DNS::Resource::IN` namespace. > > ## `Resolv::DNS::Resource::IN::SVCB`, `Resolv::DNS::Resource::IN::HTTPS` > > Just inherits ServiceBinding class. > > ## `Resolv::DNS::SvcParam` > > This class represents a pair of a SvcParamKey and a SvcParamValue. > Aligned with the design of `Resolv::DNS::Resource`, each SvcParamKey > has its own subclass of `Resolv::DNS::SvcParam`. > > ## `Resolv::DNS::SvcParam::Generic` > > This is an abstract class representing a SvcParamKey that is unknown > to this library. `Generic.create(key)` dynamically defines its > subclass for specific `key`. E.g., `Generic.create(667)` will define > `Generic::Key667`. > > This class holds SvcParamValue in its wire format. > > SvcParam with an unknown SvcParamKey will be decoded as a subclass of > this class. Also, users of this library can generate a non-supported > SvcParam if they know its wire format. > > ## `Resolv::DNS::SvcParams` > > This is conceptually a set of `SvcParam`s, whose elements have the > unique SvcParamKeys. It behaves like a set, and for convenience > provides indexing by SvcParamKey. > > - `#initialize(params)` takes an Enumerable of `SvcParam`s as the > initial content. If it contains `SvcParam`s with the duplicate key, > the one that appears last takes precedence. > - `#[](key)` fetches the `SvcParam` with the given key. The key can be > specified by its name (e.g., `:alpn`) or number (e.g., `1`). > - `#add(param)` adds a `SvcParam` to the set. If the set already has a > `SvcParam` with the same key, it will be replaced. > - `#delete(key)` deletes a `SvcParam` by its key and returns it. The key > can be specified by its name or number. * Update comments referring to draft-ietf-dnsop-svcb-https-12 Published as RFC 9460. https://datatracker.ietf.org/doc/rfc9460/ [draft-ietf-dnsop-svcb-https-12]: https://datatracker.ietf.org/doc/draft-ietf-dnsop-svcb-https/12/ [RFC 9460]: https://datatracker.ietf.org/doc/rfc9460/ [DDR]: https://datatracker.ietf.org/doc/draft-ietf-add-ddr/ --- lib/resolv.rb | 429 +++++++++++++++++++++++++++++++++ test/resolv/test_svcb_https.rb | 204 ++++++++++++++++ 2 files changed, 633 insertions(+) create mode 100644 test/resolv/test_svcb_https.rb diff --git a/lib/resolv.rb b/lib/resolv.rb index 0db6cc5..6fe9822 100644 --- a/lib/resolv.rb +++ b/lib/resolv.rb @@ -1618,6 +1618,14 @@ def get_string_list strings end + def get_list + [].tap do |values| + while @index < @limit + values << yield + end + end + end + def get_name return Name.new(self.get_labels) end @@ -1678,6 +1686,349 @@ def get_rr end end + ## + # SvcParams for service binding RRs. [RFC9460] + + class SvcParams + include Enumerable + + ## + # Create a list of SvcParams with the given initial content. + # + # +params+ has to be an enumerable of +SvcParam+s. + # If its content has +SvcParam+s with the duplicate key, + # the one appears last takes precedence. + + def initialize(params = []) + @params = {} + + params.each do |param| + add param + end + end + + ## + # Get SvcParam for the given +key+ in this list. + + def [](key) + @params[canonical_key(key)] + end + + ## + # Get the number of SvcParams in this list. + + def count + @params.count + end + + ## + # Get whether this list is empty. + + def empty? + @params.empty? + end + + ## + # Add the SvcParam +param+ to this list, overwriting the existing one with the same key. + + def add(param) + @params[param.class.key_number] = param + end + + ## + # Remove the +SvcParam+ with the given +key+ and return it. + + def delete(key) + @params.delete(canonical_key(key)) + end + + ## + # Enumerate the +SvcParam+s in this list. + + def each(&block) + return enum_for(:each) unless block + @params.each_value(&block) + end + + def encode(msg) # :nodoc: + @params.keys.sort.each do |key| + msg.put_pack('n', key) + msg.put_length16 do + @params.fetch(key).encode(msg) + end + end + end + + def self.decode(msg) # :nodoc: + params = msg.get_list do + key, = msg.get_unpack('n') + msg.get_length16 do + SvcParam::ClassHash[key].decode(msg) + end + end + + return self.new(params) + end + + private + + def canonical_key(key) # :nodoc: + case key + when Integer + key + when /\Akey(\d+)\z/ + Integer($1) + when Symbol + SvcParam::ClassHash[key].key_number + else + raise TypeError, 'key must be either String or Symbol' + end + end + end + + + ## + # Base class for SvcParam. [RFC9460] + + class SvcParam + + ## + # Get the presentation name of the SvcParamKey. + + def self.key_name + const_get(:KeyName) + end + + ## + # Get the registered number of the SvcParamKey. + + def self.key_number + const_get(:KeyNumber) + end + + ClassHash = Hash.new do |h, key| # :nodoc: + case key + when Integer + Generic.create(key) + when /\Akey(?\d+)\z/ + Generic.create(key.to_int) + when Symbol + raise KeyError, "unknown key #{key}" + else + raise TypeError, 'key must be either String or Symbol' + end + end + + ## + # Generic SvcParam abstract class. + + class Generic < SvcParam + + ## + # SvcParamValue in wire-format byte string. + + attr_reader :value + + ## + # Create generic SvcParam + + def initialize(value) + @value = value + end + + def encode(msg) # :nodoc: + msg.put_bytes(@value) + end + + def self.decode(msg) # :nodoc: + return self.new(msg.get_bytes) + end + + def self.create(key_number) + c = Class.new(Generic) + key_name = :"key#{key_number}" + c.const_set(:KeyName, key_name) + c.const_set(:KeyNumber, key_number) + self.const_set(:"Key#{key_number}", c) + ClassHash[key_name] = ClassHash[key_number] = c + return c + end + end + + ## + # "mandatory" SvcParam -- Mandatory keys in service binding RR + + class Mandatory < SvcParam + KeyName = :mandatory + KeyNumber = 0 + ClassHash[KeyName] = ClassHash[KeyNumber] = self # :nodoc: + + ## + # Mandatory keys. + + attr_reader :keys + + ## + # Initialize "mandatory" ScvParam. + + def initialize(keys) + @keys = keys.map(&:to_int) + end + + def encode(msg) # :nodoc: + @keys.sort.each do |key| + msg.put_pack('n', key) + end + end + + def self.decode(msg) # :nodoc: + keys = msg.get_list { msg.get_unpack('n')[0] } + return self.new(keys) + end + end + + ## + # "alpn" SvcParam -- Additional supported protocols + + class ALPN < SvcParam + KeyName = :alpn + KeyNumber = 1 + ClassHash[KeyName] = ClassHash[KeyNumber] = self # :nodoc: + + ## + # Supported protocol IDs. + + attr_reader :protocol_ids + + ## + # Initialize "alpn" ScvParam. + + def initialize(protocol_ids) + @protocol_ids = protocol_ids.map(&:to_str) + end + + def encode(msg) # :nodoc: + msg.put_string_list(@protocol_ids) + end + + def self.decode(msg) # :nodoc: + return self.new(msg.get_string_list) + end + end + + ## + # "no-default-alpn" SvcParam -- No support for default protocol + + class NoDefaultALPN < SvcParam + KeyName = :'no-default-alpn' + KeyNumber = 2 + ClassHash[KeyName] = ClassHash[KeyNumber] = self # :nodoc: + + def encode(msg) # :nodoc: + # no payload + end + + def self.decode(msg) # :nodoc: + return self.new + end + end + + ## + # "port" SvcParam -- Port for alternative endpoint + + class Port < SvcParam + KeyName = :port + KeyNumber = 3 + ClassHash[KeyName] = ClassHash[KeyNumber] = self # :nodoc: + + ## + # Port number. + + attr_reader :port + + ## + # Initialize "port" ScvParam. + + def initialize(port) + @port = port.to_int + end + + def encode(msg) # :nodoc: + msg.put_pack('n', @port) + end + + def self.decode(msg) # :nodoc: + port, = msg.get_unpack('n') + return self.new(port) + end + end + + ## + # "ipv4hint" SvcParam -- IPv4 address hints + + class IPv4Hint < SvcParam + KeyName = :ipv4hint + KeyNumber = 4 + ClassHash[KeyName] = ClassHash[KeyNumber] = self # :nodoc: + + ## + # Set of IPv4 addresses. + + attr_reader :addresses + + ## + # Initialize "ipv4hint" ScvParam. + + def initialize(addresses) + @addresses = addresses.map {|address| IPv4.create(address) } + end + + def encode(msg) # :nodoc: + @addresses.each do |address| + msg.put_bytes(address.address) + end + end + + def self.decode(msg) # :nodoc: + addresses = msg.get_list { IPv4.new(msg.get_bytes(4)) } + return self.new(addresses) + end + end + + ## + # "ipv6hint" SvcParam -- IPv6 address hints + + class IPv6Hint < SvcParam + KeyName = :ipv6hint + KeyNumber = 6 + ClassHash[KeyName] = ClassHash[KeyNumber] = self # :nodoc: + + ## + # Set of IPv6 addresses. + + attr_reader :addresses + + ## + # Initialize "ipv6hint" ScvParam. + + def initialize(addresses) + @addresses = addresses.map {|address| IPv6.create(address) } + end + + def encode(msg) # :nodoc: + @addresses.each do |address| + msg.put_bytes(address.address) + end + end + + def self.decode(msg) # :nodoc: + addresses = msg.get_list { IPv6.new(msg.get_bytes(16)) } + return self.new(addresses) + end + end + + end + ## # A DNS query abstract class. @@ -2341,6 +2692,84 @@ def self.decode_rdata(msg) # :nodoc: return self.new(priority, weight, port, target) end end + + ## + # Common implementation for SVCB-compatible resource records. + + class ServiceBinding + + ## + # Create a service binding resource record. + + def initialize(priority, target, params = []) + @priority = priority.to_int + @target = Name.create(target) + @params = SvcParams.new(params) + end + + ## + # The priority of this target host. + # + # The range is 0-65535. + # If set to 0, this RR is in AliasMode. Otherwise, it is in ServiceMode. + + attr_reader :priority + + ## + # The domain name of the target host. + + attr_reader :target + + ## + # The service paramters for the target host. + + attr_reader :params + + ## + # Whether this RR is in AliasMode. + + def alias_mode? + self.priority == 0 + end + + ## + # Whether this RR is in ServiceMode. + + def service_mode? + !alias_mode? + end + + def encode_rdata(msg) # :nodoc: + msg.put_pack("n", @priority) + msg.put_name(@target, compress: false) + @params.encode(msg) + end + + def self.decode_rdata(msg) # :nodoc: + priority, = msg.get_unpack("n") + target = msg.get_name + params = SvcParams.decode(msg) + return self.new(priority, target, params) + end + end + + ## + # SVCB resource record [RFC9460] + + class SVCB < ServiceBinding + TypeValue = 64 + ClassValue = IN::ClassValue + ClassHash[[TypeValue, ClassValue]] = self # :nodoc: + end + + ## + # HTTPS resource record [RFC9460] + + class HTTPS < ServiceBinding + TypeValue = 65 + ClassValue = IN::ClassValue + ClassHash[[TypeValue, ClassValue]] = self # :nodoc: + end end end end diff --git a/test/resolv/test_svcb_https.rb b/test/resolv/test_svcb_https.rb new file mode 100644 index 0000000..9b8b576 --- /dev/null +++ b/test/resolv/test_svcb_https.rb @@ -0,0 +1,204 @@ +# frozen_string_literal: false +require 'test/unit' +require 'resolv' + +class TestResolvSvcbHttps < Test::Unit::TestCase + # Wraps a RR in answer section + def wrap_rdata(rrtype, rrclass, rdata) + [ + "\x00\x00\x00\x00", # ID/FLAGS + [0, 1, 0, 0].pack('nnnn'), # QDCOUNT/ANCOUNT/NSCOUNT/ARCOUNT + "\x07example\x03com\x00", # NAME + [rrtype, rrclass, 0, rdata.bytesize].pack('nnNn'), # TYPE/CLASS/TTL/RDLENGTH + rdata, + ].join.b + end + + def test_svcparams + params = Resolv::DNS::SvcParams.new([Resolv::DNS::SvcParam::Mandatory.new([1])]) + + assert_equal 1, params.count + + params.add Resolv::DNS::SvcParam::NoDefaultALPN.new + params.add Resolv::DNS::SvcParam::ALPN.new(%w[h2 h3]) + + assert_equal 3, params.count + + assert_equal [1], params[:mandatory].keys + assert_equal [1], params[0].keys + + assert_equal %w[h2 h3], params[:alpn].protocol_ids + assert_equal %w[h2 h3], params[1].protocol_ids + + params.delete :mandatory + params.delete :alpn + + assert_equal 1, params.count + + assert_nil params[:mandatory] + assert_nil params[1] + + ary = params.each.to_a + + assert_instance_of Resolv::DNS::SvcParam::NoDefaultALPN, ary.first + end + + def test_svcb + rr = Resolv::DNS::Resource::IN::SVCB.new(0, 'example.com.') + + assert_equal 0, rr.priority + assert rr.alias_mode? + assert !rr.service_mode? + assert_equal Resolv::DNS::Name.create('example.com.'), rr.target + assert rr.params.empty? + + rr = Resolv::DNS::Resource::IN::SVCB.new(16, 'example.com.', [ + Resolv::DNS::SvcParam::ALPN.new(%w[h2 h3]), + ]) + + assert_equal 16, rr.priority + assert !rr.alias_mode? + assert rr.service_mode? + + assert_equal 1, rr.params.count + assert_instance_of Resolv::DNS::SvcParam::ALPN, rr.params[:alpn] + end + + def test_svcb_encode_order + msg = Resolv::DNS::Message.new(0) + msg.add_answer( + 'example.com.', 0, + Resolv::DNS::Resource::IN::SVCB.new(16, 'foo.example.org.', [ + Resolv::DNS::SvcParam::ALPN.new(%w[h2 h3-19]), + Resolv::DNS::SvcParam::Mandatory.new([4, 1]), + Resolv::DNS::SvcParam::IPv4Hint.new(['192.0.2.1']), + ]) + ) + + expected = wrap_rdata 64, 1, "\x00\x10\x03foo\x07example\x03org\x00" + + "\x00\x00\x00\x04\x00\x01\x00\x04" + + "\x00\x01\x00\x09\x02h2\x05h3-19" + + "\x00\x04\x00\x04\xc0\x00\x02\x01" + + assert_equal expected, msg.encode + end + + + ## Test vectors from [RFC9460] + + def test_alias_mode + wire = wrap_rdata 65, 1, "\x00\x00\x03foo\x07example\x03com\x00" + msg = Resolv::DNS::Message.decode(wire) + _, _, rr = msg.answer.first + + assert_equal 0, rr.priority + assert_equal Resolv::DNS::Name.create('foo.example.com.'), rr.target + assert_equal 0, rr.params.count + + assert_equal wire, msg.encode + end + + def test_target_name_is_root + wire = wrap_rdata 64, 1, "\x00\x01\x00" + msg = Resolv::DNS::Message.decode(wire) + _, _, rr = msg.answer.first + + assert_equal 1, rr.priority + assert_equal Resolv::DNS::Name.create('.'), rr.target + assert_equal 0, rr.params.count + + assert_equal wire, msg.encode + end + + def test_specifies_port + wire = wrap_rdata 64, 1, "\x00\x10\x03foo\x07example\x03com\x00" + + "\x00\x03\x00\x02\x00\x35" + msg = Resolv::DNS::Message.decode(wire) + _, _, rr = msg.answer.first + + assert_equal 16, rr.priority + assert_equal Resolv::DNS::Name.create('foo.example.com.'), rr.target + assert_equal 1, rr.params.count + assert_equal 53, rr.params[:port].port + + assert_equal wire, msg.encode + end + + def test_generic_key + wire = wrap_rdata 64, 1, "\x00\x01\x03foo\x07example\x03com\x00" + + "\x02\x9b\x00\x05hello" + msg = Resolv::DNS::Message.decode(wire) + _, _, rr = msg.answer.first + + assert_equal 1, rr.priority + assert_equal Resolv::DNS::Name.create('foo.example.com.'), rr.target + assert_equal 1, rr.params.count + assert_equal 'hello', rr.params[:key667].value + + assert_equal wire, msg.encode + end + + def test_two_ipv6hints + wire = wrap_rdata 64, 1, "\x00\x01\x03foo\x07example\x03com\x00" + + "\x00\x06\x00\x20" + + ("\x20\x01\x0d\xb8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01" + + "\x20\x01\x0d\xb8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x53\x00\x01") + msg = Resolv::DNS::Message.decode(wire) + _, _, rr = msg.answer.first + + assert_equal 1, rr.priority + assert_equal Resolv::DNS::Name.create('foo.example.com.'), rr.target + assert_equal 1, rr.params.count + assert_equal [Resolv::IPv6.create('2001:db8::1'), Resolv::IPv6.create('2001:db8::53:1')], + rr.params[:ipv6hint].addresses + + assert_equal wire, msg.encode + end + + def test_ipv6hint_embedded_ipv4 + wire = wrap_rdata 64, 1, "\x00\x01\x07example\x03com\x00" + + "\x00\x06\x00\x10\x20\x01\x0d\xb8\x01\x22\x03\x44\x00\x00\x00\x00\xc0\x00\x02\x21" + msg = Resolv::DNS::Message.decode(wire) + _, _, rr = msg.answer.first + + assert_equal 1, rr.priority + assert_equal Resolv::DNS::Name.create('example.com.'), rr.target + assert_equal 1, rr.params.count + assert_equal [Resolv::IPv6.create('2001:db8:122:344::192.0.2.33')], + rr.params[:ipv6hint].addresses + + assert_equal wire, msg.encode + end + + def test_mandatory_alpn_ipv4hint + wire = wrap_rdata 64, 1, "\x00\x10\x03foo\x07example\x03org\x00" + + "\x00\x00\x00\x04\x00\x01\x00\x04" + + "\x00\x01\x00\x09\x02h2\x05h3-19" + + "\x00\x04\x00\x04\xc0\x00\x02\x01" + msg = Resolv::DNS::Message.decode(wire) + _, _, rr = msg.answer.first + + assert_equal 16, rr.priority + assert_equal Resolv::DNS::Name.create('foo.example.org.'), rr.target + assert_equal 3, rr.params.count + assert_equal [1, 4], rr.params[:mandatory].keys + assert_equal ['h2', 'h3-19'], rr.params[:alpn].protocol_ids + assert_equal [Resolv::IPv4.create('192.0.2.1')], rr.params[:ipv4hint].addresses + + assert_equal wire, msg.encode + end + + def test_alpn_comma_backslash + wire = wrap_rdata 64, 1, "\x00\x10\x03foo\x07example\x03org\x00" + + "\x00\x01\x00\x0c\x08f\\oo,bar\x02h2" + msg = Resolv::DNS::Message.decode(wire) + _, _, rr = msg.answer.first + + assert_equal 16, rr.priority + assert_equal Resolv::DNS::Name.create('foo.example.org.'), rr.target + assert_equal 1, rr.params.count + assert_equal ['f\oo,bar', 'h2'], rr.params[:alpn].protocol_ids + + assert_equal wire, msg.encode + end +end From da9c023539b203667dcb7357b7b59e0df43bb1c2 Mon Sep 17 00:00:00 2001 From: Kasumi Hanazuki Date: Fri, 24 Nov 2023 10:42:02 +0900 Subject: [PATCH 3/8] Implement dohpath SvcParam (#33) * Implement dohpath SvcParam [RFC 9461] This patch implements "dohpath" SvcParam proposed in [draft-ietf-add-svcb-dns-08]. This parameter specifies a URI template for the :path used in DNS-over-HTTPS requests. "dohpath" is employed by [DDR], also a to-be-published Proposed Standard that specifies how to upgrade DNS transport to a more secure one, i.d., DNS-over-TLS or DNS-over-HTTPS. DDR is deployed in the public DNS resolvers including Cloudflare DNS, Google Public DNS, and Quad9. [RFC 9461]: https://datatracker.ietf.org/doc/rfc9461/ [DDR]: https://datatracker.ietf.org/doc/draft-ietf-add-ddr/ Co-authored-by: Sorah Fukumori --- lib/resolv.rb | 29 +++++++++++++++++++++++++++++ test/resolv/test_svcb_https.rb | 29 ++++++++++++++++++++++++++++- 2 files changed, 57 insertions(+), 1 deletion(-) diff --git a/lib/resolv.rb b/lib/resolv.rb index 6fe9822..9e83353 100644 --- a/lib/resolv.rb +++ b/lib/resolv.rb @@ -2027,6 +2027,35 @@ def self.decode(msg) # :nodoc: end end + ## + # "dohpath" SvcParam -- DNS over HTTPS path template [RFC9461] + + class DoHPath < SvcParam + KeyName = :dohpath + KeyNumber = 7 + ClassHash[KeyName] = ClassHash[KeyNumber] = self # :nodoc: + + ## + # URI template for DoH queries. + + attr_reader :template + + ## + # Initialize "dohpath" ScvParam. + + def initialize(template) + @template = template.encode('utf-8') + end + + def encode(msg) # :nodoc: + msg.put_bytes(@template) + end + + def self.decode(msg) # :nodoc: + template = msg.get_bytes.force_encoding('utf-8') + return self.new(template) + end + end end ## diff --git a/test/resolv/test_svcb_https.rb b/test/resolv/test_svcb_https.rb index 9b8b576..5dc3163 100644 --- a/test/resolv/test_svcb_https.rb +++ b/test/resolv/test_svcb_https.rb @@ -83,7 +83,6 @@ def test_svcb_encode_order assert_equal expected, msg.encode end - ## Test vectors from [RFC9460] def test_alias_mode @@ -201,4 +200,32 @@ def test_alpn_comma_backslash assert_equal wire, msg.encode end + + ## For [RFC9461] + + def test_dohpath + wire = wrap_rdata 64, 1, "\x00\x01\x03one\x03one\x03one\x03one\x00" + + "\x00\x01\x00\x03\x02h2" + + "\x00\x03\x00\x02\x01\xbb" + + "\x00\x04\x00\x08\x01\x01\x01\x01\x01\x00\x00\x01" + + "\x00\x06\x00\x20" + + ("\x26\x06\x47\x00\x47\x00\x00\x00\x00\x00\x00\x00\x00\x00\x11\x11" + + "\x26\x06\x47\x00\x47\x00\x00\x00\x00\x00\x00\x00\x00\x00\x10\x01") + + "\x00\x07\x00\x10/dns-query{?dns}" + msg = Resolv::DNS::Message.decode(wire) + _, _, rr = msg.answer.first + + assert_equal 1, rr.priority + assert_equal Resolv::DNS::Name.create('one.one.one.one.'), rr.target + assert_equal 5, rr.params.count + assert_equal ['h2'], rr.params[:alpn].protocol_ids + assert_equal 443, rr.params[:port].port + assert_equal [Resolv::IPv4.create('1.1.1.1'), Resolv::IPv4.create('1.0.0.1')], + rr.params[:ipv4hint].addresses + assert_equal [Resolv::IPv6.create('2606:4700:4700::1111'), Resolv::IPv6.create('2606:4700:4700::1001')], + rr.params[:ipv6hint].addresses + assert_equal '/dns-query{?dns}', rr.params[:dohpath].template + + assert_equal wire, msg.encode + end end From 5e2d48708bb2d28a344d2c027fea637a32df0621 Mon Sep 17 00:00:00 2001 From: KJ Tsanaktsidis Date: Fri, 24 Nov 2023 15:06:20 +1100 Subject: [PATCH 4/8] Catch EPROTONOSUPPORT as a sign of no IPv6 as well (#41) If IPv6 is disabled inside a freebsd jail, it seems this returns EPROTONOSUPPORT and not EAFNOSUPPORT. In both cases, we should simply try some other listed DNS servers. Fixes [Bug #19928] https://bugs.ruby-lang.org/issues/19928 --- lib/resolv.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/resolv.rb b/lib/resolv.rb index 9e83353..0c96ee8 100644 --- a/lib/resolv.rb +++ b/lib/resolv.rb @@ -750,7 +750,7 @@ def lazy_initialize next if @socks_hash[bind_host] begin sock = UDPSocket.new(af) - rescue Errno::EAFNOSUPPORT + rescue Errno::EAFNOSUPPORT, Errno::EPROTONOSUPPORT next # The kernel doesn't support the address family. end @socks << sock From 09d141de384730d0a5e98f72230281f6503b8e38 Mon Sep 17 00:00:00 2001 From: Jeremy Evans Date: Mon, 26 Aug 2019 20:30:59 -0700 Subject: [PATCH 5/8] Support a :use_ipv6 option to Resolv#initialize When set, supports returning IPv6 results even if there is no public IPv6 address for the system. Implements Ruby Feature #14922 --- lib/resolv.rb | 17 +++++++++++++++-- 1 file changed, 15 insertions(+), 2 deletions(-) diff --git a/lib/resolv.rb b/lib/resolv.rb index 0c96ee8..ef0f4b4 100644 --- a/lib/resolv.rb +++ b/lib/resolv.rb @@ -84,8 +84,8 @@ def self.each_name(address, &proc) ## # Creates a new Resolv using +resolvers+. - def initialize(resolvers=[Hosts.new, DNS.new]) - @resolvers = resolvers + def initialize(resolvers=nil, use_ipv6: nil) + @resolvers = resolvers || [Hosts.new, DNS.new(DNS::Config.default_config_hash.merge(use_ipv6: use_ipv6))] end ## @@ -408,6 +408,11 @@ def each_address(name) end def use_ipv6? # :nodoc: + use_ipv6 = @config.use_ipv6? + unless use_ipv6.nil? + return use_ipv6 + end + begin list = Socket.ip_address_list rescue NotImplementedError @@ -1006,6 +1011,7 @@ def lazy_initialize @mutex.synchronize { unless @initialized @nameserver_port = [] + @use_ipv6 = nil @search = nil @ndots = 1 case @config_info @@ -1030,6 +1036,9 @@ def lazy_initialize if config_hash.include? :nameserver_port @nameserver_port = config_hash[:nameserver_port].map {|ns, port| [ns, (port || Port)] } end + if config_hash.include? :use_ipv6 + @use_ipv6 = config_hash[:use_ipv6] + end @search = config_hash[:search] if config_hash.include? :search @ndots = config_hash[:ndots] if config_hash.include? :ndots @@ -1085,6 +1094,10 @@ def nameserver_port @nameserver_port end + def use_ipv6? + @use_ipv6 + end + def generate_candidates(name) candidates = nil name = Name.create(name) From 0de996dbca7977361ff439dbd6ba69e4b57b07be Mon Sep 17 00:00:00 2001 From: Jeremy Evans Date: Mon, 8 Mar 2021 15:28:04 -0800 Subject: [PATCH 6/8] Fix the fallback from UDP to TCP due to message truncation If truncation is detected, return immediately from decode so that the UDP connection can be retried with TCP, instead of failing to decode due to trying to decode a truncated response. Fixes [Bug #13513] --- lib/resolv.rb | 6 +- test/resolv/test_dns.rb | 172 ++++++++++++++++++++++++++++++++++++++++ 2 files changed, 176 insertions(+), 2 deletions(-) diff --git a/lib/resolv.rb b/lib/resolv.rb index ef0f4b4..f90df7d 100644 --- a/lib/resolv.rb +++ b/lib/resolv.rb @@ -1533,13 +1533,15 @@ def Message.decode(m) id, flag, qdcount, ancount, nscount, arcount = msg.get_unpack('nnnnnn') o.id = id + o.tc = (flag >> 9) & 1 + o.rcode = flag & 15 + return o unless o.tc.zero? + o.qr = (flag >> 15) & 1 o.opcode = (flag >> 11) & 15 o.aa = (flag >> 10) & 1 - o.tc = (flag >> 9) & 1 o.rd = (flag >> 8) & 1 o.ra = (flag >> 7) & 1 - o.rcode = flag & 15 (1..qdcount).each { name, typeclass = msg.get_question o.add_question(name, typeclass) diff --git a/test/resolv/test_dns.rb b/test/resolv/test_dns.rb index d9db840..c0400b4 100644 --- a/test/resolv/test_dns.rb +++ b/test/resolv/test_dns.rb @@ -44,6 +44,16 @@ def teardown BasicSocket.do_not_reverse_lookup = @save_do_not_reverse_lookup end + def with_tcp(host, port) + t = TCPServer.new(host, port) + begin + t.listen(1) + yield t + ensure + t.close + end + end + def with_udp(host, port) u = UDPSocket.new begin @@ -157,6 +167,168 @@ def test_query_ipv4_address } end + def test_query_ipv4_address_truncated_tcp_fallback + begin + OpenSSL + rescue LoadError + skip 'autoload problem. see [ruby-dev:45021][Bug #5786]' + end if defined?(OpenSSL) + + num_records = 50 + + with_udp('127.0.0.1', 0) {|u| + _, server_port, _, server_address = u.addr + with_tcp('127.0.0.1', server_port) {|t| + client_thread = Thread.new { + Resolv::DNS.open(:nameserver_port => [[server_address, server_port]]) {|dns| + dns.getresources("foo.example.org", Resolv::DNS::Resource::IN::A) + } + } + udp_server_thread = Thread.new { + msg, (_, client_port, _, client_address) = Timeout.timeout(5) {u.recvfrom(4096)} + id, word2, qdcount, ancount, nscount, arcount = msg.unpack("nnnnnn") + qr = (word2 & 0x8000) >> 15 + opcode = (word2 & 0x7800) >> 11 + aa = (word2 & 0x0400) >> 10 + tc = (word2 & 0x0200) >> 9 + rd = (word2 & 0x0100) >> 8 + ra = (word2 & 0x0080) >> 7 + z = (word2 & 0x0070) >> 4 + rcode = word2 & 0x000f + rest = msg[12..-1] + assert_equal(0, qr) # 0:query 1:response + assert_equal(0, opcode) # 0:QUERY 1:IQUERY 2:STATUS + assert_equal(0, aa) # Authoritative Answer + assert_equal(0, tc) # TrunCation + assert_equal(1, rd) # Recursion Desired + assert_equal(0, ra) # Recursion Available + assert_equal(0, z) # Reserved for future use + assert_equal(0, rcode) # 0:No-error 1:Format-error 2:Server-failure 3:Name-Error 4:Not-Implemented 5:Refused + assert_equal(1, qdcount) # number of entries in the question section. + assert_equal(0, ancount) # number of entries in the answer section. + assert_equal(0, nscount) # number of entries in the authority records section. + assert_equal(0, arcount) # number of entries in the additional records section. + name = [3, "foo", 7, "example", 3, "org", 0].pack("Ca*Ca*Ca*C") + assert_operator(rest, :start_with?, name) + rest = rest[name.length..-1] + assert_equal(4, rest.length) + qtype, _ = rest.unpack("nn") + assert_equal(1, qtype) # A + assert_equal(1, qtype) # IN + id = id + qr = 1 + opcode = opcode + aa = 0 + tc = 1 + rd = rd + ra = 1 + z = 0 + rcode = 0 + qdcount = 0 + ancount = num_records + nscount = 0 + arcount = 0 + word2 = (qr << 15) | + (opcode << 11) | + (aa << 10) | + (tc << 9) | + (rd << 8) | + (ra << 7) | + (z << 4) | + rcode + msg = [id, word2, qdcount, ancount, nscount, arcount].pack("nnnnnn") + type = 1 + klass = 1 + ttl = 3600 + rdlength = 4 + num_records.times do |i| + rdata = [192,0,2,i].pack("CCCC") # 192.0.2.x (TEST-NET address) RFC 3330 + rr = [name, type, klass, ttl, rdlength, rdata].pack("a*nnNna*") + msg << rr + end + u.send(msg[0...512], 0, client_address, client_port) + } + tcp_server_thread = Thread.new { + ct = t.accept + msg = ct.recv(512) + msg.slice!(0..1) # Size (only for TCP) + id, word2, qdcount, ancount, nscount, arcount = msg.unpack("nnnnnn") + qr = (word2 & 0x8000) >> 15 + opcode = (word2 & 0x7800) >> 11 + aa = (word2 & 0x0400) >> 10 + tc = (word2 & 0x0200) >> 9 + rd = (word2 & 0x0100) >> 8 + ra = (word2 & 0x0080) >> 7 + z = (word2 & 0x0070) >> 4 + rcode = word2 & 0x000f + rest = msg[12..-1] + assert_equal(0, qr) # 0:query 1:response + assert_equal(0, opcode) # 0:QUERY 1:IQUERY 2:STATUS + assert_equal(0, aa) # Authoritative Answer + assert_equal(0, tc) # TrunCation + assert_equal(1, rd) # Recursion Desired + assert_equal(0, ra) # Recursion Available + assert_equal(0, z) # Reserved for future use + assert_equal(0, rcode) # 0:No-error 1:Format-error 2:Server-failure 3:Name-Error 4:Not-Implemented 5:Refused + assert_equal(1, qdcount) # number of entries in the question section. + assert_equal(0, ancount) # number of entries in the answer section. + assert_equal(0, nscount) # number of entries in the authority records section. + assert_equal(0, arcount) # number of entries in the additional records section. + name = [3, "foo", 7, "example", 3, "org", 0].pack("Ca*Ca*Ca*C") + assert_operator(rest, :start_with?, name) + rest = rest[name.length..-1] + assert_equal(4, rest.length) + qtype, _ = rest.unpack("nn") + assert_equal(1, qtype) # A + assert_equal(1, qtype) # IN + id = id + qr = 1 + opcode = opcode + aa = 0 + tc = 0 + rd = rd + ra = 1 + z = 0 + rcode = 0 + qdcount = 0 + ancount = num_records + nscount = 0 + arcount = 0 + word2 = (qr << 15) | + (opcode << 11) | + (aa << 10) | + (tc << 9) | + (rd << 8) | + (ra << 7) | + (z << 4) | + rcode + msg = [id, word2, qdcount, ancount, nscount, arcount].pack("nnnnnn") + type = 1 + klass = 1 + ttl = 3600 + rdlength = 4 + num_records.times do |i| + rdata = [192,0,2,i].pack("CCCC") # 192.0.2.x (TEST-NET address) RFC 3330 + rr = [name, type, klass, ttl, rdlength, rdata].pack("a*nnNna*") + msg << rr + end + msg = "#{[msg.bytesize].pack("n")}#{msg}" # Prefix with size + ct.send(msg, 0) + ct.close + } + result, _ = assert_join_threads([client_thread, udp_server_thread, tcp_server_thread]) + assert_instance_of(Array, result) + assert_equal(50, result.length) + result.each_with_index do |rr, i| + assert_instance_of(Resolv::DNS::Resource::IN::A, rr) + assert_instance_of(Resolv::IPv4, rr.address) + assert_equal("192.0.2.#{i}", rr.address.to_s) + assert_equal(3600, rr.ttl) + end + } + } + end + def test_query_ipv4_duplicate_responses begin OpenSSL From c0e5abab76609f41d60dbd714ce6f94b737337e2 Mon Sep 17 00:00:00 2001 From: Jeremy Evans Date: Fri, 17 Sep 2021 17:17:20 -0700 Subject: [PATCH 7/8] Support a :raise_timeout_errors option to raise timeouts as Resolv::ResolvError This allows to differentiate a timeout from an NXDOMAIN response. Fixes [Bug #18151] --- lib/resolv.rb | 6 ++++++ test/resolv/test_dns.rb | 24 ++++++++++++++++++++++++ 2 files changed, 30 insertions(+) diff --git a/lib/resolv.rb b/lib/resolv.rb index f90df7d..6879022 100644 --- a/lib/resolv.rb +++ b/lib/resolv.rb @@ -312,6 +312,8 @@ def self.open(*args) # String:: Path to a file using /etc/resolv.conf's format. # Hash:: Must contain :nameserver, :search and :ndots keys. # :nameserver_port can be used to specify port number of nameserver address. + # :raise_timeout_errors can be used to raise timeout errors + # as exceptions instead of treating the same as an NXDOMAIN response. # # The value of :nameserver should be an address string or # an array of address strings. @@ -1041,6 +1043,7 @@ def lazy_initialize end @search = config_hash[:search] if config_hash.include? :search @ndots = config_hash[:ndots] if config_hash.include? :ndots + @raise_timeout_errors = config_hash[:raise_timeout_errors] if @nameserver_port.empty? @nameserver_port << ['0.0.0.0', Port] @@ -1131,6 +1134,7 @@ def generate_timeouts def resolv(name) candidates = generate_candidates(name) timeouts = @timeouts || generate_timeouts + timeout_error = false begin candidates.each {|candidate| begin @@ -1142,11 +1146,13 @@ def resolv(name) end } } + timeout_error = true raise ResolvError.new("DNS resolv timeout: #{name}") rescue NXDomain end } rescue ResolvError + raise if @raise_timeout_errors && timeout_error end end diff --git a/test/resolv/test_dns.rb b/test/resolv/test_dns.rb index c0400b4..63ab666 100644 --- a/test/resolv/test_dns.rb +++ b/test/resolv/test_dns.rb @@ -630,4 +630,28 @@ def dns.each_resource(name, typeclass) end assert_raise(Resolv::ResolvError) { dns.each_name('example.com') } end + + def test_unreachable_server + unreachable_ip = '127.0.0.1' + sock = UDPSocket.new + sock.connect(unreachable_ip, 53) + begin + sock.send('1', 0) + rescue Errno::ENETUNREACH, Errno::EHOSTUNREACH + else + omit('cannot test unreachable server, as IP used is reachable') + end + + config = { + :nameserver => [unreachable_ip], + :search => ['lan'], + :ndots => 1 + } + r = Resolv.new([Resolv::DNS.new(config)]) + assert_equal([], r.getaddresses('www.google.com')) + + config[:raise_timeout_errors] = true + r = Resolv.new([Resolv::DNS.new(config)]) + assert_raise(Resolv::ResolvError) { r.getaddresses('www.google.com') } + end end From 49aefa3bba1b5c4af0826bee431a697451f9ed14 Mon Sep 17 00:00:00 2001 From: Nobuyoshi Nakada Date: Sun, 26 Nov 2023 10:03:45 +0900 Subject: [PATCH 8/8] Close leaked FD --- test/resolv/test_dns.rb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/test/resolv/test_dns.rb b/test/resolv/test_dns.rb index 63ab666..20c3408 100644 --- a/test/resolv/test_dns.rb +++ b/test/resolv/test_dns.rb @@ -653,5 +653,7 @@ def test_unreachable_server config[:raise_timeout_errors] = true r = Resolv.new([Resolv::DNS.new(config)]) assert_raise(Resolv::ResolvError) { r.getaddresses('www.google.com') } + ensure + sock&.close end end