gitlab.mim-libre.fr / EOLE / amon-3 / opnsense / src
OPNsense operating system on top of HardenedBSD
stars: 0
forks: 0
open issues:
license: other
language:
analyzed dependencies: 229
(The entries below are not package dependencies. They are line fragments of Unbound's "Requirements for Recursive Caching Resolver" document (W.C.A. Wijngaards, NLnet Labs, October 2006) that a dependency scanner misread as a package manifest; each entry is one wrapped line of that text, listed alphabetically rather than in document order, with the scanner's spurious version marker removed.)
created: about 4 years ago
updated: more than 3 years ago
registered: 11 months ago
last synchronised: about 23 hours ago
- 1. Introduction
- 2. History
- 3. Goals
- 3 lists the goals, while Section 4 lists the explicit non
- 4. Non-Goals
- 5. Choices
- A DS record would indicate a referral.
- A SOA record would indicate that this was a NODATA answer.
- Absence of NS record would indicate a NODATA answer as well.
- Adding full authority support, requires much more code, and more complex
- A direct query for that name will attempt to get a msg into the message
- Also for zones for which no chain of trust exists, but a DS is given by the
- Also redirection of domain names with fixed data is needed by service
- A misconfiguration that sometimes happens is where the parent and child
- And thus prevents cache-snooping
- By W.C.A. Wijngaards, NLnet Labs, October 2006.
- Concluding, a spoof of the parent delegation can be used for many cases
- Contents
- Data in the DNS is stored in Resource Record sets
- For referrals, delegations that add a single label can be checked to be
- For some boxes it is necessary to probe for every failing query, a
- However, some authority features are expected in a recursor. Things like
- If many queries are made, and they are made to names for which the
- If the cache memory is low
- If the domain is DNSSEC signed, by the way, then NSEC records are
- If the other domain is signed by DNSSEC, the fakes will be detected.
- In Section 2 the origins of the Unbound project are documented. Section
- Instead of a false positive, we want false negatives
- In summary, the harden glue feature presents a security risk if
- It does do some rrsig duplicate removal, in the msgparser, for dnssec qtype
- It minimizes the chances of a dropped query making a
- It succeeds if one has 0x20 intact, or else all are equal.
- Main points
- Matt Larson
- NSEC and NSEC3 records were obtained
- Name System
- Not all glue is let through
- Otherwise, it results in a 5 second wait time before EDNS timeout is
- Otherwise, servfail is returned to the client.
- RR may be inserted, within the message TTL time, and thus return the
- Requirements for Recursive Caching Resolver
- Retries on a validation failure are now 5x to a different nameserver IP
- Sisson and Roy Arends from Nominet. Around 2006 the idea came to create
- So, only messages that identify the zone are used to mark the zone
- So it will faithfully negative cache for the exact TTL as originally
- Some middleboxes drop EDNS0 queries, mainly when forwarding, not when
- So possibly, for complicated setups, with multiple
- That includes almost all negative responses and also A, AAAA qtypes.
- That would be most responses from servers.
- The Java prototype worked very well, with contributions from Geoff
- The casing from the query name is used in preference to the casing
- The current unbound code uses a negative cache for queries for type DS.
- The dnssec-lameness detection is used to detect operator failures,
- The draft describes to back off to the next server, and go through all
- The following issue needs to be resolved
- The glue that is let through is stored in the cache
- The last 50
- The limited support allows adding some static data
- The main components are the Validator that validates the security
- The message has a TTL smaller or equal to the TTL of the answer RR.
- Then the receiver does not know whether this was a referral
- The server can be spoofed by getting it to visit an especially prepared
- These situations become consistent once the original TTL expires.
- The timeout can be configured.
- The unbound resolver project started by Bill Manning, David Blacka, and
- They are sent to a random server, but no one address more than 4 times.
- This denies queries that are not authoritative, or version.bind, or any.
- This is a recursive server, and authority features are out of scope.
- This is the requirements document for a DNS name server and aims to
- This project aims to develop such a name server in modular components, so
- This speeds up building chains of trust, and uses NSEC and NSEC3
- This works very well when detecting an address that you use much - like
- Thus, even long queries get a 50
- To combat this the first 50
- Unbound assumes EDNS0 support for the first query. Then it can detect
- Unbound keeps TTL values for message formats, and thus rcodes, such
- Unbound preserves the casing received from authority servers as best
- When a new query comes in, and a place in the first 50
- You can put authority data on a separate server, and set the server in
- additional section
- addresses, and then makes 3
- a forwarder address - which is where the middleboxes need to be detected.
- a full-fledged C implementation ready for deployed use. NLnet Labs
- and queried for again, so that its proof can be checked again.
- and to respond with a fixed rcode
- answer will be put in the cache, marked as
- a referral. When answering to clients, a SOA record is needed for
- are picked up.
- are the only ones working, and servers reported by the child do not.
- as NXDOMAIN. Also it keeps the latest rrsets in the rrset cache.
- ascertains that RRSIGs are OK
- a single probe query is sent. This probe has a sub-second timeout, and
- as more glue is present for the recursive service to use. The feature
- as possible. It compresses without case, so case can get lost there.
- at no-data proof. It could be determined by attempting to prove
- authoritative servers, does not perform duplicate removal.
- authority servers do not respond, then the request list for unbound
- before the validator will properly verify the messages.
- behaviour.
- by newer queries when older
- cache. Since A and AAAA queries are not synthesized by the unbound cache,
- check NSEC
- clients when possible
- created a Java based prototype resolver called Unbound. The basic
- data from previous queries. The networking and query management code
- data from the parent of a zone. This can be used, by spoofing the parent,
- design decisions of clean modules was executed.
- detect dnssec-lameness is less of a problem than marking honest
- detected, which is slow but it works at least.
- disabled. Disabling the feature leads to possibly better performance
- document the goals and non-goals of the project. The DNS
- domain. This domain then inserts an address for another authoritative
- doubt. This case is validated by unbound as a
- duplicates, but when presented with duplicates on the wire from the
- effect of many resolvers less and easier to handle, but penalizes
- either condition
- falsely EDNS-nonsupporting, and thus DNSSEC
- fills up fast. This results in denial of service for new queries.
- final answer. To help lookups, unbound will however use the parent
- fingerprints on data sets, the Iterator that sends queries to the
- from their zone, this covers most delegation
- from the server without making unbound authoritative for the zones.
- have different NS, glue information. The child is authoritative, and
- hierarchical DNS servers that own the data and the Cache that stores
- if the server responds
- indicates a zone version where this domain is not any longer NXDOMAIN.
- individual resolvers by having less probes and a longer time before fixes
- is detected. Instead the zone that is dnssec-lame becomes bogus.
- is implemented so as to minimise the security risk, while trying to
- is preferred. Otherwise, it can replace older queries out of the last 50
- is when a server has the zone in question, but lacks dnssec data, such as
- keep this performance gain.
- key cache additionally, after the probing, a bad key entry is created that
- lame, and not used for 900 seconds, and the second will result in a
- lame. The zone is identified by SOA or NS RRsets in the answer
- localhost, reverse lookup for 127.0.0.1, or blocking AS112 traffic.
- looks up data in the DNS for clients and caches previous answers to
- maintenance.
- makes the entire zone bogus for 900 seconds. This is a fixed value at
- message from cache which is
- middleboxes, and can detect the occasional authority that drops EDNS.
- negative cached NXDOMAIN reply with a SOA RR where the serial number
- no out of zone glue is used for further resolving, is more complicated
- o 0x20 backoff.
- o An authoritative name server.
- o A validating recursive DNS resolver.
- o Case preservation
- o Code diversity in the DNS resolver monoculture.
- o DNSSEC support.
- o Denial of service protection
- o Drop-in replacement for BIND apart from config.
- o EDNS fallback. Is done according to the EDNS RFC
- o Elegant design of validator, resolver, cache modules.
- o Failure of validation and probing.
- o Fully RFC compliant.
- o Highly portable, targets include modern Unix systems, such as
- o High performance
- o If a client makes a query without RD bit, in the case of a returned
- o In C, open source
- o NXDOMAIN and SOA serial numbers.
- o Parent and child with different nameserver information.
- o Robust.
- o SOA records in negative cached answers for DS queries.
- o Smallest as possible component that does the job.
- o Stub-zones can be configured
- o The harden-glue feature, when yes all out of zone glue is deleted, when
- o The method by which dnssec-lameness is detected is not secure. DNSSEC lame
- o Too many Features.
- o Used as
- o authority features.
- of denial of service. I.e. a completely different NS set could be returned,
- of the authority server. This is the same as BIND. RFC 4343 allows either
- on a server, dnssec
- one or two round-trip resolves can be done in the last 50
- or dnssec-non-lameness in the child. The first results in the server marked
- o rfc2181 discourages duplicate RRs in RRsets. unbound does not create
- or the information withheld. All of these alterations can be caught by
- o the access control denies queries before any other processing.
- parent, dnssec
- present in the NS record in the authority section is let through.
- project. Section 5 discusses choices made during development.
- proofs could be valid, or neither could be valid, which creates
- providers. Limited support is added specifically to address this.
- queries and get answers from the cache
- queries are performed to get the data.
- reassurance that the DNS server does EDNS does not mean that path can
- returned to the client.
- routing packets. To detect this, when timeouts keep happening, as the
- rrsig and any, because of special rrsig processing in the msgparser.
- run as a server, but linked into an application
- server into the cache, when visiting that other domain, this address may
- servers lame. dnssec-lameness is a config error and deserves the trouble.
- servers several times. Unbound goes on to get the full list of nameserver
- signatures. The method to detect dnssec lameness looks at nonvalidated
- solaris, linux, and maybe also the windows platform.
- specified for an NXDOMAIN message, but send a newer SOA record if
- speed up processing is called a caching, recursive nameserver.
- spoofed glue to a client. When the message expires, it is refetched and
- structure for queries.
- support
- take large DNS answers.
- than that, see below.
- that also DNSSEC
- the bare NSEC
- the cached RR is updated with the correct content.
- the correct message format, a SOA record is picked from the cache
- the message cache. If a DNSKEY or DS fails in the chain of trust in the
- then be used to send queries to. And fake answers may be returned.
- then interface with the modules to perform the necessary processing.
- the validator if the parent is signed, and result in 900 seconds bogus.
- this has been found in the meantime. In point, this could lead to a
- this query will be
- this time and is conservative in sending probes. It makes the compound
- those misconfigured domains where the servers reported by the parent
- thus remove the
- thus useful to cache data to speed up future lookups. A server that
- timeout approached 5-10 seconds, and EDNS status has not been detected yet,
- time to live
- to create a false sense of dnssec-lameness in the child, or a false sense
- unbound.conf as stub for those zones, this allows clients to access data
- unbound will not trust information from the parent nameservers as the
- updated from another query, the NXDOMAIN is dropped from the cache,
- updated more carefully. If one of the NSEC records in an NXDOMAIN is
- validator failure
- version of the glue as a last resort lookup. This resolves lookups for
- volunteered to write this implementation.
- which is present in a delegation, of type A and AAAA, where the name is
- will not be present in the reply to the client
- with attempt at no-DS proof
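The 0x20 backoff entries above ("The draft describes to back off to the next server ...", "Unbound goes on to get the full list of nameserver addresses, and then makes 3 ...", "They are sent to a random server, but no one address more than 4 times.", "It succeeds if one has 0x20 intact, or else all are equal.", "Otherwise, servfail is returned to the client.") describe a decision rule that is easier to see in code. The following is an added illustration written for this page, not Unbound's own code: the `Response` structure, the function names and the sample replies are constructed for the example, and the scheduling function is one reading of the "3 more queries, no address more than 4 times" rule.

```python
"""0x20 fallback decision, modelled on the Unbound requirements notes above.

Added illustration, not Unbound's code. The query name is sent with randomly
cased letters (the 0x20 bit of each ASCII letter). A reply that echoes that
exact casing proves it matched our query. If no reply does, the fallback
accepts the answer only when every queried address returned identical data;
otherwise the client gets SERVFAIL.
"""
from __future__ import annotations

import random
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Response:
    """One reply from one nameserver address (hypothetical structure)."""
    server: str
    echoed_qname: str          # QNAME as the server copied it back
    rdata: frozenset[str]      # answer RRset as a set of rdata strings


def randomize_0x20(qname: str, rng: Optional[random.Random] = None) -> str:
    """Randomly flip bit 0x20 of every ASCII letter ('a' ^ 0x20 == 'A')."""
    rng = rng or random.Random()
    out = []
    for ch in qname:
        if ch.isascii() and ch.isalpha() and rng.random() < 0.5:
            out.append(chr(ord(ch) ^ 0x20))
        else:
            out.append(ch)
    return "".join(out)


def schedule_fallback_queries(addresses: list[str],
                              rng: Optional[random.Random] = None,
                              extra_per_address: int = 3,
                              cap_per_address: int = 4) -> list[str]:
    """Targets for the fallback round: 3 more queries per address, each sent to
    a random address, with no address asked more than 4 times in total (the
    first, mismatching query counts as one of the 4)."""
    rng = rng or random.Random()
    budget = {a: cap_per_address - 1 for a in addresses}   # 3 more each
    order = []
    for _ in range(extra_per_address * len(addresses)):
        candidates = [a for a, left in budget.items() if left > 0]
        target = rng.choice(candidates)
        budget[target] -= 1
        order.append(target)
    return order


def decide_0x20(sent_qname: str, responses: list[Response]) -> Optional[frozenset[str]]:
    """'It succeeds if one has 0x20 intact, or else all are equal.'

    Returns the accepted RRset, or None meaning SERVFAIL to the client."""
    # Only replies for our name (compared case-insensitively) count at all.
    usable = [r for r in responses
              if r.echoed_qname.lower() == sent_qname.lower()]
    if not usable:
        return None
    # A server that preserved our random casing echoed our exact query.
    for r in usable:
        if r.echoed_qname == sent_qname:
            return r.rdata
    # No 0x20-intact reply: accept only if every address agrees.
    first = usable[0].rdata
    if all(r.rdata == first for r in usable):
        return first
    return None


# Constructed sample data for the three outcomes (not captured traffic).
SENT = "wWw.ExAmPlE.cOm."
GOOD = frozenset({"192.0.2.10"})
FAKE = frozenset({"203.0.113.7"})
MIXED_WITH_INTACT = [                      # one downcases, one echoes casing
    Response("198.51.100.1", "www.example.com.", FAKE),
    Response("198.51.100.2", SENT, GOOD),
]
AGREEING = [                               # nobody keeps case, all agree
    Response("198.51.100.1", "www.example.com.", GOOD),
    Response("198.51.100.2", "WWW.EXAMPLE.COM.", GOOD),
]
DISAGREEING = [                            # nobody keeps case, data differ
    Response("198.51.100.1", "www.example.com.", GOOD),
    Response("198.51.100.2", "www.example.com.", FAKE),
]

if __name__ == "__main__":
    rng = random.Random(20)
    print("0x20 qname:", randomize_0x20("www.example.com.", rng))
    print("fallback targets:",
          schedule_fallback_queries(["198.51.100.1", "198.51.100.2"], rng))
    for label, rs in (("intact", MIXED_WITH_INTACT), ("agree", AGREEING),
                      ("differ", DISAGREEING)):
        print(label, decide_0x20(SENT, rs))
```

The first case shows why the intact-casing check comes first: the downcasing server returned different data, but the reply that echoed our exact casing is the one that demonstrably answered our query, so it wins. Without any intact echo, agreement across all addresses is the only remaining evidence, and disagreement falls through to SERVFAIL rather than guessing.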