From vladimir.levijev at gmail.com Mon May 7 14:20:19 2018
From: vladimir.levijev at gmail.com (Vladimir Levijev)
Date: Mon, 07 May 2018 14:20:19 +0000
Subject: [ldns-users] DNS RCODEs

On Thu, Mar 22, 2018 at 10:26 AM Vladimir Levijev <vladimir.levijev at gmail.com> wrote:

> Currently ldns supports RCODES from 0 to 10:
>
>     /* rcodes for pkts */
>     enum ldns_enum_pkt_rcode {
>         LDNS_RCODE_NOERROR = 0,
>         LDNS_RCODE_FORMERR = 1,
>         LDNS_RCODE_SERVFAIL = 2,
>         LDNS_RCODE_NXDOMAIN = 3,
>         LDNS_RCODE_NOTIMPL = 4,
>         LDNS_RCODE_REFUSED = 5,
>         LDNS_RCODE_YXDOMAIN = 6,
>         LDNS_RCODE_YXRRSET = 7,
>         LDNS_RCODE_NXRRSET = 8,
>         LDNS_RCODE_NOTAUTH = 9,
>         LDNS_RCODE_NOTZONE = 10
>     };
>
> while the RFC lists more (16-23 are missing):
> https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml#dns-parameters-6
>
> Is there a reason for that, or is adding the rest planned for the future?

Getting back to this old question. We found out that there are actually 2 groups of RCODEs:

- unextended (0-15), available in the DNS packet header
- extended (>16), available in different resource records

Quoting https://tools.ietf.org/html/rfc2929#section-2.3 :

    [...]
    It would appear from the DNS header above that only four bits of
    RCODE, or response/error code are available. However, RCODEs can
    appear not only at the top level of a DNS response but also inside
    OPT RRs [RFC 2671], TSIG RRs [RFC 2845], and TKEY RRs [RFC 2930].
    The OPT RR provides an eight bit extension resulting in a 12 bit
    RCODE field and the TSIG and TKEY RRs have a 16 bit RCODE field.
    [...]

Is there a plan to support extended RCODEs?

Cheers,

VL


From rick.vanderzwet at anywi.com Wed May 9 09:10:16 2018
From: rick.vanderzwet at anywi.com (Rick van der Zwet)
Date: Wed, 9 May 2018 11:10:16 +0200
Subject: [ldns-users] timeout query option in drill

Hi,

I am converting a script [1] to use drill instead of dig; however, I ran into an issue which causes the script to run too long.
dig (named) has a timeout flag which could limit the run time of a single query:

    +timeout=T
        Sets the timeout for a query to T seconds. The default timeout
        is 5 seconds. An attempt to set T to less than 1 will result
        in a query timeout of 1 second being applied.

drill lacks this option, which is slightly annoying since we like to use the tooling in scripting, in which all responses above 1 second are considered useless.

I have hacked together a small patch (attached) which adds a timeout flag to drill. Since the usual suspects of flags (-t -T) were taken I chose '-W' (wait).

Best regards,

-Rick

[1] https://svn.wirelessleiden.nl/svn/code/hybrid/branches/releng-11/nanobsd/files/tools/nameserver-shuffle

-------------- next part --------------
A non-text attachment was scrubbed...
Name: drill-add-timeout-option.patch
Type: text/x-patch
Size: 2983 bytes


From sca at andreasschulze.de Mon May 21 14:56:35 2018
From: sca at andreasschulze.de (A. Schulze)
Date: Mon, 21 May 2018 16:56:35 +0200
Subject: [ldns-users] using ldns-revoke

Hello,

I'd like to understand the revoked state of a key. As far as I learned, I could set a flag in a DNSSEC key to mark that key as revoked. That's what ldns-revoke does.

But what now? Should I publish the revoked key as self-signed? Which tools may I use?

My workflow (without ZSKs) is as follows:

- take plain, unsigned zone data
- append DNSKEY data
- sign with the private key
- publish the signed zone

On key rollover I have to append two keys' DNSKEY data, one with the revoke bit set. But it isn't self-signed automatically. ????

Andreas
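The first message on this page quotes RFC 2929 on the OPT RR extending the 4-bit header RCODE to 12 bits. As an added example (not ldns code and not from any of the posters), the function below walks a wire-format DNS message, finds an OPT RR (type 41) and combines the EXTENDED-RCODE held in the top byte of its TTL field with the header RCODE, returning the plain header RCODE when no OPT RR is present; the two sample messages are constructed by hand for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>

/* Skip a wire-format name at off; returns the offset after it, 0 on error. */
static size_t skip_name(const uint8_t *msg, size_t len, size_t off) {
    while (off < len) {
        uint8_t l = msg[off];
        if (l == 0) return off + 1;                         /* root label ends the name */
        if ((l & 0xC0) == 0xC0) return off + 2 <= len ? off + 2 : 0; /* compression pointer */
        if (l & 0xC0) return 0;                             /* reserved label types */
        off += 1 + l;
    }
    return 0;                                               /* ran off the end of the message */
}

/* 12-bit extended RCODE: (top TTL byte of the OPT RR << 4) | 4-bit header RCODE.
   Without an OPT RR the header RCODE is returned unchanged; -1 means malformed. */
int dns_extended_rcode(const uint8_t *msg, size_t len) {
    if (len < 12) return -1;
    int rcode = msg[3] & 0x0F;                              /* low nibble of header byte 3 */
    unsigned qd = (msg[4] << 8) | msg[5];
    unsigned rr = ((msg[6] << 8) | msg[7]) + ((msg[8] << 8) | msg[9])
                + ((msg[10] << 8) | msg[11]);               /* AN + NS + AR record counts */
    size_t off = 12;
    for (unsigned i = 0; i < qd; i++) {                     /* question section */
        if ((off = skip_name(msg, len, off)) == 0 || off + 4 > len) return -1;
        off += 4;                                           /* QTYPE + QCLASS */
    }
    for (unsigned i = 0; i < rr; i++) {                     /* answer/authority/additional */
        if ((off = skip_name(msg, len, off)) == 0 || off + 10 > len) return -1;
        unsigned type = (msg[off] << 8) | msg[off + 1];
        unsigned rdlen = (msg[off + 8] << 8) | msg[off + 9];
        if (type == 41) return (msg[off + 4] << 4) | rcode; /* OPT: TTL byte 0 is the extension */
        off += 10 + rdlen;
        if (off > len) return -1;
    }
    return rcode;
}

/* Constructed sample: header RCODE 0 plus OPT EXTENDED-RCODE 1 => BADVERS (16). */
static const uint8_t sample_badvers[] = {
    0x12, 0x34, 0x81, 0x80, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
    7, 'e', 'x', 'a', 'm', 'p', 'l', 'e', 3, 'c', 'o', 'm', 0, 0x00, 0x01, 0x00, 0x01,
    0, 0x00, 0x29, 0x10, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00 };
/* Constructed sample: plain NXDOMAIN (3), empty sections, no OPT RR. */
static const uint8_t sample_nxdomain[] = {
    0x12, 0x35, 0x81, 0x83, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
```

A truncated message (for instance, the BADVERS sample cut to 20 bytes) returns -1 rather than a guessed code.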