{resolver,validator}: provide more EDE codes. (!1590) · Merge requests · Knot projects / Knot Resolver · GitLab

GitLab now enforces expiry dates on tokens that originally had no set expiration date. Those tokens were given an expiration date of one year later. Please review your personal access tokens, project access tokens, and group access tokens to ensure you are aware of upcoming expirations. Administrators of GitLab can find more information on how to identify and mitigate interruption in our documentation.

Self sign-up has been disabled due to increased spam activity. If you want to get access, please send an email to a project owner (preferred) or at gitlab(at)nic(dot)cz. We apologize for the inconvenience.

menakite requested to merge menakite/knot-resolver:add-edes into master Aug 11, 2024

dnssec:

Provide a way to retrieve whether a DNSKEY has the Zone Key Bit set, and add bindings for Lua modules (kr_dnssec_key_zonekey_flag), like kr_dnssec_key_sep_flag.
In kr_ds_algo_support() provide a way to retrieve what is wrong with the keys.
Check if a RRSIG RR has the signature expired already before inception time.

validator:

Set EDE "Unsupported NSEC3 Iterations Value" when downgrading.
Set EDE "Signature Expired before Valid" when checking RRSIGs.
Set EDE "No Zone Key Bit Set" when a DNSKEY with the Zone Key Bit set to 0 is discarded.
Instead of the generic "Other Error" with extra text "unsupported digest/key", set appropriate EDEs "Unsupported DNSKEY Algorithm" and "Unsupported DS Digest Type".

resolver:

Set EDE "No Reachable Authority" when it is decided that all authoritative servers are unreachable or misbehaving.

Depends on/supersedes !1585 (merged).

Edited Aug 13, 2024 by menakite