conditional message comparison
Some fields of DNS messages need to be compared (and match) only under certain conditions.
Open question: how to express these conditions / checks?

- add an all-in-one check authorityIfRelevant with all the logic under it
- more granular checks like authorityIfNXDOMAIN, authorityIfNODATA, etc.
- support fancy conditions like if (rcode == NXDOMAIN) {authority} etc.
Example 1
If the DNS answer is a terminal answer with RCODE = NOERROR and no delegation, it does not make sense to insist on equality of the AUTHORITY section, because its content is not standardized for this case. E.g. Unbound will stuff in NS records even if they are not strictly required, while BIND with minimal-responses: yes (or version 9.12 and newer) will not add these NS records.
Example 2
On the other hand, if the answer has RCODE = NXDOMAIN then the content of the AUTHORITY section should match, because it is mandatory to add an SOA record there, and possibly a proof of nonexistence if the domain is signed.
Example 3
A nodata response, i.e. RCODE = NOERROR accompanied by an ANSWER section containing just CNAME/DNAME records (where QNAME and QTYPE do not match the values in the ANSWER section), should again contain a proof of nonexistence if the domain is signed.
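As an added example (not code from the project this issue belongs to), the Python below sketches the first two options from the list above side by side: granular checks (authority_if_nxdomain, authority_if_nodata, authority_if_delegation) and an all-in-one authority_if_relevant built from them, driven by the three example cases. It models a DNS message with a small constructed dataclass instead of a real DNS library, and the check names, sample responses and the delegation rule (a referral's AUTHORITY must match) are assumptions. It also generalizes slightly: nodata is detected by following the CNAME chain from QNAME, so an empty ANSWER counts as nodata too.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Tuple

# Constructed toy model of a DNS message holding only the fields the conditions need.
RR = Tuple[str, str, str]  # (owner name, RR type, rdata), all as text


@dataclass
class Message:
    qname: str
    qtype: str
    rcode: str                 # "NOERROR", "NXDOMAIN", ...
    aa: bool = True            # Authoritative Answer header flag
    answer: List[RR] = field(default_factory=list)
    authority: List[RR] = field(default_factory=list)


def is_nxdomain(msg: Message) -> bool:
    return msg.rcode == "NXDOMAIN"


def is_delegation(msg: Message) -> bool:
    """Referral (assumed definition): NOERROR, AA clear, empty ANSWER, NS in AUTHORITY."""
    return (msg.rcode == "NOERROR" and not msg.aa and not msg.answer
            and any(t == "NS" for _, t, _ in msg.authority))


def _terminal_name(msg: Message) -> str:
    """Follow the CNAME chain in ANSWER from QNAME and return the final owner name.
    A DNAME answer also carries a synthesized CNAME, so following CNAMEs covers it."""
    name, seen = msg.qname.lower(), set()
    while name not in seen and msg.qtype != "CNAME":
        seen.add(name)
        target = next((r for n, t, r in msg.answer if n.lower() == name and t == "CNAME"), None)
        if target is None:
            break
        name = target.lower()
    return name


def is_nodata(msg: Message) -> bool:
    """NOERROR but no record for (terminal name, QTYPE) in ANSWER: an empty ANSWER or a
    CNAME/DNAME chain that never reaches QTYPE (Example 3). Delegations are excluded."""
    if msg.rcode != "NOERROR" or is_delegation(msg):
        return False
    final = _terminal_name(msg)
    return not any(n.lower() == final and t == msg.qtype for n, t, _ in msg.answer)


def _same_authority(a: Message, b: Message) -> bool:
    return sorted(a.authority) == sorted(b.authority)  # record order within a section is irrelevant


# Unconditional checks.
def same_rcode(a: Message, b: Message) -> bool:
    return a.rcode == b.rcode


def same_answer(a: Message, b: Message) -> bool:
    return sorted(a.answer) == sorted(b.answer)


# Granular conditional checks. Each applies when either message is in the given state;
# if only one of them is, same_rcode/same_answer will already report the difference.
def authority_if_nxdomain(a: Message, b: Message) -> bool:
    # Example 2: SOA (plus NSEC/NSEC3 proof for signed zones) is mandatory, so it must match.
    return _same_authority(a, b) if is_nxdomain(a) or is_nxdomain(b) else True


def authority_if_nodata(a: Message, b: Message) -> bool:
    # Example 3: the proof of nonexistence must be present for signed zones.
    return _same_authority(a, b) if is_nodata(a) or is_nodata(b) else True


def authority_if_delegation(a: Message, b: Message) -> bool:
    # Assumed rule: a referral consists of its AUTHORITY section, so it must match.
    return _same_authority(a, b) if is_delegation(a) or is_delegation(b) else True


# All-in-one check: AUTHORITY is compared only when its content is standardized, so a
# terminal NOERROR answer without delegation (Example 1) skips the comparison entirely.
def authority_if_relevant(a: Message, b: Message) -> bool:
    return all(c(a, b) for c in (authority_if_nxdomain, authority_if_nodata, authority_if_delegation))


Check = Callable[[Message, Message], bool]
GRANULAR: List[Check] = [same_rcode, same_answer, authority_if_nxdomain,
                         authority_if_nodata, authority_if_delegation]
ALL_IN_ONE: List[Check] = [same_rcode, same_answer, authority_if_relevant]


def compare(a: Message, b: Message, checks: List[Check] = GRANULAR) -> List[str]:
    """Return the names of the checks that fail; an empty list means the messages match."""
    return [c.__name__ for c in checks if not c(a, b)]


# Constructed sample responses mirroring the three examples (addresses from RFC 5737 space).
SOA = ("example.com.", "SOA", "ns1.example.com. hostmaster.example.com. 1 3600 900 1209600 300")
NS = ("example.com.", "NS", "ns1.example.com.")
A_RR = ("www.example.com.", "A", "192.0.2.1")
CNAME_RR = ("alias.example.com.", "CNAME", "gone.example.com.")

ex1_padded = Message("www.example.com.", "A", "NOERROR", answer=[A_RR], authority=[NS])  # NS stuffed in
ex1_minimal = Message("www.example.com.", "A", "NOERROR", answer=[A_RR])                # minimal response
ex2_ok = Message("nx.example.com.", "A", "NXDOMAIN", authority=[SOA])
ex2_bad = Message("nx.example.com.", "A", "NXDOMAIN")                                    # SOA missing
ex3_ok = Message("alias.example.com.", "A", "NOERROR", answer=[CNAME_RR], authority=[SOA])
ex3_bad = Message("alias.example.com.", "A", "NOERROR", answer=[CNAME_RR])               # SOA missing

if __name__ == "__main__":
    for a, b in ((ex1_padded, ex1_minimal), (ex2_ok, ex2_bad), (ex3_ok, ex3_bad)):
        print("granular:", compare(a, b), " all-in-one:", compare(a, b, ALL_IN_ONE))
```

Running the script shows Example 1 passing under both check sets even though the AUTHORITY sections differ, while Examples 2 and 3 fail on the specific granular check (or on authority_if_relevant). The granular names make the diff output more informative; the all-in-one variant keeps the check list short, which is the trade-off the open question is about.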