conditional message comparison
Some fields of DNS messages need to be compared (and match) only under certain conditions.
Open question: How to express these conditions / checks?

- add an all-in-one check authorityIfRelevant with all the logic under it
- more granular checks like authorityIfNXDOMAIN, authorityIfNODATA, etc.
- support fancy conditions like if (rcode == NXDOMAIN) {authority} etc.
Example 1
If a DNS answer is a terminal answer with RCODE = NOERROR
and no delegation, it does not make sense to insist on equality of the AUTHORITY
section, because its content is not standardized for this case. E.g. Unbound will stuff in NS records even if they are not strictly required, while BIND with minimal-responses: yes
(or version 9.12 and newer, where that became the default) will not add these NS records.
Example 2
On the other hand, if the answer has RCODE = NXDOMAIN,
then the content of the AUTHORITY
section should match, because it is mandatory to add the SOA record there (negative caching, RFC 2308), and possibly a proof of nonexistence (NSEC/NSEC3 records) if the domain is signed.
Example 3
A NODATA response, i.e. RCODE = NOERROR
accompanied by an ANSWER
section containing just CNAME/DNAME records (where the QNAME and QTYPE do not match the records in the ANSWER
section, so the chain ends without a record of the requested type), should again carry the SOA and, if the domain is signed, the proof of nonexistence in the AUTHORITY section, so the AUTHORITY section has to match in this case too.
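One way to encode the rule the three examples describe, following the all-in-one authorityIfRelevant option from the list above. This is an added example, not the project's own code: it uses a hypothetical minimal message model (RR, Msg) instead of a real DNS parser, the sample responses are constructed here rather than captured from Unbound or BIND, and it also treats referrals (NS without SOA in AUTHORITY) as a case where AUTHORITY must match, which goes slightly beyond the examples.

```python
from dataclasses import dataclass, field
from typing import List, Set, Tuple

# RCODE values from RFC 1035.
NOERROR = 0
NXDOMAIN = 3


@dataclass(frozen=True)
class RR:
    """One resource record; rdata kept as presentation text for simplicity."""
    name: str
    rtype: str
    rdata: str


@dataclass
class Msg:
    """Hypothetical minimal DNS response model (not the project's parser)."""
    qname: str
    qtype: str
    rcode: int
    answer: List[RR] = field(default_factory=list)
    authority: List[RR] = field(default_factory=list)


def _rrset_key(rrs: List[RR]) -> Set[Tuple[str, str, str]]:
    """Order-insensitive, owner-name-case-insensitive view of one section."""
    return {(rr.name.lower(), rr.rtype, rr.rdata) for rr in rrs}


def is_delegation(m: Msg) -> bool:
    """Referral: NOERROR, empty ANSWER, NS (but no SOA) in AUTHORITY."""
    types = {rr.rtype for rr in m.authority}
    return m.rcode == NOERROR and not m.answer and "NS" in types and "SOA" not in types


def _chain_target(m: Msg) -> str:
    """Follow CNAMEs in ANSWER starting at QNAME. A DNAME answer carries a
    synthesized CNAME as well, so following CNAMEs covers both. Stops on loops."""
    name = m.qname.lower()
    seen = set()
    while name not in seen:
        seen.add(name)
        cname = next((rr.rdata.lower() for rr in m.answer
                      if rr.rtype == "CNAME" and rr.name.lower() == name), None)
        if cname is None:
            break
        name = cname
    return name


def is_nodata(m: Msg) -> bool:
    """NOERROR with no record of QTYPE at QNAME or at the end of its CNAME chain
    (Example 3). Assumes a concrete QTYPE, i.e. not ANY."""
    if m.rcode != NOERROR or is_delegation(m):
        return False
    target = _chain_target(m)
    return not any(rr.name.lower() == target and rr.rtype == m.qtype for rr in m.answer)


def authority_is_relevant(m: Msg) -> bool:
    """authorityIfRelevant: AUTHORITY must match for NXDOMAIN (Example 2), NODATA
    (Example 3) and referrals, but not for a terminal NOERROR answer (Example 1)."""
    return m.rcode == NXDOMAIN or is_delegation(m) or is_nodata(m)


def messages_match(a: Msg, b: Msg) -> bool:
    """Compare two responses to the same query under the conditional rule."""
    if (a.qname.lower(), a.qtype, a.rcode) != (b.qname.lower(), b.qtype, b.rcode):
        return False
    if _rrset_key(a.answer) != _rrset_key(b.answer):
        return False
    # RCODE and ANSWER already agree, so relevance is the same for both messages.
    if authority_is_relevant(a) and _rrset_key(a.authority) != _rrset_key(b.authority):
        return False
    return True


# Constructed sample responses (not captured traffic).
SOA = RR("example.", "SOA", "ns1.example. hostmaster.example. 1 3600 900 1209600 300")
NS1 = RR("example.", "NS", "ns1.example.")
A_RR = RR("www.example.", "A", "192.0.2.1")
CNAME_RR = RR("alias.example.", "CNAME", "web.example.")

# Example 1: terminal NOERROR answer, extra NS records vs a minimal response.
FULL_ANSWER = Msg("www.example.", "A", NOERROR, answer=[A_RR], authority=[NS1])
MINIMAL_ANSWER = Msg("www.example.", "A", NOERROR, answer=[A_RR], authority=[])
# Example 2: NXDOMAIN with and without the mandatory SOA.
NXD_OK = Msg("nope.example.", "A", NXDOMAIN, authority=[SOA])
NXD_BROKEN = Msg("nope.example.", "A", NXDOMAIN, authority=[])
# Example 3: CNAME chain ending in NODATA; AUTHORITY must carry the SOA.
NODATA_OK = Msg("alias.example.", "AAAA", NOERROR, answer=[CNAME_RR], authority=[SOA])
NODATA_BROKEN = Msg("alias.example.", "AAAA", NOERROR, answer=[CNAME_RR], authority=[])


def run_examples() -> dict:
    return {
        "example1_terminal_answer": messages_match(FULL_ANSWER, MINIMAL_ANSWER),  # True
        "example2_nxdomain": messages_match(NXD_OK, NXD_BROKEN),                  # False
        "example3_nodata_cname": messages_match(NODATA_OK, NODATA_BROKEN),        # False
    }


if __name__ == "__main__":
    for case, same in run_examples().items():
        print(f"{case}: {'match' if same else 'MISMATCH'}")
```

The granular variants from the list (authorityIfNXDOMAIN, authorityIfNODATA) fall out of the same predicates: each is one disjunct of authority_is_relevant, and the "fancy condition" style is just passing such a predicate into messages_match instead of hard-coding it.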