Redistribute rules and comments to appropriate locations.
parent ba92bbb1ff
commit 0c0e920356
@ -12,6 +12,54 @@
|
|||
(import udp-operations^)
|
||||
(export network-query^)
|
||||
|
||||
;; DJB's rules for handling DNS responses. Some of these are handled
|
||||
;; here (specifically, rules 2 through 5, in the action of
|
||||
;; incorporate-dns-reply), some are handled in resolver-unit.rkt (rule
|
||||
;; 1, in the action of answer-from-zone):
|
||||
|
||||
;; <blockquote>
|
||||
;; When a cache receives a normal DNS response, it learns exactly one
|
||||
;; of the following five pieces of information:
|
||||
;;
|
||||
;; 1. ``The query was not answered because the query name is an
|
||||
;; alias. I need to change the query name and try again.'' This
|
||||
;; applies if the answer section of the response contains a CNAME
|
||||
;; record for the query name and CNAME does not match the query type.
|
||||
;;
|
||||
;; 2. ``The query name has no records answering the query, and is also
|
||||
;; guaranteed to have no records of any other type.'' This applies if
|
||||
;; the response code is NXDOMAIN and #1 doesn't apply. The amount of
|
||||
;; time that this information can be cached depends on the contents of
|
||||
;; the SOA record in the authority section of the response, if there
|
||||
;; is one.
|
||||
;;
|
||||
;; 3. ``The query name has one or more records answering the query.''
|
||||
;; This applies if the answer section of the response contains one or
|
||||
;; more records under the query name matching the query type, and #1
|
||||
;; doesn't apply, and #2 doesn't apply.
|
||||
;;
|
||||
;; 4. ``The query was not answered because the server does not have
|
||||
;; the answer. I need to contact other servers.'' This applies if the
|
||||
;; authority section of the response contains NS records, and the
|
||||
;; authority section of the response does not contain SOA records, and
|
||||
;; #1 doesn't apply, and #2 doesn't apply, and #3 doesn't apply. The
|
||||
;; ``other servers'' are named in the NS records in the authority
|
||||
;; section.
|
||||
;;
|
||||
;; 5. ``The query name has no records answering the query, but it may
|
||||
;; have records of another type.'' This applies if #1 doesn't apply,
|
||||
;; and #2 doesn't apply, and #3 doesn't apply, and #4 doesn't
|
||||
;; apply. The amount of time that this information can be cached
|
||||
;; depends on the contents of the SOA record in the authority section,
|
||||
;; if there is one.
|
||||
;;
|
||||
;; This procedure requires an incredible amount of bug-prone parsing
|
||||
;; for a very small amount of information. The underlying problem is
|
||||
;; that DNS was designed to declare information in a human-oriented
|
||||
;; format, rather than to support crucial operations in the simplest
|
||||
;; possible way.
|
||||
;; </blockquote>
|
||||
|
||||
(define first-timeout 3) ;; seconds
|
||||
|
||||
;; seconds -> Maybe<seconds>
|
||||
|
|
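Review bot: the new comment asserts that rules 2 through 5 are enforced in the action of incorporate-dns-reply and rule 1 in answer-from-zone in resolver-unit.rkt, but nothing in this hunk lets a reader check that mapping; point each numbered rule at the specific conditional in incorporate-dns-reply (or add one test per rule) so the comment cannot drift from the code. Two further points on the quoted rules as they apply here: rule 4 has the cache act on `;; ``other servers'' are named in the NS records in the authority` section of whatever response arrives, so incorporate-dns-reply should state, and check, that only records within the bailiwick of the zone being queried are incorporated, otherwise any upstream response could plant NS data for unrelated names in the resolver's state; and the block is attributed only as "DJB's rules" with no source, so add a citation to the page it was copied from. Minor: `(define first-timeout 3) ;; seconds` follows the closing `;; </blockquote>` after a single blank line and reads as if the timeout were part of the quoted rules; a separating comment would help.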
proxy.rkt (59 lines changed)
@ -23,65 +23,6 @@
|
|||
;; searches from. Performs recursive queries. Doesn't yet cache
|
||||
;; responses, but will do so in future.
|
||||
|
||||
;; Rules:
|
||||
|
||||
;; - Finds the leafmost NS record it can find in its rootset for the
|
||||
;; requested name.
|
||||
;; - Queries that service. If the answer is a referral, follows the
|
||||
;; chain. Remembers which servers it has seen before to avoid
|
||||
;; loops.
|
||||
;; - If it resolves CNAMEs on the way (should it?), remembers which
|
||||
;; names it has been resolving in response to any given query, to
|
||||
;; avoid loops. Perhaps limit the length of the chain to avoid DoS.
|
||||
;; - Only performs recursive service if so requested! (TODO)
|
||||
;; - Never put CNAME records anywhere in an answer section other than
|
||||
;; at the top (TODO; also check the server)
|
||||
;;
|
||||
;; - See RFC 1035 section 7.1.
|
||||
|
||||
;; DJB's rules for handling DNS responses:
|
||||
|
||||
;; When a cache receives a normal DNS response, it learns exactly one
|
||||
;; of the following five pieces of information:
|
||||
;;
|
||||
;; 1. ``The query was not answered because the query name is an
|
||||
;; alias. I need to change the query name and try again.'' This
|
||||
;; applies if the answer section of the response contains a CNAME
|
||||
;; record for the query name and CNAME does not match the query type.
|
||||
;;
|
||||
;; 2. ``The query name has no records answering the query, and is also
|
||||
;; guaranteed to have no records of any other type.'' This applies if
|
||||
;; the response code is NXDOMAIN and #1 doesn't apply. The amount of
|
||||
;; time that this information can be cached depends on the contents of
|
||||
;; the SOA record in the authority section of the response, if there
|
||||
;; is one.
|
||||
;;
|
||||
;; 3. ``The query name has one or more records answering the query.''
|
||||
;; This applies if the answer section of the response contains one or
|
||||
;; more records under the query name matching the query type, and #1
|
||||
;; doesn't apply, and #2 doesn't apply.
|
||||
;;
|
||||
;; 4. ``The query was not answered because the server does not have
|
||||
;; the answer. I need to contact other servers.'' This applies if the
|
||||
;; authority section of the response contains NS records, and the
|
||||
;; authority section of the response does not contain SOA records, and
|
||||
;; #1 doesn't apply, and #2 doesn't apply, and #3 doesn't apply. The
|
||||
;; ``other servers'' are named in the NS records in the authority
|
||||
;; section.
|
||||
;;
|
||||
;; 5. ``The query name has no records answering the query, but it may
|
||||
;; have records of another type.'' This applies if #1 doesn't apply,
|
||||
;; and #2 doesn't apply, and #3 doesn't apply, and #4 doesn't
|
||||
;; apply. The amount of time that this information can be cached
|
||||
;; depends on the contents of the SOA record in the authority section,
|
||||
;; if there is one.
|
||||
;;
|
||||
;; This procedure requires an incredible amount of bug-prone parsing
|
||||
;; for a very small amount of information. The underlying problem is
|
||||
;; that DNS was designed to declare information in a human-oriented
|
||||
;; format, rather than to support crucial operations in the simplest
|
||||
;; possible way.
|
||||
|
||||
;; An Address can be an (address String Uint16) or #f, where an
|
||||
;; address struct represents nonlocal UDP sockets, and #f represents
|
||||
;; the local socket. This way, we don't need to know the IP or port of
|
||||
|
|
|
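Review bot: one item in the deleted proxy.rkt rule list has no counterpart in the comments that survive this commit: `;; - Never put CNAME records anywhere in an answer section other than` / `;; at the top (TODO; also check the server)`. If the CNAME-placement check and the server-side validation it mentions are still intended, carry that TODO to wherever the answer section is now assembled rather than dropping it silently; if it has been abandoned, say so in the commit message. Also, the remaining context line `;; responses, but will do so in future.` still says proxy.rkt does not cache, which is worth re-checking now that the resolver rules describe augmenting a DB with received answers; the two comments should agree on where caching lives.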
@ -13,6 +13,34 @@
|
|||
(import network-query^)
|
||||
(export resolver^)
|
||||
|
||||
;; Rules:
|
||||
;;
|
||||
;; - If the DB already has an answer, return it.
|
||||
;;
|
||||
;; - Otherwise, find the leafmost NS record in the DB for the
|
||||
;; requested name.
|
||||
;;
|
||||
;; - Query that service. Augment the DB with the answers received, if
|
||||
;; any. Loop back to the beginning, remembering that we've tried
|
||||
;; the specific service we just interacted with so we don't try it
|
||||
;; again.
|
||||
;;
|
||||
;; - Eventually, the DB will have either been augmented with an
|
||||
;; answer, or we will have run out of untried nameservers to ask.
|
||||
;;
|
||||
;; - Authoritative NXDOMAINs ('name-error) mean we get to stop
|
||||
;; looking.
|
||||
;;
|
||||
;; - Resolve CNAMEs on the way. Remember which names we've been
|
||||
;; resolving in response to any given query, to avoid
|
||||
;; loops. Perhaps limit the length of the chain to avoid
|
||||
;; DoS. (TODO)
|
||||
;;
|
||||
;; - Only performs recursive service if so requested.
|
||||
;;
|
||||
;; - See RFC 1035 section 7.1.
|
||||
|
||||
;; Question CompiledZone -> Boolean
|
||||
(define (answer-available? q zone)
|
||||
(hash-has-key? zone (question-name q)))
|
||||
|
||||
|
|