From 0c0e9203563e3483765311194dddb8cb415d29f6 Mon Sep 17 00:00:00 2001 From: Tony Garnock-Jones Date: Fri, 30 Dec 2011 14:50:10 -0500 Subject: [PATCH] Redistribute rules and comments to appropriate locations. --- network-query-unit.rkt | 48 ++++++++++++++++++++++++++++++++++ proxy.rkt | 59 ------------------------------------------ resolver-unit.rkt | 28 ++++++++++++++++++++ 3 files changed, 76 insertions(+), 59 deletions(-) diff --git a/network-query-unit.rkt b/network-query-unit.rkt index 656e5e3..503b964 100644 --- a/network-query-unit.rkt +++ b/network-query-unit.rkt @@ -12,6 +12,54 @@ (import udp-operations^) (export network-query^) +;; DJB's rules for handling DNS responses. Some of these are handled +;; here (specifically, rules 2 through 5, in the action of +;; incorporate-dns-reply), some are handled in resolver-unit.rkt (rule +;; 1, in the action of answer-from-zone): + +;;
+;; When a cache receives a normal DNS response, it learns exactly one
+;; of the following five pieces of information:
+;;
+;; 1. ``The query was not answered because the query name is an
+;; alias. I need to change the query name and try again.'' This
+;; applies if the answer section of the response contains a CNAME
+;; record for the query name and CNAME does not match the query type.
+;;
+;; 2. ``The query name has no records answering the query, and is also
+;; guaranteed to have no records of any other type.'' This applies if
+;; the response code is NXDOMAIN and #1 doesn't apply. The amount of
+;; time that this information can be cached depends on the contents of
+;; the SOA record in the authority section of the response, if there
+;; is one.
+;;
+;; 3. ``The query name has one or more records answering the query.''
+;; This applies if the answer section of the response contains one or
+;; more records under the query name matching the query type, and #1
+;; doesn't apply, and #2 doesn't apply.
+;;
+;; 4. ``The query was not answered because the server does not have
+;; the answer. I need to contact other servers.'' This applies if the
+;; authority section of the response contains NS records, and the
+;; authority section of the response does not contain SOA records, and
+;; #1 doesn't apply, and #2 doesn't apply, and #3 doesn't apply. The
+;; ``other servers'' are named in the NS records in the authority
+;; section.
+;;
+;; 5. ``The query name has no records answering the query, but it may
+;; have records of another type.'' This applies if #1 doesn't apply,
+;; and #2 doesn't apply, and #3 doesn't apply, and #4 doesn't
+;; apply. The amount of time that this information can be cached
+;; depends on the contents of the SOA record in the authority section,
+;; if there is one.
+;;
+;; This procedure requires an incredible amount of bug-prone parsing
+;; for a very small amount of information. The underlying problem is
+;; that DNS was designed to declare information in a human-oriented
+;; format, rather than to support crucial operations in the simplest
+;; possible way.
+;;
+ (define first-timeout 3) ;; seconds ;; seconds -> Maybe diff --git a/proxy.rkt b/proxy.rkt index 197aede..1903fe9 100644 --- a/proxy.rkt +++ b/proxy.rkt 
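Review bot: The new header in network-query-unit.rkt says rule 4 (a referral: go ask the servers named by the NS records in the authority section) is acted on in incorporate-dns-reply, but neither the added text nor the DJB rules it quotes says whether those NS names, and any glue that comes with them, are checked to lie within the bailiwick of the zone the queried server was asked about before they are trusted and cached; without that check a reply about one name can install nameserver data for unrelated names, which is the classic cache-poisoning route. I would add one sentence after the rule-4 paragraph, e.g. `;; Note: NS/glue data from the authority and additional sections is only trusted for names inside the bailiwick of the server that was queried (see incorporate-dns-reply).`, or, if no such check exists yet, a TODO stating that it is missing so the caveat is not lost now that the rules live next to the code that applies them. incorporate-dns-reply itself is outside this hunk, so I cannot confirm from the diff which of the two applies.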
@@ -23,65 +23,6 @@ ;; searches from. Performs recursive queries. Doesn't yet cache ;; responses, but will do so in future. -;; Rules: - -;; - Finds the leafmost NS record it can find in its rootset for the -;; requested name. -;; - Queries that service. If the answer is a referral, follows the -;; chain. Remembers which servers it has seen before to avoid -;; loops. -;; - If it resolves CNAMEs on the way (should it?), remembers which -;; names it has been resolving in response to any given query, to -;; avoid loops. Perhaps limit the length of the chain to avoid DoS. -;; - Only performs recursive service if so requested! (TODO) -;; - Never put CNAME records anywhere in an answer section other than -;; at the top (TODO; also check the server) -;; -;; - See RFC 1035 section 7.1. - -;; DJB's rules for handling DNS responses: - -;; When a cache receives a normal DNS response, it learns exactly one -;; of the following five pieces of information: -;; -;; 1. ``The query was not answered because the query name is an -;; alias. I need to change the query name and try again.'' This -;; applies if the answer section of the response contains a CNAME -;; record for the query name and CNAME does not match the query type. -;; -;; 2. ``The query name has no records answering the query, and is also -;; guaranteed to have no records of any other type.'' This applies if -;; the response code is NXDOMAIN and #1 doesn't apply. The amount of -;; time that this information can be cached depends on the contents of -;; the SOA record in the authority section of the response, if there -;; is one. -;; -;; 3. ``The query name has one or more records answering the query.'' -;; This applies if the answer section of the response contains one or -;; more records under the query name matching the query type, and #1 -;; doesn't apply, and #2 doesn't apply. -;; -;; 4. ``The query was not answered because the server does not have -;; the answer. 
I need to contact other servers.'' This applies if the -;; authority section of the response contains NS records, and the -;; authority section of the response does not contain SOA records, and -;; #1 doesn't apply, and #2 doesn't apply, and #3 doesn't apply. The -;; ``other servers'' are named in the NS records in the authority -;; section. -;; -;; 5. ``The query name has no records answering the query, but it may -;; have records of another type.'' This applies if #1 doesn't apply, -;; and #2 doesn't apply, and #3 doesn't apply, and #4 doesn't -;; apply. The amount of time that this information can be cached -;; depends on the contents of the SOA record in the authority section, -;; if there is one. -;; -;; This procedure requires an incredible amount of bug-prone parsing -;; for a very small amount of information. The underlying problem is -;; that DNS was designed to declare information in a human-oriented -;; format, rather than to support crucial operations in the simplest -;; possible way. - ;; An Address can be an (address String Uint16) or #f, where an ;; address struct represents nonlocal UDP sockets, and #f represents ;; the local socket. This way, we don't need to know the IP or port of diff --git a/resolver-unit.rkt b/resolver-unit.rkt index ddd42c2..d8eb619 100644 --- a/resolver-unit.rkt +++ b/resolver-unit.rkt 
@@ -13,6 +13,34 @@ (import network-query^) (export resolver^) +;; Rules: +;; +;; - If the DB already has an answer, return it. +;; +;; - Otherwise, find the leafmost NS record in the DB for the +;; requested name. +;; +;; - Query that service. Augment the DB with the answers received, if +;; any. Loop back to the beginning, remembering that we've tried +;; the specific service we just interacted with so we don't try it +;; again. +;; +;; - Eventually, the DB will have either been augmented with an +;; answer, or we will have run out of untried nameservers to ask. +;; +;; - Authoritative NXDOMAINs ('name-error) mean we get to stop +;; looking. +;; +;; - Resolve CNAMEs on the way. Remember which names we've been +;; resolving in response to any given query, to avoid +;; loops. Perhaps limit the length of the chain to avoid +;; DoS. (TODO) +;; +;; - Only performs recursive service if so requested. +;; +;; - See RFC 1035 section 7.1. + +;; Question CompiledZone -> Boolean (define (answer-available? q zone) (hash-has-key? zone (question-name q)))