Thanks to visit codestin.com
Credit goes to github.com

Skip to content

rec: allow negation in outgoing.edns_subnet_allow_list #15811

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

rec: allow negation in outgoing.edns_subnet_allow_list #15811

wants to merge 1 commit into from

Conversation

@bjacquin
Copy link
Contributor

@bjacquin bjacquin commented Jul 9, 2025

Casting input part to Netmask does not allow to insert negation in s_ednsremotesubnets list as ComboAddress would not allow, however if we directly use addMask from NetmaskGroup negation are handled properly. In case the input is not a valid netmask, catch() will still add the string as a domain.

Note that this does not allow names to be negated.

Short description

Checklist

I have:

  • read the CONTRIBUTING.md document
  • compiled this code
  • tested this code
  • included documentation (including possible behaviour changes)
  • documented the code
  • added or modified regression test(s)
  • added or modified unit test(s)
  • checked that this code was merged to master

@bjacquin
rec: allow negation in outgoing.edns_subnet_allow_list
8ad6600 
Casting input part to Netmask does not allow to insert negation in
s_ednsremotesubnets list as ComboAddress would not allow, however if we
directly use addMask from NetmaskGroup negation are handled properly. In
case the input is not a valid netmask, catch() will still add the string
as a domain.
@coveralls
Copy link

Pull Request Test Coverage Report for Build 16174256413

Details

  • 1 of 1 (100.0%) changed or added relevant line in 1 file are covered.
  • 77 unchanged lines in 8 files lost coverage.
  • Overall coverage decreased (-0.03%) to 65.594%
Files with Coverage Reduction New Missed Lines %
pdns/recursordist/sortlist.cc 2 72.94%
pdns/rcpgenerator.cc 3 90.87%
pdns/recursordist/test-syncres_cc2.cc 3 88.85%
pdns/recursordist/test-syncres_cc1.cc 6 89.75%
pdns/recursordist/syncres.cc 9 80.16%
pdns/recursordist/taskqueue.cc 9 35.9%
pdns/dnsdistdist/dnsdist-tcp.cc 11 77.14%
pdns/recursordist/rec-taskqueue.cc 34 40.14%
Totals Coverage Status
Change from base Build 16167600148: -0.03%
Covered Lines: 126952
Relevant Lines: 164879
💛 - Coveralls

@omoerbeek omoerbeek added the rec label Jul 10, 2025
@omoerbeek
Copy link
Member

omoerbeek commented Jul 10, 2025
edited
Loading

I am not a big fan of this. IMO ECS is troublesome for various reasons: it kills cache performance, adds a layer of complexity in the Recursor, many auths do not handle it properly and it has privacy issues as well. ECS should not be used unless you have very good reasons to use it.

If you want to use ECS, targets should be added to the outgoing ECS list based on observed proper and desired ECS behavior in the answers. Adding negation suggests it is a good thing to use it for big subnets and only disallow outgoing ECS for a few targets.

@miodvallat
Copy link
Contributor

(approving on technical grounds, not wanting to overcome @omoerbeek's comments)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@miodvallat miodvallat miodvallat approved these changes

Assignees

No one assigned

Labels

rec

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@bjacquin @coveralls @omoerbeek @miodvallat