Add support for CAA resource record type #158
Conversation
more than 1 RR, just adjust the TTL of all the RRs in the RRset.
msimerson
left a comment
I am happy to see this PR. :-)
| my @match_one = ("mailto:", "http:", "https:"); | ||
| my $match = 0; | ||
| foreach (@match_one) { | ||
| if ($value =~ /$_/i) { |
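Review bot: in `if ($value =~ /$_/i)` the scheme string is interpolated as a regular expression and is not anchored, so `mailto:` matches anywhere in the value (e.g. `xyz mailto:`). Anchor it and quote the literal, `if ($value =~ /^\Q$_\E/i)`, so that only a value starting with one of the listed schemes passes and a future scheme containing regex metacharacters cannot broaden the match.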
It's a good habit to anchor regexes when possible. Adding a ^ to anchor to the string start would do.
| if ($value =~ /$_/i) { | ||
| $match = 1; | ||
| } | ||
| } |
It looks like this entire foreach clause could be replaced with an anchored grep for invalid syntax:
if (!grep { $value =~ /^$_/i } @match_one) {   # true when no accepted scheme starts the value
Although, I'd also change the name of @match_one to @valid_iodef_schemes, or something like that.
server/t/12_records.t
| { name => 'www', address => '2607:f729:0000:0000:0000:0000:0000:0001', type => 'AAAA', }, | ||
| { name => 'test.com.', weight => '0', priority => "issue", address => "ca.example.com", type => 'CAA', ttl=>3600 }, | ||
| { name => 'test.com.', weight => '128', priority => "iodef", address => "mailto:security@test.com", type => 'CAA', ttl=>3600 }, | ||
| { name => 'test.com.', weight => '0', priority => "iodef", address => "https://ca-report.test.com/", ttl=>3600 }, |
missing type on this one is causing one of your test failures.
There!

Fixes #156

Looks great! Have you tested the client portions in the client UI with a browser to assure they do what you expect? If so, this looks ready to merge.

Nope, my colleague is working on setting up a local test rig, and I'll point him to this change set so that it can be properly tested. So, if you will, you can hold off till that's done as well.
TODO
It's getting there, but I could not get any of the checks in _valid_caa() to fire (and give visible feedback in the web UI) when I edit or create RRs through the web UI that would violate the checks in that function in NicToolServer/Zone/Record/Sanity.pm. Any hints?

My first guess: you didn't 'make install && apachectl restart', to get your modified version installed and running.

Your hunch was correct, there was an inconsistency between what had been installed and what the source tree contained. That's now fixed, and the checks in Record/Sanity.pm fire correctly and give feedback via the GUI when you violate the rules encoded there. I've also made a small adjustment to the tinydns export code, so that what's exported better matches what's in the RFC. However, I've not tried to feed the generated data to tinydns itself. The example Any chance you could test that tinydns "eats" this correctly?
tinydns-data compiles the records all right, and tinydns serves them (in some fashion), but something isn't right:

$ dig +short foo @66.128.51.172 CAA
$ dig +short ca.foo @66.128.51.172 CAA
$ dig +short catest.foo @66.128.51.172 CAA
$ dig +short ca.foo @66.128.51.172
$ dig +short caatest.foo @66.128.51.172

Likely because my version of dig (9.8.3) is too old to support CAA records (yup, CAA support added in 9.9.6). Again with more modern tools:

$ drill foo @66.128.51.172 CAA
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 6546
;; flags: qr aa rd ; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 0
;; QUESTION SECTION:
;; foo. IN CAA
;; ANSWER SECTION:
foo. 86400 IN CAA 0 issue "some-example-ca-issuer.com"

That's more like it. :-)
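The two points discussed in this thread, the anchored iodef scheme check and the tinydns export of a CAA record, worked through as an added stand-alone Perl example (not the PR's or NicTool's own code). It assumes the hash keys used in the PR's test file (weight => flags, priority => tag, address => value) and tinydns's generic record syntax `:fqdn:257:rdata:ttl` with `\ooo` octal escapes; `valid_caa` and `tinydns_caa_line` are hypothetical names, and the sample records are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Accepted iodef URL schemes. The match below is anchored with ^ (and the
# scheme quoted with \Q...\E), so a scheme must start the value rather
# than merely appear somewhere inside it.
my @valid_iodef_schemes = ('mailto:', 'http:', 'https:');

# Returns an error string for a CAA record, or undef if it is sane.
# Records use the hash keys from the PR's test file: weight => flags,
# priority => tag, address => value, plus ttl.
sub valid_caa {
    my ($rr) = @_;
    my ($flags, $tag, $value) = @{$rr}{qw(weight priority address)};
    return 'flags must be 0 or 128'
        unless defined $flags && $flags =~ /^(?:0|128)$/;
    return 'tag must be issue, issuewild or iodef'
        unless defined $tag && $tag =~ /^(?:issue|issuewild|iodef)$/;
    return 'value is required' unless defined $value && length $value;
    if ($tag eq 'iodef' && !grep { $value =~ /^\Q$_\E/i } @valid_iodef_schemes) {
        return 'iodef value must begin with mailto:, http: or https:';
    }
    return undef;
}

# tinydns generic record ":fqdn:257:rdata:ttl" (257 is the CAA type code).
# rdata is the RFC 6844 wire form: flags (1 byte), tag length (1 byte),
# tag, value; bytes outside [A-Za-z0-9.-] are written as \ooo octal escapes.
sub tinydns_caa_line {
    my ($fqdn, $rr) = @_;
    my $rdata = pack 'C C a* a*', $rr->{weight}, length($rr->{priority}),
                                  $rr->{priority}, $rr->{address};
    $rdata =~ s/([^A-Za-z0-9.-])/sprintf('\\%03o', ord $1)/ge;
    return sprintf ':%s:257:%s:%d', $fqdn, $rdata, $rr->{ttl};
}

# Constructed sample records; the last one would pass an unanchored check.
my @records = (
    { weight => 0,   priority => 'issue', address => 'some-example-ca-issuer.com', ttl => 86400 },
    { weight => 128, priority => 'iodef', address => 'mailto:security@test.com',   ttl => 3600 },
    { weight => 0,   priority => 'iodef', address => 'see mailto:x@test.com',      ttl => 3600 },
);
for my $rr (@records) {
    my $err = valid_caa($rr);
    print defined $err ? "REJECT: $err\n" : tinydns_caa_line('foo', $rr) . "\n";
}
```

The first record produces `:foo:257:\000\005issuesome-example-ca-issuer.com:86400`, which is the data line behind the `foo. 86400 IN CAA 0 issue "some-example-ca-issuer.com"` answer shown above; the third record is rejected because `mailto:` is not at the start of the value.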
Changes proposed in this pull request:
Tests will be added in a later commit, so hold off with merging of
this branch for now.
I'll note that the tinydns export of the CAA record is .. sketchy, and
needs further testing.