From: Deven P. <de...@dn...> - 2011-03-24 19:55:34
Looks like I may have found another bug in the EDNS0 handling. The payload size for the OPTRecord is not in network byte order. From what I can see it calls super() from within the OPTRecord constructor and that in turn assigns the payload size to the DClass field of Record. That whole thing makes no sense to me. Any suggestions?

Thanks,

Deven

On 03/24/2011 09:57 AM, Deven Phillips wrote:
> Nevermind, I found it again.
>
> Deven
>
> On 03/24/2011 09:54 AM, Deven Phillips wrote:
>> Brian,
>>
>> I had to leave this code for a few days to take care of other
>> things and now I cannot find where that checkU8() call was. Could you
>> give me a clue?
>>
>> Thanks,
>>
>> Deven
>>
>> On 03/22/2011 01:29 PM, Brian Wellington wrote:
>>> On Mar 22, 2011, at 10:11 AM, Deven Phillips wrote:
>>>
>>>> I have been tracing through the code and the whole thing falls apart
>>>> with the TSIG verification. Because I am not trying to sign my
>>>> requests/responses the TSIG is null and returns Rcode.FORMERR. Is
>>>> there a simple way to get around this?
>>>>
>>>>
>>>> On 03/22/2011 09:58 AM, Deven Phillips wrote:
>>>>> Hello All,
>>>>>
>>>>> New to the list and this may have been answered previously, but I
>>>>> didn't find it searching the archives.
>>>>>
>>>>> Our company is implementing
>>>>> http://tools.ietf.org/html/draft-vandergaast-edns-client-ip-01
>>>>>
>>>>> I am trying to add functionality to one of our Java debugging
>>>>> tools to test this functionality, so I have set up a SimpleResolver
>>>>> and used the setEDNS() method. When I create the Option instance
>>>>> for the OPTRecord, I do it as follows:
>>>>>
>>>>> InetAddress address = null ;
>>>>> try {
>>>>>     address = InetAddress.getByName(sourceField.getText()) ;
>>>>>     int sourceMask = 32 ;
>>>>>     int scopeMask = 0 ;
>>>>>     byte[] family = new byte[2] ;
>>>>>     family[0] = 0x0 ;
>>>>>     family[1] = 0x1 ;
>>>>>     if (Inet4Address.class.isInstance(address)) {
>>>>>         family[1] = 0x1 ;
>>>>>     } else {
>>>>>         family[1] = 0x2 ;
>>>>>     }
>>>>>     ByteArrayOutputStream baos = new ByteArrayOutputStream() ;
>>>>>     baos.write(family) ;
>>>>>     baos.write(sourceMask) ;
>>>>>     baos.write(scopeMask) ;
>>>>>     baos.write(address.getAddress()) ;
>>>>>     System.out.println(new String(baos.toByteArray())) ;
>>>>>     Option clientSubnet = new Option(0x50fa, baos.toByteArray()) ;
>>>>>     ArrayList<Option> options = new ArrayList<Option>() ;
>>>>>     options.add(clientSubnet) ;
>>>>>     resolver.setEDNS(0, baos.size(), 0, options);
>>>>> } catch (UnknownHostException uhe) {
>>>>>     System.out.println("Source address is set, but is not a valid hostname/IP.") ;
>>>>> }
>>>>>
>>>>> The problem is that when I attempt to perform the lookup, I get an
>>>>> error:
>>>>>
>>>>> FORMERR
>>>>>
>>>>> As far as I can tell, the byte[] format is identical to the format
>>>>> specified in the RFC (not that DNSJava is checking) and certainly
>>>>> complies with the OPTRecord requirements. Any suggestions?
>>>>>
>>>>> Worst case scenario, I could just manually send my own message, but I
>>>>> hate to re-invent the wheel.
>>> There does appear to be a problem, but I have no idea what you're
>>> seeing. In attempting to run code using this code, I did find a
>>> problem that the code constructing EDNS options (incorrectly)
>>> expects the option code to be an 8-bit value, not a 16-bit value.
>>> Thus, attempting to run your code failed with:
>>>
>>> Exception in thread "main" java.lang.IllegalArgumentException:
>>> "option code" 20730 must be an unsigned 8 bit value
>>>
>>> After fixing that, I was able to send a query with the option, and
>>> get back a response with the option. No idea if the value is
>>> correct, but nothing returned FORMERR.
>>>
>>> Unless you also fixed the size issue, there's no way that your code
>>> should have been able to construct the option at all, let alone send
>>> a packet containing it. I also don't understand why you're talking
>>> about TSIG; the first thing the TSIG verification code does is check
>>> to see whether there should be a TSIG at all, and if not, return
>>> success immediately.
>>>
>>> Brian
>>>
>>
>
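
The wire layout the thread is debugging, as an added example that is not part of any message above and is not dnsjava code: it builds the OPT record by hand with the JDK only, so the 16-bit option code and the big-endian payload size in the CLASS field (RFC 2671 layout) are visible byte by byte. The class name, `checkU16`, the 4096 payload size and the 192.0.2.1 address are assumptions made for illustration; the option code and field order are the ones used in the thread's code.

```java
import java.net.InetAddress;
import java.nio.ByteBuffer;

public class EdnsClientSubnetWire {
    static final int OPT_TYPE = 41;           // OPT pseudo-RR type (RFC 2671)
    static final int CLIENT_SUBNET = 0x50fa;  // experimental option code used in the thread

    // Hypothetical range check for a 16-bit field; an 8-bit check would reject 0x50fa (20730).
    static int checkU16(String field, int v) {
        if (v < 0 || v > 0xFFFF)
            throw new IllegalArgumentException("\"" + field + "\" " + v + " must be an unsigned 16 bit value");
        return v;
    }

    // Option data in the order the thread's code writes it:
    // FAMILY (2 octets), SOURCE NETMASK (1), SCOPE NETMASK (1), ADDRESS.
    static byte[] clientSubnetData(InetAddress addr, int sourceMask, int scopeMask) {
        byte[] raw = addr.getAddress();
        ByteBuffer b = ByteBuffer.allocate(4 + raw.length); // ByteBuffer is big-endian by default
        b.putShort((short) (raw.length == 4 ? 1 : 2));      // 1 = IPv4, 2 = IPv6
        b.put((byte) sourceMask).put((byte) scopeMask).put(raw);
        return b.array();
    }

    // Full OPT RR: root name, TYPE, CLASS = UDP payload size, TTL = ext-rcode/version/flags,
    // RDLENGTH, then one {OPTION-CODE, OPTION-LENGTH, OPTION-DATA} triple.
    static byte[] optRecord(int payloadSize, int code, byte[] data) {
        ByteBuffer b = ByteBuffer.allocate(11 + 4 + data.length);
        b.put((byte) 0);                                    // owner name: root
        b.putShort((short) OPT_TYPE);
        b.putShort((short) checkU16("payload size", payloadSize));
        b.putInt(0);                                        // extended RCODE 0, version 0, flags 0
        b.putShort((short) checkU16("rdlength", 4 + data.length));
        b.putShort((short) checkU16("option code", code));
        b.putShort((short) data.length);                    // OPTION-LENGTH, bounded by the rdlength check
        b.put(data);
        return b.array();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: documentation address 192.0.2.1, /32 source, /0 scope.
        byte[] data = clientSubnetData(InetAddress.getByName("192.0.2.1"), 32, 0);
        byte[] rr = optRecord(4096, CLIENT_SUBNET, data);
        StringBuilder hex = new StringBuilder();
        for (byte x : rr) hex.append(String.format("%02x ", x & 0xff));
        System.out.println(hex.toString().trim());
    }
}
```

Comparing the printed hex against a packet capture of the resolver's query shows at a glance whether the CLASS field and the option code went out in network byte order.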