Skip to content

Implement DNS HTTPS RR (RFC 9460) #2484

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 15 commits into from
Closed

Implement DNS HTTPS RR (RFC 9460) #2484

wants to merge 15 commits into from

Conversation

drwetter
Copy link
Collaborator

@drwetter drwetter commented Mar 30, 2024
edited
Loading

What is your change about?

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Typo fix
  • Documentation update
  • Update of other files

If it's a code change please check the boxes which are applicable:

  • For the main program: My edits contain no tabs and the indentation is five spaces
  • I've read CONTRIBUTING.md and Coding_Convention.md
  • I have tested this fix against >=2 hosts and I couldn't spot a problem
  • [TODO] I have tested this new feature against >=2 hosts which show this feature and >=2 host which does not (in order to avoid side effects) . I couldn't spot a problem
  • [TODO] For the new feature I have made corresponding changes to the documentation and / or to help()
  • [TODO] If it's a bigger change: I added myself to CREDITS.md (alphabetical order) and the change to CHANGELOG.md

Open: when ASSUME_HTTP is set and no services was detected, this needs to be handled

drwetter added 2 commits March 27, 2024 17:30
@drwetter
Start working on DNS HTTPS RR (RFC 9460)
c93f06c 
- Initial commit, saving work
- Simple test: just copied get_caa_rrecord

Also renamed Just copied get_caa_rr_record to get_caa_rrecord to remove the
redundant r
@drwetter
First proper output for HTTPS RR
e6bdcee 
- moved function + output to the very top (still not the right place)
- raw_https now should contain the output in any case, binhex parse needs to be completed
- fixed bug that CAA records were queried when it was instructed to minimize/skip or use proxy only
@drwetter drwetter self-assigned this Mar 30, 2024
@drwetter drwetter marked this pull request as draft March 30, 2024 16:24
@drwetter drwetter mentioned this pull request Mar 30, 2024
Open
@drwetter drwetter changed the title Implement DNS HTTPS RR *(RFC 9460) Implement DNS HTTPS RR (RFC 9460) Sep 5, 2024
@drwetter
Intro section improvements, placement of DNS RR output
e26e665 
- intro section has now bold keys and plain values
- DNS RR is now below rDNS, if servive is HTTP

Open: when ASSUME_HTTP is set and no services was detected, this needs to be handled
@drwetter
Copy link
Collaborator Author

drwetter commented Sep 5, 2024

status

image

@drwetter
Copy link
Collaborator Author

drwetter commented Sep 7, 2024
edited
Loading

Note to self

  • Move the line to protocols but cache the entry so that for multiple IPs we don't query DNS again
  • fix testssl.sh template so that CI run passes (need to be changed again when we moved the output down)
  • address #fixme around line 2471. ( jsonID="service"\n case $SERVICE in
  • sometime the record is like \# 10 00010000010003026832 (dig @ Darwin) --> raw conversion see CAA records

@drwetter drwetter added the 3.3dev next dev label Jan 27, 2025
@drwetter
update to raw_https
08accf9 
But there's lot of work to do --> push to later
drwetter added a commit that referenced this pull request Jul 3, 2025
@drwetter
First try for QUIC (OpenSSL only)
49dcd5b 
This is an implementation for QUIC (RFC 9000, RFC 9114). It's purely
OpenSSL based for now. As some distros support newer (>= 3.2) versions
this works on some distros now and will work on more as time goes by.

It has been tested with MacOS and Linux. If there's an OpenSSL version
in /usr/bin/ it will automagically use that version.

A new short sub function named sub_quic() was introduced for handling this as
run_protocols() is already "full".

It appears below TLS 1.3. A check against HTTPS RR #2484 is planned but
not implemented yet. PR #2484 has to be worked on and merged before.

New variables were introduces (HAS_QUIC/ +HAS2_QUIC). Also there's
QUIC_WAIT as we run the connect in the background and we need a wait time.

HAS_UDS2 was renamed to HAS2_UDS as HAS2 should signal this is for OPENSSL2
and UDS2 doesn't make sense.

To clarify:
- check for a proxy and then don't do the check?
- short unit test (t/31_isJSON_valid.t cjecks cloudflare but ...)
@drwetter drwetter mentioned this pull request Jul 3, 2025
Merged
13 tasks
drwetter added 3 commits July 14, 2025 13:06
@drwetter
save work for HTTPS RR
593247b 
(this needs to be re-done)...

- add *_HTTPS globals to ensure we can make use of newer DNS binaries
- set them appropriately in check_resolver_bins()
- parser for those scenarios in get_https_rrecord() (to be tested)
- start working on the binary format ~ RFC 3597 as fallback
- lots of temporary comments to make it better understandable

Worked so far for testssl.net, dev.testssl.sh
@drwetter
Fix spelling
d17c17b
@drwetter
... now really ;-)
93458bb
drwetter added a commit that referenced this pull request Jul 29, 2025
@drwetter
Start working on DNS HTTPS RR (RFC 9460) for 3.3dev
dd24095 
This is a fresh start for #2484 as the PR wasn't ready yet for 3.2
by the time it was released.

The info for the HTTPS RR shows up in the very beginning, i.e. in the
service_detection(). All keys are listed now in bold, values in
a regular font.

`get_https_rrecord()` was introduced by copying and modifying `get_caa_rr_record()`.

There's a similar obstacle as with CAA RRs: older binaries show the
resource records binary encoded. Thus a new set of global vars is introduced
HAS_*_HTTPS which check whether the binaries support decoding the RR
directly.

For CAA there was a minor bug fixed when records were queried also when it was
instructed to minimize/skip or use proxy only.

Todo:
- Add logic in QUIC
  - if RR is detected and not QUIC is possible
  - add time for QUIC detection when RR is retrieved
- show full HTTPS RR record, at least when having a new DNS client
- shorten the comments in `get_https_rrecord()`
- Man page
- when ASSUME_HTTP is set and no services was detected: this needs to be handled
@drwetter drwetter mentioned this pull request Jul 29, 2025
Open
12 tasks
@drwetter
Copy link
Collaborator Author

Closing in favor of #2866

@drwetter drwetter closed this Jul 29, 2025
@drwetter drwetter deleted the https_rr branch July 29, 2025 12:08
@drwetter drwetter removed the 3.3dev next dev label Jul 29, 2025
@drwetter drwetter added the 3.2 stable label Jul 29, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@drwetter drwetter

Labels
3.2 stable
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@drwetter