[WIP] Fix #1378 - Switch to stub resolver, remove pyunbound #1578

mxsasha · 2024-12-03T11:05:06Z

Fun discoveries so far:

IPv6 NS connectivity check just checks if port 53 TCP is open. Not whether it's DNS, that's only checked when we fall back to UDP.
Precheck for mail says in the UI it looks for SOA, but it actually checks if any record exists at the label. It queries for SOA, but accepts NOANSWER.
It looks like we check MX dnssec by asking for the SOA? We don't check if the actual MX record is secure?
The DNSSEC test says: "If a domain redirects to another domain via CNAME, then we also check if the CNAME domain is signed (which is conformant with the DNSSEC standard). If the CNAME domain is not signed, the result of this subtest will be negative.". I have been unable to locate any code that does this. No guarantees, it is possible I overlooked it.

mxsasha added 3 commits December 3, 2024 20:20

switch most of rpki, mail, http_client to initial stub resolver wrapper

ffb4e46

finish mail migration

4e5a8e4

reuse resolver instance

f32fb88

mxsasha force-pushed the stub-resolver branch from 164f3b7 to f32fb88 Compare December 3, 2024 19:20

mxsasha added 25 commits December 3, 2024 19:25

lint

b05129b

fix argument mismatch

c56f747

try CI with permissive resolver

d4fa825

fixes

3579607

fix?

3d6b47e

mail fixes

2cd1972

lint

75b0b81

many things

0731f9e

f

6a60166

f

c396669

f

767fcb7

f

49b326e

f

0d9f0a5

f

8962011

f

a2dbfc0

lint

306ef8e

f

f5d3b5d

f

4e186cd

f

b791787

f

db1f140

m

b99d600

d

179bf51

NS

8ae0719

Remove SetupUnboundContext and superflous classes

ebf0382

Fix some leftovers for NS in ipv6.py

32cf698

Provide feedback