fix: populate ldns submodule and add autotools to LDNS build stage
- Re-cloned zonemaster-ldns with --recurse-submodules so the bundled ldns C library source (including Changelog and configure.ac) is present - Added autoconf, automake, libtool to Dockerfile.backend ldns-build stage so libtoolize + autoreconf can generate ldns/configure during make Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
128
zonemaster-ldns/ldns/lua/rns-specs
Normal file
128
zonemaster-ldns/ldns/lua/rns-specs
Normal file
@@ -0,0 +1,128 @@
|
||||
* Classes of Manglement
|
||||
|
||||
from higher to lower level:
|
||||
- deliberately mess up a resolver ability to recurse
|
||||
- move RRsets to different sections
|
||||
- fiddle with the ID
|
||||
- add/delete RRs
|
||||
- remove glue, add wrong glue
|
||||
- add fake signatures
|
||||
- split up RRsets
|
||||
== mess with the final packet ==
|
||||
- distort the compression pointers in the final packet
|
||||
- swap bytes in the final packet
|
||||
- swap bits in the final packet
|
||||
|
||||
Based on a simple ldns-based nameserver.
|
||||
|
||||
A configuration file is needed to tell it what to do. Some form
|
||||
of random stuff is also required.
|
||||
|
||||
Ideally what I want is that you "program" you nameserver to mangle
|
||||
the packets.
|
||||
|
||||
The mangle stage should be seen as a lego system, where you can connect
|
||||
different boxes together and push the assembled packet through it.
|
||||
|
||||
So RNS should be able to deal with raw packets, so you can put it
|
||||
IN FRONT of another nameserver or it can directly deal with a ldns_packet*.
|
||||
|
||||
Best way would be to build RNS is as a filter that can be put between the
|
||||
resolver and nameserver. Or, if running on localhost, all answers can be
|
||||
sent to a special IP of the resolver you want to test.
|
||||
|
||||
** Mangle Blocks
|
||||
|
||||
Each mangle function is effectively called from the configuration file.
|
||||
From the config file a mangle-engine is built. The packet is then put
|
||||
through this engine. After that a binary blob (with a length) comes
|
||||
out. This blob is then sent out to the network.
|
||||
|
||||
* Design of RNS
|
||||
|
||||
You program the engine in Lua by using ldns building blocks.
|
||||
|
||||
I must be able to call C ldns functions from lua and pass data
|
||||
from and to the functions.
|
||||
|
||||
:Binary filter:
|
||||
|
||||
Steps:
|
||||
1. suck in a packet
|
||||
b: check ip dst address
|
||||
2. mangle it according to the configuration file
|
||||
3. rebuilt and put out the new packet. (Or binary blob, or whatever)
|
||||
|
||||
* Implementation
|
||||
|
||||
A bunch of blob/packet functions-in/out.
|
||||
|
||||
So blob_out* lua_mangle_remove_rr(blob_in*, random, extra args??);
|
||||
|
||||
See are then chained together by the lua code.
|
||||
|
||||
:Packet Mangling:
|
||||
|
||||
These are the four basic operations:
|
||||
|
||||
Transpose: switching 2 elements
|
||||
Substitute: replace an element with another one
|
||||
(could be random)
|
||||
Add: add an element
|
||||
Remove: remove an element
|
||||
|
||||
Each operation can be done on a different level, we distinguish between the
|
||||
following levels:
|
||||
|
||||
packet-level: the header bits, number of rr in a specific section,
|
||||
rr-level: placement of rrs (which section)
|
||||
byte-level: handle specific bytes, like the compression pointers (2
|
||||
bytes)
|
||||
bit-level: handle specific bits
|
||||
|
||||
All 4 operation can be applied at all levels, this gives us 16 degrees of
|
||||
freedom in the packet mangling. (ghe ghe :-) )
|
||||
|
||||
To keep matters interesting some sort of randomness is required in some
|
||||
step, otherwise each packet is mangled in the same way. Also this
|
||||
randomness together with the Lua script needs to be logged so the
|
||||
actual mangling can be replayed.
|
||||
|
||||
:Packet Mangling: address the different elements:
|
||||
We need a way to address our elements:
|
||||
|
||||
elements: (network order)
|
||||
bytes: numbered from 0 till the end of the packet
|
||||
bits: within each byte numbered from 0 till 7
|
||||
sections: numbered from the start of the packet (mnemonics?)
|
||||
rr: numbered in each section
|
||||
|
||||
Ambivalent on whether we need something like addresses: section_answer?
|
||||
ldns_* provides it. Should we use that?????
|
||||
|
||||
::Packet Mangling Implementation::
|
||||
Example:
|
||||
|
||||
Suppose we have a mangling operation that mangles RR (at the rr-level):
|
||||
transpose_rr(packet, rr1_position, rr2_position)
|
||||
|
||||
The 2 rr's are now flipped. We could also use rand0 for the position
|
||||
thereby letting the system decide. All these mangling functions should
|
||||
this log what they do.
|
||||
|
||||
:: Short Term Implementation ::
|
||||
|
||||
Try to switch 2 rrs from one section to another. Complex addressing of
|
||||
a packet <Section, RR number> probably.... Section can be random, RR number
|
||||
can be random.
|
||||
|
||||
|
||||
:: Addressing ::
|
||||
everything is numbered from 0 to n-1, so n objects
|
||||
this is how things go in side the packet too, so it is the easiest
|
||||
|
||||
:: Lua Implementation ::
|
||||
RR level -> ldns stuff
|
||||
Packet level -> ldns stuff
|
||||
Byte level -> Lua string
|
||||
Bit level -> Lua string, but add C bit ops
|
||||
Reference in New Issue
Block a user