[PR #2614] [MERGED] Don't send DAU/DHU options in responses #3176

New issue

Closed

opened 2026-03-16 11:29:32 +03:00 by kerem · 0 comments

kerem commented

2026-03-16 11:29:32 +03:00

Owner

📋 Pull Request Information

Original PR: https://github.com/hickory-dns/hickory-dns/pull/2614
Author: @divergentdave
Created: 11/23/2024
Status: ✅ Merged
Merged: 11/26/2024
Merged by: @djc

Base: main ← Head: david/dau-dhu-in-response

📝 Commits (3)

3aec9d3 Add conformance test for DAU/DHU/N3U in responses
0bcb6b3 Remove incorrect TODO
6dfd198 Do not send DAU/DHU options in responses

📊 Changes

6 files changed (+65 additions, -5 deletions)

View changed files

📝 conformance/packages/conformance-tests/src/resolver/dnssec.rs (+1 -0)
➕ conformance/packages/conformance-tests/src/resolver/dnssec/rfc6975.rs (+1 -0)
➕ conformance/packages/conformance-tests/src/resolver/dnssec/rfc6975/section_4.rs (+52 -0)
📝 conformance/packages/dns-test/src/client.rs (+11 -0)
📝 crates/proto/src/xfer/dnssec_dns_handle/mod.rs (+0 -1)
📝 crates/server/src/authority/catalog.rs (+0 -4)

📄 Description

The DAU/DHU/N3U options from RFC 6975 are only intended to be sent by clients, not name servers. Different sections say that "Validating recursive resolvers MUST NOT set the DAU, DHU, and/or N3U option(s) in the final response to the stub client" and "Authoritative servers MUST NOT set the DAU, DHU, and/or N3U option(s) on any responses". This PR adds a conformance test checking the behavior of recursive resolvers, and stops adding the DAU and DHU options to responses in the Catalog.

_{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

## 📋 Pull Request Information **Original PR:** https://github.com/hickory-dns/hickory-dns/pull/2614 **Author:** [@divergentdave](https://github.com/divergentdave) **Created:** 11/23/2024 **Status:** ✅ Merged **Merged:** 11/26/2024 **Merged by:** [@djc](https://github.com/djc) **Base:** `main` ← **Head:** `david/dau-dhu-in-response` --- ### 📝 Commits (3) - [`3aec9d3`](https://github.com/hickory-dns/hickory-dns/commit/3aec9d3433a5f2099a881cb2adab55a88618255e) Add conformance test for DAU/DHU/N3U in responses - [`0bcb6b3`](https://github.com/hickory-dns/hickory-dns/commit/0bcb6b3b0c541f1f3d0fe23c86c90412db0aae24) Remove incorrect TODO - [`6dfd198`](https://github.com/hickory-dns/hickory-dns/commit/6dfd1982eea8887c73e6695ffd4b6f897eaf11a3) Do not send DAU/DHU options in responses ### 📊 Changes **6 files changed** (+65 additions, -5 deletions) <details> <summary>View changed files</summary> 📝 `conformance/packages/conformance-tests/src/resolver/dnssec.rs` (+1 -0) ➕ `conformance/packages/conformance-tests/src/resolver/dnssec/rfc6975.rs` (+1 -0) ➕ `conformance/packages/conformance-tests/src/resolver/dnssec/rfc6975/section_4.rs` (+52 -0) 📝 `conformance/packages/dns-test/src/client.rs` (+11 -0) 📝 `crates/proto/src/xfer/dnssec_dns_handle/mod.rs` (+0 -1) 📝 `crates/server/src/authority/catalog.rs` (+0 -4) </details> ### 📄 Description The DAU/DHU/N3U options from RFC 6975 are only intended to be sent by clients, not name servers. Different sections say that "Validating recursive resolvers MUST NOT set the DAU, DHU, and/or N3U option(s) in the final response to the stub client" and "Authoritative servers MUST NOT set the DAU, DHU, and/or N3U option(s) on any responses". This PR adds a conformance test checking the behavior of recursive resolvers, and stops adding the DAU and DHU options to responses in the `Catalog`. --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>