a DNS query, type SVCB, like this:
dig @94.140.15.15 _dns.resolver.arpa svcb +short
returns:
1 dns.adguard-dns.com. alpn="h3,h2,http/1.1" port=443 ipv4hint=94.140.14.14,94.140.15.15 ipv6hint=2a10:50c0::ad1:ff,2a10:50c0::ad2:ff key7="/dns-query{?dns}"
2 dns.adguard-dns.com. alpn="dot" port=853 ipv4hint=94.140.14.14,94.140.15.15 ipv6hint=2a10:50c0::ad1:ff,2a10:50c0::ad2:ff
3 dns.adguard-dns.com. alpn="doq" port=853 ipv4hint=94.140.14.14,94.140.15.15 ipv6hint=2a10:50c0::ad1:ff,2a10:50c0::ad2:ff
How do I add a record like this to my NSD config?
Thanks for your time and effort.
Hi Peter,
SVCB records, or any other kind of record, should be added to your zone
file. https://nsd.docs.nlnetlabs.nl/en/latest/zonefile.html should give
you a decent example of how such a file should look. As for how to add
SVCB records, the svcb test can probably shed some light:
https://github.com/NLnetLabs/nsd/blob/master/tpkg/svcb.tdir/svcb.success-cases.zone.
Hope that helps.
- Jeroen
@ jeroen
Thanks for your pointers, managed to create valid entries (quotes matter, nsd-checkzone doesn’t warn, dig result then says: ;; Got bad packet: extra input data)
testzone, dummy IPs:
doh IN A 192.169.254.4
doh IN AAAA 2a02:1810:4d27:290f::aa01
;## HTTPS
httpsipv4 IN HTTPS 1 . alpn=h3,h2,http/1.1 dohpath="/dns-query{?dns}" port=443 ipv4hint="192.169.254.4"
httpsipv6 IN HTTPS 1 . alpn=h3,h2,http/1.1 dohpath="/dns-query{?dns}" port=443 ipv6hint="2a02:1810:4d27:290f::aa01"
httpsip IN HTTPS 1 . alpn=h3,h2,http/1.1 dohpath="/dns-query{?dns}" port=443 ipv4hint="192.169.254.4" ipv6hint="2a02:1810:4d27:290f::aa01"
;## SVCB
svcbipv4 IN SVCB 1 doh alpn=h3,h2,http/1.1 dohpath="/dns-query{?dns}" port=443 ipv4hint="192.169.254.4"
svcbipv6 IN SVCB 1 doh alpn=h3,h2,http/1.1 dohpath="/dns-query{?dns}" port=443 ipv6hint="2a02:1810:4d27:290f::aa01"
svcbip IN SVCB 1 doh alpn=h3,h2,http/1.1 dohpath="/dns-query{?dns}" port=443 ipv4hint="192.169.254.4" ipv6hint="2a02:1810:4d27:290f::aa01"
I don’t get it yet. It looks like you can do the same using HTTPS and SVCB records. What is the difference, since the query replies provide identical information?
Thanks for your time and effort
Hi Peter,
The format for SVCB and HTTPS RRs is the same, but the HTTPS rrtype is
reserved for use with the http and https URI schemes and implies some
values. I only worried about parsing it successfully for now, so I
don't know all the details, but
should answer that question in more detail(?)
nsd-checkzone mostly checks if it can successfully parse the record, so
mostly syntax, but it does check some semantics. The SVCB zone format
is a little weird because it introduces some syntax changes. There has
been some discussion on the syntax, but yes, quotes matter.
From the top of my head, you're allowed to specify either key=value or
key="value", but not key<space+>=<space+>"value". Depending on the
value, you need to quote it. Presumably, there's also some weirdness
around double escaping wrt alpn values and commas, but the details
escape me.
- Jeroen
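
The key=value rule from the last reply, and the reason dig prints key7 where the zone file says dohpath, as an added example (not NSD's parser and not code from this thread). It assumes the SvcParamKey numbers registered by RFC 9460 and RFC 9461, takes only the SvcParams part of a record, and leaves escape sequences undecoded; the function names are hypothetical.

```python
import re

# SvcParamKey numbers: 0-6 from RFC 9460, dohpath = 7 from RFC 9461.
KEY_NUMBERS = {"mandatory": 0, "alpn": 1, "no-default-alpn": 2, "port": 3,
               "ipv4hint": 4, "ech": 5, "ipv6hint": 6, "dohpath": 7}
TYPOGRAPHIC_QUOTES = "\u201c\u201d\u2018\u2019"
# Accepts key, key=value or key="value"; no whitespace around '='.
PARAM = re.compile(r'([a-z0-9-]+)(?:=(?:"((?:[^"\\]|\\.)*)"|([^\s"]+)))?')


def split_params(text):
    """Split on whitespace, keeping double-quoted strings in one piece."""
    return re.findall(r'(?:[^\s"]|"(?:[^"\\]|\\.)*")+', text)


def parse_svcparams(text):
    """Return ({key_number: raw_value}, [problems]) for one RR's SvcParams."""
    params, problems = {}, []
    if any(ch in text for ch in TYPOGRAPHIC_QUOTES):
        problems.append("typographic quotes; use ASCII double quotes")
    for token in split_params(text):
        m = PARAM.fullmatch(token)
        if not m:
            problems.append(f"bad SvcParam {token!r} (whitespace around '='?)")
            continue
        key = m.group(1)
        # Quoted value if present, otherwise the bare value (None for key-only).
        value = m.group(2) if m.group(2) is not None else m.group(3)
        if key in KEY_NUMBERS:
            number = KEY_NUMBERS[key]
        elif re.fullmatch(r"key\d{1,5}", key) and int(key[3:]) <= 65535:
            number = int(key[3:])  # generic keyNNNNN form, as dig printed it
        else:
            problems.append(f"unknown SvcParamKey {key!r}")
            continue
        if number in params:
            problems.append(f"duplicate SvcParamKey {key!r}")
        params[number] = value
    return params, problems
```

Running it over a record's parameters before nsd-checkzone catches pasted typographic quotes and spaced-out `=` signs, and shows that `dohpath=...` and `key7=...` resolve to the same key number.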