ENH: cymru expert: prevent extra lookups, handle invalid asnames

[monoidic]

This PR fixes #2132 by ignoring AS names with invalid characters, as suggested by Sebastian.
It also ensures that Cymru DNS queries that return NXDOMAIN do not cause any extraneous queries due to search domains.

(TODO: changelog, add unit test with invalid characters)

[sebix]

(TODO: changelog, add unit test with invalid characters)

Yes, a unit test for one of these special cases would be very good. For example the AS266522, which you mentioned in the issue

The fix looks good on first glance.

[monoidic]

Right. Well. Having the IP in the test event seemed to mess with things.

[kamil-certat]

If it's possible, it would be nice to provide a test for this change as well

[sebix]

The tests cover IP and ASN lookups.

[monoidic]

It technically doesn't cover the search domain part.

[kamil-certat]

This is what I meant :)

[sebix]

is this the "Avoid extraneous search domain-based queries on NXDOMAIN result"?

[monoidic]

That's the added periods in IP_QUERY and ASN_QUERY, actually.
Example: if you have a search domain of "lan" and resolving homeserver fails with NXDOMAIN, then the search domain will cause homeserver.lan. to be queried.
However, if, for instance, 1.2.3.4.origin4.cymru.com returns NXDOMAIN, then 1.2.3.4.origin4.cymru.com.lan. would be queried.
But, the added period at the end signifies that this is a fully qualified domain name and such queries should not be made.

[monoidic]

The test explicitly sets the search domain to cert.ee., which causes the test to fail if attempts are made to parse the TXT response because the responses for all subdomains of cert.ee. return an SPF record in response to TXT queries.

It is not a perfect solution (it relies on the cert.ee. domain, and the result for the IP in the test being NXDOMAIN, and the parser raising an exception on TXT records with invalid formatting instead of gracefully handling it somehow).

However, I'm wondering, is there any legitimate use case for intelmq.lib.utils.dns.resolve_dns to force the use of search domains in the first place? What about updating the minimum dnspython version to 2.x and removing search=True altogether?

[sebix]

However, I'm wondering, is there any legitimate use case for intelmq.lib.utils.dns.resolve_dns to force the use of search domains in the first place? What about updating the minimum dnspython version to 2.x and removing search=True altogether?

yes, I think we can safely require dnspython >= 2.0 now.

I don't have any reason at hand why search is on. If the tests succeed with search disabled, let's go for it :)

[sebix]

@monoidic Is this PR ready to merge or do you want to change the DNS-related parts?

[monoidic]

I'd been busy with other projects and forgout about this.
The latest commit should have everything necessary to deprecate dnspython <2.0.0 and remove two tests which are now outdated.
If the changes are acceptable, then I will add changelog entries as well.

[sebix]

If the changes are acceptable, then I will add changelog entries as well.

Yes, please document the changed minimum required version of dnspython, this has impact on the supported OSs (dropping out Ubuntu 20.04, which need to be removed from the docs, from intelmq-vagrant and at the next release from the packages).

[sebix]

With that change the function is obsolete now. But that's something for a major version as it is a change in the interface.

[kamil-certat]

Could you leave a ticket to remove it?

[sebix]

Added to #1444

[kamil-certat]

Looks good. What I'm not happy about is that we rely on the real answers in tests instead of some mocking solution (and DNS is relatively unstable), but it's a general problem, nothing related to the change :)

[kamil-certat]

Could you leave a ticket to remove it?