From patchwork Tue Sep 12 10:46:47 2023
X-Patchwork-Submitter: "plaisthos (Code Review)"
X-Patchwork-Id: 3344
From: "flichtenheld (Code Review)"
Date: Tue, 12 Sep 2023 10:46:47 +0000
Subject: [Openvpn-devel] [M] Change in openvpn[master]: dns option: remove support for exclude-domains
Message-ID: <9f260ea40477c10f6b9184163dcba573d7abdf34-HTML@gerrit.openvpn.net>
User-Agent: Gerrit/3.8.0
X-Gerrit-MessageType: newchange
X-Gerrit-Project: openvpn
X-Gerrit-Change-Number: 39
X-Gerrit-PatchSet: 6
X-Gerrit-Change-Id: I7f422add22f3f01e9f47985065782dd67bca46eb
X-Gerrit-Commit: ae4ab7aa359e0581e434798b148b7824bfad76ba
Reply-To: frank@lichtenheld.com, arne-openvpn@rfc2549.org, heiko@openvpn.net, openvpn-devel@lists.sourceforge.net
Cc: plaisthos, d12fk, openvpn-devel

Attention is currently required from: flichtenheld, plaisthos.

d12fk has uploaded this change for review.
( http://gerrit.openvpn.net/c/openvpn/+/39?usp=email )

Change subject: dns option: remove support for exclude-domains
......................................................................

dns option: remove support for exclude-domains

No DNS resolver currently supports this and it is not possible to emulate
the behavior without the chance of errors. Finding the effective default
system DNS server(s) to specify the exclude DNS routes is not trivial and
cannot be verified to be correct without resolver internal knowledge.
So, it is better to not support this instead of supporting it, but
incorrectly.

Change-Id: I7f422add22f3f01e9f47985065782dd67bca46eb
Signed-off-by: Heiko Hund
---
M doc/man-sections/client-options.rst
M doc/man-sections/script-options.rst
M src/openvpn/dns.c
M src/openvpn/dns.h
M src/openvpn/options.c
5 files changed, 7 insertions(+), 45 deletions(-)

git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/39/39/6

diff --git a/doc/man-sections/client-options.rst b/doc/man-sections/client-options.rst index fe9ffa6..4555534 100644 --- a/doc/man-sections/client-options.rst +++ b/doc/man-sections/client-options.rst @@ -169,7 +169,7 @@ dns search-domains domain [domain ...] dns server n address addr[:port] [addr[:port] ...] - dns server n resolve-domains|exclude-domains domain [domain ...] + dns server n resolve-domains domain [domain ...] dns server n dnssec yes|optional|no dns server n transport DoH|DoT|plain dns server n sni server-name
@@ -191,14 +191,10 @@ Optionally a port can be appended after a colon. IPv6 addresses need to be enclosed in brackets if a port is appended. - The ``resolve-domains`` and ``exclude-domains`` options take one or - more DNS domains which are explicitly resolved or explicitly not resolved - by a server. Only one of the options can be configured for a server. - ``resolve-domains`` is used to define a split-dns setup, where only - given domains are resolved by a server. ``exclude-domains`` is used to - define domains which will never be resolved by a server (e.g. domains - which can only be resolved locally). Systems which do not support fine - grained DNS domain configuration, will ignore these settings. + The ``resolve-domains`` option takes one or more DNS domains used to define + a split-dns or dns-routing setup, where only the given domains are resolved + by the server. Systems which do not support fine grained DNS domain + configuration, will ignore this setting. The ``dnssec`` option is used to configure validation of DNSSEC records. While the exact semantics may differ for resolvers on different systems, diff --git a/doc/man-sections/script-options.rst b/doc/man-sections/script-options.rst index d73231e..8c0be0c 100644 --- a/doc/man-sections/script-options.rst +++ b/doc/man-sections/script-options.rst @@ -663,7 +663,6 @@ dns_server_{n}_address_{m} dns_server_{n}_port_{m} dns_server_{n}_resolve_domain_{m} - dns_server_{n}_exclude_domain_{m} dns_server_{n}_dnssec dns_server_{n}_transport dns_server_{n}_sni diff --git a/src/openvpn/dns.c b/src/openvpn/dns.c index b7808db..51fca2f 100644 --- a/src/openvpn/dns.c +++ b/src/openvpn/dns.c 
@@ -402,11 +402,9 @@ if (s->domains) { - const char *format = s->domain_type == DNS_RESOLVE_DOMAINS ? - "dns_server_%d_resolve_domain_%d" : "dns_server_%d_exclude_domain_%d"; for (j = 1, d = s->domains; d != NULL; j++, d = d->next) { - setenv_dns_option(es, format, i, j, d->name); + setenv_dns_option(es, "dns_server_%d_resolve_domain_%d", i, j, d->name); } } @@ -484,14 +482,7 @@ struct dns_domain *domain = server->domains; if (domain) { - if (server->domain_type == DNS_RESOLVE_DOMAINS) - { - msg(D_SHOW_PARMS, " resolve domains:"); - } - else - { - msg(D_SHOW_PARMS, " exclude domains:"); - } + msg(D_SHOW_PARMS, " resolve domains:"); while (domain) { msg(D_SHOW_PARMS, " %s", domain->name); diff --git a/src/openvpn/dns.h b/src/openvpn/dns.h index 162dec1..e497857 100644 --- a/src/openvpn/dns.h +++ b/src/openvpn/dns.h @@ -27,12 +27,6 @@ #include "buffer.h" #include "env_set.h" -enum dns_domain_type { - DNS_DOMAINS_UNSET, - DNS_RESOLVE_DOMAINS, - DNS_EXCLUDE_DOMAINS -}; - enum dns_security { DNS_SECURITY_UNSET, DNS_SECURITY_NO, @@ -68,7 +62,6 @@ size_t addr_count; struct dns_server_addr addr[8]; struct dns_domain *domains; - enum dns_domain_type domain_type; enum dns_security dnssec; enum dns_server_transport transport; const char *sni; diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 17ce2b0..3e0cb62 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -514,7 +514,6 @@ " Valid options are :\n" " address [addr[:port] ...] : server addresses 4/6\n" " resolve-domains [domain ...] : split domains\n" - " exclude-domains [domain ...] : domains not to resolve\n" " dnssec : option to use DNSSEC\n" " type : query server over HTTPS / TLS\n" " sni : DNS server name indication\n" 
@@ -8022,22 +8021,6 @@ } else if (streq(p[3], "resolve-domains")) { - if (server->domain_type == DNS_EXCLUDE_DOMAINS) - { - msg(msglevel, "--dns server %ld: cannot use resolve-domains and exclude-domains", priority); - goto err; - } - server->domain_type = DNS_RESOLVE_DOMAINS; - dns_domain_list_append(&server->domains, &p[4], &options->dns_options.gc); - } - else if (streq(p[3], "exclude-domains")) - { - if (server->domain_type == DNS_RESOLVE_DOMAINS) - { - msg(msglevel, "--dns server %ld: cannot use exclude-domains and resolve-domains", priority); - goto err; - } - server->domain_type = DNS_EXCLUDE_DOMAINS; dns_domain_list_append(&server->domains, &p[4], &options->dns_options.gc); } else if (streq(p[3], "dnssec") && !p[5])
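Review bot: in the client-options.rst hunk at @@ -191,14 +191,10 @@, the replacement paragraph keeps a stray comma and an unhyphenated compound in its last sentence; `Systems which do not support fine grained DNS domain configuration, will ignore this setting.` should read `Systems which do not support fine-grained DNS domain configuration will ignore this setting.` The new term `dns-routing` also appears nowhere else in the touched documentation, so either define it or stick to `split-dns`, which the help text in options.c (`resolve-domains [domain ...] : split domains`) already uses.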
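Review bot: in the options.c hunk at @@ -514,7 +514,6 @@, the surrounding context lines list the server sub-option as `type : query server over HTTPS / TLS`, while the synopsis being edited in client-options.rst calls it `transport DoH|DoT|plain`. This mismatch predates the change, but since the help block is being touched anyway it would be a good moment to align the two names so users who read `--help` and the man page see the same keyword.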
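Review bot: in the options.c hunk at @@ -8022,22 +8021,6 @@, deleting the `else if (streq(p[3], "exclude-domains"))` branch means a configuration that still carries `dns server n exclude-domains ...` no longer matches any keyword in this chain; the hunk does not show what the final fall-through does, so please confirm it produces a clear parse error rather than silently accepting the line, and consider keeping a small branch that reports the sub-option as removed (`msg(msglevel, "--dns server %ld: exclude-domains is no longer supported", priority); goto err;`) so existing users get an actionable message. The commit message should also state explicitly that this is a hard break for configs using the old keyword. Separately, the surviving `resolve-domains` branch now calls `dns_domain_list_append()` with no guard at all, so repeating `resolve-domains` for the same server concatenates the lists; that behaviour is unchanged, but it was previously sitting behind the cross-option check that this hunk removes, so double-check it is still what you want.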