-
Notifications
You must be signed in to change notification settings - Fork 263
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
dnscry.pt update script #945
base: master
Are you sure you want to change the base?
Conversation
dnscry.pt maintainer here. Thanks for your great work! Keeping this repository in sync with the resolver lists I publish has been haunting me for months, so I am happy to see the progress made in this PR!
That's (unfortunately) due to laziness: I am taking the DNS Stamps for DNSCrypt and Anonymized DNS straight from the output of encrypted-dns-server. When I started the project, I only supported DNSCrypt, so there was no need to calculate any other DNS Stamps. Now changing this wouldn't be a big deal since I already calculate the stamps for DoT/DoH. I'll look into that.
I have never properly implemented having multiple resolvers in the same location and that's why things become inconsistent. At the moment, I am (ab-)using the I will have to make some adjustments here, but I don't think there's a better/more proper way than adding an incrementing value to locations which host more than one resolver. Besides that: Is there anything I can change in the JSON output to make things easier for you? |
I think the stamp data in the JSON is fine, my concern was merely that this repo's existing (hand-maintained) stamps are either old, or were being recalculated to remove the port before publication, and so servers that haven't actually changed are showing a changed stamp when you compare the generated output to the existing data. That's why I was leaning towards a second PR to go first, which would update all the DSN stamps for dnscry.pt entries to include the port number, matching upstream, but not otherwise changing the content. That makes the diff resulting from running this PR's script much smaller. As far as Location, then yeah, making them unique by including an incrementing key or something (I'd think the same as the DNS name, ideally) to ensure stability as servers appear and disappear makes sense. Tokyo is an example of where it's working well already, the concern was about Amsterdam, Hong Kong, and Los Angeles, where they do not have any such integer, and my quick-workaround mismatched the existing data in one of those cases, possibly surprising users if they update and don't re-select the desired service. Having the name be unique and upstream defined would let me remove the hack, and then any such mismatch or churn will only happen once, and be isolated to places where this repo and your upstream data source have an existing mismatch. If there wasn't existing data, I wouldn't use Location as the unique name anyway, I'd prefer to derive it from the host-name. That would introduce a once-off churn for all downstream consumers of this list who are using dnscry.pt servers though, so it's probably not feasible at this point. Of course, as you are the dnscry.pt maintainer, you are welcome to take this script, run it manually, apply any manual fixups or churn reduction you see fit, and submit the results as a PR against the data files. That might make things easier for the repo owner, as they would more-easily trust a data-only PR from you compared to a script from (random passing stranger) me. |
I think that's the case. IIRC the stamps were taken as they are first and the port has been removed in a later commit. I have just published new resolver lists (+ JSON) which have the port removed if the default port is used, which is the case for all resolvers at the moment. This change was overdue anyway to be compliant with the official (?) specifications for DNS stamps.
Oh boy... until now I didn't even notice those were missing the incrementing key. I wonder how the clients handled the resolver lists containing two resolvers with the same identifier. Anyways, as a quick fix I've added the |
c3c68c3
to
e7029dd
Compare
Awesome, thank you. I've rebased and rerun the scripts, and the churn is now much lower, so I included the output of the run as a commit for visibility. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
For easier review, I've annotated the changes in the data files that weren't purely new entries. One entry's IP was updated, and three have changed names with a new entry taking their former name, so this should not break anyone's systems unless certificate pinning is common for users in this ecosystem?
I annotated v1 because it's easy to see what changed; that was all generated using format.py, my script only updates the v3 data; the same changes in DNS stamps are visible there, but not what changed.
v1/dnscrypt-resolvers.csv
Outdated
dnscry.pt-amsterdam-ipv4,dnscry.pt-amsterdam-ipv4,"DNSCry.pt Amsterdam - DNSCrypt, no filter, no logs, DNSSEC support (IPv4 server)",,,,2,yes,yes,no,45.86.162.110,2.dnscrypt-cert.dnscry.pt,6E5C:573C:9A33:687D:DDD1:3F61:FFAF:4EA7:59E7:6106:1B5B:8C88:59DF:32A4:E391:9CAF, | ||
dnscry.pt-amsterdam-ipv4,dnscry.pt-amsterdam-ipv4,"DNSCry.pt Amsterdam - DNSCrypt, no filter, no logs, DNSSEC support (IPv4 server)",,,,2,yes,yes,no,198.140.141.46,2.dnscrypt-cert.dnscry.pt,5A9B:69F3:B181:7B8A:C0E8:18C5:0E97:52A1:D690:C52D:FF92:C8DA:70E4:7551:54E6:19BB, | ||
dnscry.pt-amsterdam-ipv6,dnscry.pt-amsterdam-ipv6,"DNSCry.pt Amsterdam - DNSCrypt, no filter, no logs, DNSSEC support (IPv6 server)",,,,2,yes,yes,no,[2a03:94e3:222b::1032],2.dnscrypt-cert.dnscry.pt,5A9B:69F3:B181:7B8A:C0E8:18C5:0E97:52A1:D690:C52D:FF92:C8DA:70E4:7551:54E6:19BB, | ||
dnscry.pt-amsterdam02-ipv4,dnscry.pt-amsterdam02-ipv4,"DNSCry.pt Amsterdam 02 - DNSCrypt, no filter, no logs, DNSSEC support (IPv4 server)",,,,2,yes,yes,no,45.86.162.110,2.dnscrypt-cert.dnscry.pt,6E5C:573C:9A33:687D:DDD1:3F61:FFAF:4EA7:59E7:6106:1B5B:8C88:59DF:32A4:E391:9CAF, | ||
dnscry.pt-amsterdam02-ipv6,dnscry.pt-amsterdam02-ipv6,"DNSCry.pt Amsterdam 02 - DNSCrypt, no filter, no logs, DNSSEC support (IPv6 server)",,,,2,yes,yes,no,[2a07:efc0:1001:a5ce::b4b4],2.dnscrypt-cert.dnscry.pt,6E5C:573C:9A33:687D:DDD1:3F61:FFAF:4EA7:59E7:6106:1B5B:8C88:59DF:32A4:E391:9CAF, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Key 6E5C:573C:9A33:687D:DDD1:3F61:FFAF:4EA7:59E7:6106:1B5B:8C88:59DF:32A4:E391:9CAF
is renamed from dnscry.pt-amsterdam-ipv4
to dnscry.pt-amsterdam02-ipv4
.
This is consistent with the hostname (ams02.dnscry.pt
) per https://www.dnscry.pt/public-resolvers/ams02
v1/dnscrypt-resolvers.csv
Outdated
dnscry.pt-hongkong-ipv4,dnscry.pt-hongkong-ipv4,"DNSCry.pt Hong Kong - DNSCrypt, no filter, no logs, DNSSEC support (IPv4 server)",,,,2,yes,yes,no,45.123.188.129,2.dnscrypt-cert.dnscry.pt,0B71:21FC:C3CB:4775:D462:C91E:BEC7:3E47:6D3F:019B:8A69:8D50:CD20:51AD:207E:31C8, | ||
dnscry.pt-hongkong-ipv6,dnscry.pt-hongkong-ipv6,"DNSCry.pt Hong Kong - DNSCrypt, no filter, no logs, DNSSEC support (IPv6 server)",,,,2,yes,yes,no,[2406:4300:bae:6b08::1],2.dnscrypt-cert.dnscry.pt,0B71:21FC:C3CB:4775:D462:C91E:BEC7:3E47:6D3F:019B:8A69:8D50:CD20:51AD:207E:31C8, | ||
dnscry.pt-hongkong-ipv4,dnscry.pt-hongkong-ipv4,"DNSCry.pt Hong Kong - DNSCrypt, no filter, no logs, DNSSEC support (IPv4 server)",,,,2,yes,yes,no,89.213.0.26,2.dnscrypt-cert.dnscry.pt,32DD:EDC4:D4D9:B251:982A:373B:D3D9:E117:8929:56DB:8FD9:4FD4:A7AB:1A67:F62D:EF35, | ||
dnscry.pt-hongkong-ipv6,dnscry.pt-hongkong-ipv6,"DNSCry.pt Hong Kong - DNSCrypt, no filter, no logs, DNSSEC support (IPv6 server)",,,,2,yes,yes,no,[2a13:82c1:850a::b7],2.dnscrypt-cert.dnscry.pt,32DD:EDC4:D4D9:B251:982A:373B:D3D9:E117:8929:56DB:8FD9:4FD4:A7AB:1A67:F62D:EF35, | ||
dnscry.pt-hongkong02-ipv4,dnscry.pt-hongkong02-ipv4,"DNSCry.pt Hong Kong 02 - DNSCrypt, no filter, no logs, DNSSEC support (IPv4 server)",,,,2,yes,yes,no,45.123.188.129,2.dnscrypt-cert.dnscry.pt,0B71:21FC:C3CB:4775:D462:C91E:BEC7:3E47:6D3F:019B:8A69:8D50:CD20:51AD:207E:31C8, | ||
dnscry.pt-hongkong02-ipv6,dnscry.pt-hongkong02-ipv6,"DNSCry.pt Hong Kong 02 - DNSCrypt, no filter, no logs, DNSSEC support (IPv6 server)",,,,2,yes,yes,no,[2406:4300:bae:6b08::1],2.dnscrypt-cert.dnscry.pt,0B71:21FC:C3CB:4775:D462:C91E:BEC7:3E47:6D3F:019B:8A69:8D50:CD20:51AD:207E:31C8, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Key 0B71:21FC:C3CB:4775:D462:C91E:BEC7:3E47:6D3F:019B:8A69:8D50:CD20:51AD:207E:31C8
is renamed from dnscry.pt-hongkong-ipv{4,6}
to dnscry.pt-hongkong02-ipv{4,6}
.
This is consistent with the hostname (hkg02.dnscry.pt
) per https://www.dnscry.pt/public-resolvers/hkg02
v1/dnscrypt-resolvers.csv
Outdated
dnscry.pt-london-ipv4,dnscry.pt-london-ipv4,"DNSCry.pt London - DNSCrypt, no filter, no logs, DNSSEC support (IPv4 server)",,,,2,yes,yes,no,178.239.174.244,2.dnscrypt-cert.dnscry.pt,8F66:DC44:BEBB:62C6:0CEA:2D99:2B92:5FFE:1CBE:FE09:ABB6:6140:8417:6BDB:F2CA:31EE, | ||
dnscry.pt-london-ipv4,dnscry.pt-london-ipv4,"DNSCry.pt London - DNSCrypt, no filter, no logs, DNSSEC support (IPv4 server)",,,,2,yes,yes,no,45.67.84.132,2.dnscrypt-cert.dnscry.pt,8F66:DC44:BEBB:62C6:0CEA:2D99:2B92:5FFE:1CBE:FE09:ABB6:6140:8417:6BDB:F2CA:31EE, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
IP address was out-of-date, but the host key is the same. IP address manually verified at https://www.dnscry.pt/public-resolvers/lon01. No change in the IPv6 address of this service.
v1/dnscrypt-resolvers.csv
Outdated
dnscry.pt-losangeles-ipv4,dnscry.pt-losangeles-ipv4,"DNSCry.pt Los Angeles - DNSCrypt, no filter, no logs, DNSSEC support (IPv4 server)",,,,2,yes,yes,no,104.200.67.194,2.dnscrypt-cert.dnscry.pt,8871:792B:8640:7C1C:8597:6CB5:0A9C:A0A0:FF44:0B95:E30F:10AF:FD57:9971:59B9:C184, | ||
dnscry.pt-losangeles-ipv6,dnscry.pt-losangeles-ipv6,"DNSCry.pt Los Angeles - DNSCrypt, no filter, no logs, DNSSEC support (IPv6 server)",,,,2,yes,yes,no,[2602:ff75:7:b79::b4b4],2.dnscrypt-cert.dnscry.pt,8871:792B:8640:7C1C:8597:6CB5:0A9C:A0A0:FF44:0B95:E30F:10AF:FD57:9971:59B9:C184, | ||
dnscry.pt-losangeles-ipv4,dnscry.pt-losangeles-ipv4,"DNSCry.pt Los Angeles - DNSCrypt, no filter, no logs, DNSSEC support (IPv4 server)",,,,2,yes,yes,no,84.33.244.100,2.dnscrypt-cert.dnscry.pt,0081:FF5E:2AAB:77C9:4AEC:1980:E72C:16A4:2A14:C835:2746:A518:F03C:71BF:7143:2716, | ||
dnscry.pt-losangeles-ipv6,dnscry.pt-losangeles-ipv6,"DNSCry.pt Los Angeles - DNSCrypt, no filter, no logs, DNSSEC support (IPv6 server)",,,,2,yes,yes,no,[2a0c:8fc3:3:1:2:3:4:5],2.dnscrypt-cert.dnscry.pt,0081:FF5E:2AAB:77C9:4AEC:1980:E72C:16A4:2A14:C835:2746:A518:F03C:71BF:7143:2716, | ||
dnscry.pt-losangeles02-ipv4,dnscry.pt-losangeles02-ipv4,"DNSCry.pt Los Angeles 02 - DNSCrypt, no filter, no logs, DNSSEC support (IPv4 server)",,,,2,yes,yes,no,104.200.67.194,2.dnscrypt-cert.dnscry.pt,8871:792B:8640:7C1C:8597:6CB5:0A9C:A0A0:FF44:0B95:E30F:10AF:FD57:9971:59B9:C184, | ||
dnscry.pt-losangeles02-ipv6,dnscry.pt-losangeles02-ipv6,"DNSCry.pt Los Angeles 02 - DNSCrypt, no filter, no logs, DNSSEC support (IPv6 server)",,,,2,yes,yes,no,[2602:ff75:7:b79::b4b4],2.dnscrypt-cert.dnscry.pt,8871:792B:8640:7C1C:8597:6CB5:0A9C:A0A0:FF44:0B95:E30F:10AF:FD57:9971:59B9:C184, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Key 8871:792B:8640:7C1C:8597:6CB5:0A9C:A0A0:FF44:0B95:E30F:10AF:FD57:9971:59B9:C184
is renamed from dnscry.pt-losangeles-ipv{4,6}
to dnscry.pt-losangeles02-ipv{4,6}
.
This is consistent with the hostname (lax02.dnscry.pt
) per https://www.dnscry.pt/public-resolvers/lax02
Just a heads-up - the IP addresses of If we can get this merged, this would help me a lot to keep this repo in sync with changes on my end. |
8e786e4
to
f7ac7c7
Compare
I've rerun the script and repushed the branch, and those addresses should now be updated. I'm happy to trivially rebase if I'm pinged here, but I'm not actively tracking dnscry.pt data updates myself. I have not heard from the repo owner, so I'm not sure what expectation to have about timelines for merging this PR. |
Thanks! Until now, Is there a difference between this and manually parsing the JSON file? |
There's no difference. The JSON is an export of the data my scripts use to
generate the resolver files.
Frank Denis ***@***.***> schrieb am Mi., 18. Sept. 2024,
18:30:
… Thanks!
Until now, dnscry.pt updates were just copied from:
- https://www.dnscry.pt/resolvers.md
- https://www.dnscry.pt/anon-relays.md
Is there a difference between this and manually parsing the JSON file?
—
Reply to this email directly, view it on GitHub
<#945 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAAJF46GGN66BMTYZGM3TW3ZXGTA5AVCNFSM6AAAAABMMPKFLWVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDGNJYHEZDCNJTGE>
.
You are receiving this because you were mentioned.Message ID:
***@***.***>
|
Signed-off-by: Paul "TBBle" Hampson <Paul.Hampson@Pobox.com>
Drop some unused imports and turn `if not X in` into `if X not in`. Signed-off-by: Paul "TBBle" Hampson <Paul.Hampson@Pobox.com>
On Windows, you can't rename over a file that exists, and you can't delete a file you stil have open. Signed-off-by: Paul "TBBle" Hampson <Paul.Hampson@Pobox.com>
Signed-off-by: Paul "TBBle" Hampson <Paul.Hampson@Pobox.com>
f7ac7c7
to
da34c4d
Compare
Rebased for latest changes to master branch, which see has had (manual, I assume) updates to the dnscry.pt servers, so the final commit's diff is much smaller now.
It's not manual. ^_^ For me, that's a win by itself; YMMV. For example, looking at the current diff, it's readded the three servers you removed as not working in de9d69e. (Someone should probably report that to @Brueggus if not already aware...) It also adds a bunch of anonymous relays which aren't currently in the list. I haven't checked carefully but it looks like that's the list of relays removed in 5762a73. Either way, it makes it super-easy to see what's changed compared to manually parsing a JSON file. (Although I suspect we want to drop the last commit as it's now somewhat reverting deliberate manual changes.) Edit: Confirmed that a quick |
da34c4d
to
07cdd5b
Compare
But why use the JSON file instead of the already existing Here are the scripts that have been used to update the
They're very simple as they just add a prefix to the names. Using the JSON file looks way more complicated. |
Also, copying the |
There's a built-in JSON parser in Python stdlib, so I didn't even need to think about parsing Markdown's various flavours. I also assumed upstream JSON was canonical, and any MD output was generated from that and liable to change. When I came into this, both formats already existed and there wasn't any hint of an existing MD parser in the lInked bug or repo that I saw. |
Based on #868 and particularly #868 (comment), this is a trivial script to update the dnscry.pt entries in
v3/public-resolvers.md
andv3/relays.md
from https://www.dnscry.pt/resolvers.json.No-longer relevant issues
The below issues appeared in the first version of this PR, but @Brueggus (dnscry.pt maintainer) has updated the published resolver data to resolve them both, per #945 (comment)
The first run generates a lot of churn, as compared to the data in this repo, the upstream data now encodes the port number in all of its DNS Stamps. It's easy to see this after format.py is run and the
v1/dnscrypt-resolvers.csv
is updated. It would be possible to strip the port 443 from the DNS Stamps and recalculate them, but doing so would make these stamps incomparable to upstream, and that cost me a bit of time trying to work out why they were all different before I checked with https://dnscrypt.info/stamps/.Also visible in
v1/dnscrypt-resolvers.csv
is some hard-to-avoid churn in entries where upstream has multiple resolvers with the same "location" key, as my dumb-trivial mechanism to resolve that may not pick the same one to rename as the one done previously.This is visible for example with current
dnscry.pt-amsterdam-ipv4
which ends up asdnscry.pt-amsterdam02-ipv4
(based on the public key), and the other entry with that location is nowdnscry.pt-amsterdam-ipv4
.I'm not sure if this is really an issue for end users. An alternative would be to add the suffix to the location for any host with a hostname that isn't
___01
, but that would rename existingdnscry.pt-singapore-ipv4
(again matching the host keys) todnscry.pt-singapore03-ipv4
. In this approach, Tokyo would also ends up with onlydnscry.pt-tokyo02-ipv4
anddnscry.pt-tokyo03-ipv4
, but that's actually fair since currentdnscry.pt-tokyo-ipv4
is gone, and gets replaced in-place with what upstream callstyo03.dnscry.pt
.I didn't commit the result of running the scripts since I'm not set up for minisig: I'm not sure what the expectation here is, but it would be trivial to add such a commit if desired.
It might also make for cleaner history if I in-place updated all the dnscry.pt DNS Stamps in-place first to have the :443 port number, then the churn will be much more readable.
The current output from execution looks like this: