chg: [tools] CRL tool updated to support latest version of dnspython

Add exception handling for some CRL (in China) returning incorrect DNS response from their authoritative servers.
2023-07-28 10:55:30 +02:00 · 2023-07-28 10:55:30 +02:00 · 11101527c0
parent 4a4c241d22
commit 11101527c0
1 changed files with 9 additions and 6 deletions
--- a/tools/generate-crl-ip-domains.py
+++ b/tools/generate-crl-ip-domains.py
@ -3,12 +3,14 @@ import csv
 import logging
 import multiprocessing.dummy
 import urllib.parse
+import sys
 from OpenSSL.crypto import FILETYPE_PEM, load_certificate, X509
 from pyasn1.codec.der.decoder import decode as asn1_decoder
 from pyasn1_modules.rfc2459 import CRLDistPointsSyntax, AuthorityInfoAccessSyntax
 from typing import List, Set
-from dns.resolver import NoAnswer, NXDOMAIN
+from dns.resolver import NoAnswer, NXDOMAIN, NoNameservers
 from dns.exception import Timeout
+import dns
 from generator import download_to_file, get_version, write_to_file, get_abspath_source_file, create_resolver


@ -45,18 +47,19 @@ def get_crl_ocsp_domains(cert: X509) -> List[str]:

 def get_ips_from_domain(domain: str) -> Set[str]:
    resolver = create_resolver()
-
    ips = set()

    try:
-        for rdata in resolver.query(domain, 'A'):
+        answers = dns.resolver.resolve(domain, 'A')
+        for rdata in answers:
            ips.add(str(rdata))
-    except (NoAnswer, NXDOMAIN, Timeout):
+    except (NoAnswer, NXDOMAIN, NoNameservers, Timeout):
        pass
    try:
-        for rdata in resolver.query(domain, 'AAAA'):
+        answers = dns.resolver.resolve(domain, 'AAAA')
+        for rdata in answers:
            ips.add(str(rdata))
-    except (NoAnswer, NXDOMAIN, Timeout):
+    except (NoAnswer, NXDOMAIN, NoNameservers, Timeout):
        pass

    return ips