Merge main & update to bikkelhart/internet-nl@c0776a43

    git fetch bikkelhart
    git fetch internetnl
    git merge -X theirs internetnl/main
    git checkout --no-overlay bikkelhart/bikkelhart-redesign -- frontend interface/templates interface/static translations
    git checkout --no-overlay main -- interface/static/question@internet.nl_0x45028563.asc interface/templates/statistics.html
    msgcat --no-wrap translations/en/main.po <(git show internetnl/main:translations/en/main.po) | sponge translations/en/main.po
    convert -resize 48x48 interface/static/favicon.{png,ico}
    git add interface/static/favicon.ico
    git commit --amend -m "Merge main & update to bikkelhart/internet-nl@$(git rev-parse bikkelhart/bikkelhart-redesign | cut -c1-8)"

Author: bwbroersma

.well-known/security.txt

@@ -28,20 +28,20 @@ Encryption: https://internet.nl/static/question@internet.nl_0x45028563.asc
 # Our security policy
 Policy: https://internet.nl/disclosure/
 
-Expires: 2025-09-09T00:00:00Z
+Expires: 2026-09-25T00:00:00Z
 -----BEGIN PGP SIGNATURE-----
 
-iQIzBAEBCgAdFiEErLeIKUx+ErrpIoxg2JThX0UChWMFAmbe9QIACgkQ2JThX0UC
-hWOl9w//fNchS4XVtGG8m41YvPEh3jswxK2Fj7Oe5atxAjv8LNVwAWxVYjFpVPcp
-bkOrclK41SPX8BkYV8zKb/g641jeqZXKJxYGZRZyWVMlx7giwAD2hPi4l5QZ77UK
-6W468cScRfd51oKVfp91fXTkvQanVx23bYQ2Ti7kKd0ERsspEbX6NsuKUfLGA6rg
-7SpVxUBobkYLzR7RwvK5Qqs0+8k7syDnpi81Fy+dy/YLxzB9MERp3yUmve4xxdoW
-wuWSoJbynHfwHkD3QwjoOrLasowxi7dTW11Awe3Ll5p8GTa1UBbzfY7iwVJ2DesN
-gcBpoxREp9LdDynLOwHgX/k1uyadU7QVnm4bLjvmuDNIOaECBGcN15YDWC+mVap3
-h8OIgTW3oN3PtQA1WpsFaol8P0CHfo01MbC4EoOAMGv28GwR1AYjzs03FN+1MMCJ
-5PxbyB0Zs1s6DsD1xOAvXCyvf1nSdLH/uDReEN4E4zaL9aftnNv3Dxpu7i4l3z23
-ACqNPkNHPyad7JxZve5SXLJhYaCIcySEO/upEUdQIa58T/8cZxtMFiTO0kbbo8HE
-25H5OIwx/9voH9zd0B+g0xdbct4xYSL6iyZ6ebMlteaqgbHY7cjLW5o8RGZxTkQf
-mS2qRBl57PhvTubt09fq+b6LiQX5XnlXEEzp6+RhtfRXFLSvcJc=
-=tA8x
+iQIzBAEBCgAdFiEErLeIKUx+ErrpIoxg2JThX0UChWMFAmjWfAcACgkQ2JThX0UC
+hWNptw/8ChAXXJcowrTy5y0xYw2YPx0a26M/bTBIZ2TsH0ewmhOHJEOXK9S1V6+I
+oszXGBmm9fUDEXlMC7+f1QfXWXt8Xh1OVd9HOTqVvQ4lmb2XbefGuR6hFuHaveEx
+Ac5nVVpkxwUzBJOQ0idK3bA+cLdosx6JEMPQoKWVPceaTake3TckQ22TEHBRro5z
+i7FAdEfqCjMT1r682cjNa95Q2gj7To06SmU4f/+0O2sjA64FVpOGRjC/Ka5YolZ6
+xLnnHQGz3FuQnKKVSF29l2RnbtNiL9Arr9xUekY8RoO7c7t7/Hwslp/lyYBHWHUZ
+3eeh4bkLgbfLICsjFWhQjU5uHp92ObMF+2N55d4C2oZp+o5C6BfdXW5nACLBreOV
+AjIUpzn59qpRPwV8dni6qzE0+BodIp6yAzBynXoCFoc7+mRK4Njtsr5Ci8Mz7Y2R
+7iBkor6xHmEssyJi2tCWSuZlQUcKx/JKRAKZI3yIOQab7lqfB8cLXogaEgtpAt1U
+8miL7wxKONyJM5bYOcf7UmpQutvRIWB3ZKtw/b0V8i/HCl7IzpyRASgwGbi93cqD
+EQw6/W5v4AtqoktNdxvWKyi+3NORfBdYHkCnLDGWtMMJpbW17iD4RVg866ode0Sv
+ukBLiBbSZTIJjv9294oKjRgKnZgy9PZ1+6bxLjmBl8k9XQJrQ18=
+=LFEm
 -----END PGP SIGNATURE-----

Changelog.md

@@ -20,6 +20,22 @@ _Compared to the latest 1.10 release._
 
 - ...
 
+
+## 1.10.6
+
+- Fixed a syntax error in the OpenAPI specification.
+
+## 1.10.5
+
+- Fixed an issue in 1.10.x where [DNSSEC test could return false negatives](https://github.com/internetstandards/Internet.nl/issues/1869)
+  due to an interaction between cached responses and the CD and AD flags.
+- Added news post.
+
+## 1.10.4
+
+- Updated our security.txt.
+- Updated Django version.
+
 ## 1.10.3
 
 - Added [missing User-Agent](https://github.com/internetstandards/Internet.nl/issues/1048) to 0-RTT HTTP requests

checks/resolver.py

@@ -4,13 +4,12 @@
 import dns
 from django.conf import settings
 from dns.edns import EDECode
-from dns.exception import ValidationFailure
 from dns.flags import Flag, EDNSFlag
 from dns.message import Message, make_query
 from dns.query import udp_with_fallback
 from dns.rdatatype import RdataType
 from dns.rdtypes.ANY import TLSA, CAA
-from dns.resolver import Resolver, NXDOMAIN, NoAnswer
+from dns.resolver import Resolver, NXDOMAIN, NoAnswer, NoNameservers
 import socket
 
 DNS_TIMEOUT = 5
@@ -41,44 +40,44 @@ def from_message(cls, message: Message):
         return cls(DNSSECStatus.INSECURE)
 
 
-def dns_resolve_a(qname: str, allow_bogus=True) -> list[str]:
-    rrset, dnssec_status = dns_resolve(qname, RdataType.A, allow_bogus)
+def dns_resolve_a(qname: str) -> list[str]:
+    rrset, dnssec_status = dns_resolve(qname, RdataType.A)
     return [rr.address for rr in rrset]
 
 
-def dns_resolve_aaaa(qname: str, allow_bogus=True) -> list[str]:
-    rrset, dnssec_status = dns_resolve(qname, RdataType.AAAA, allow_bogus)
+def dns_resolve_aaaa(qname: str) -> list[str]:
+    rrset, dnssec_status = dns_resolve(qname, RdataType.AAAA)
     return [rr.address for rr in rrset]
 
 
-def dns_resolve_mx(qname: str, allow_bogus=True) -> list[tuple[str, int]]:
-    rrset, dnssec_status = dns_resolve(qname, RdataType.MX, allow_bogus)
+def dns_resolve_mx(qname: str) -> list[tuple[str, int]]:
+    rrset, dnssec_status = dns_resolve(qname, RdataType.MX)
     return [(str(rr.exchange), rr.preference) for rr in rrset]
 
 
-def dns_resolve_ns(qname: str, allow_bogus=True) -> list[str]:
-    rrset, dnssec_status = dns_resolve(qname, RdataType.NS, allow_bogus)
+def dns_resolve_ns(qname: str) -> list[str]:
+    rrset, dnssec_status = dns_resolve(qname, RdataType.NS)
     return [str(rr.target) for rr in rrset]
 
 
-def dns_resolve_tlsa(qname: str, allow_bogus=True) -> tuple[list[TLSA], DNSSECStatus]:
-    rrset, dnssec_status = dns_resolve(qname, RdataType.TLSA, allow_bogus)
+def dns_resolve_tlsa(qname: str) -> tuple[list[TLSA], DNSSECStatus]:
+    rrset, dnssec_status = dns_resolve(qname, RdataType.TLSA, guarantee_accurate_secure=True)
     return rrset, dnssec_status
 
 
-def dns_resolve_txt(qname: str, allow_bogus=True) -> list[str]:
-    rrset, dnssec_status = dns_resolve(qname, RdataType.TXT, allow_bogus)
+def dns_resolve_txt(qname: str) -> list[str]:
+    rrset, dnssec_status = dns_resolve(qname, RdataType.TXT)
     return ["".join([dns.rdata._escapify(s) for s in rr.strings]) for rr in rrset]
 
 
-def dns_resolve_spf(qname: str, allow_bogus=True) -> Optional[str]:
-    strings = dns_resolve_txt(qname, allow_bogus)
+def dns_resolve_spf(qname: str) -> Optional[str]:
+    strings = dns_resolve_txt(qname)
     spf_records = [s for s in strings if s.lower().startswith("v=spf1")]
     return spf_records[0] if len(spf_records) == 1 else None
 
 
-def dns_resolve_soa(qname: str, allow_bogus=True, raise_on_no_answer=True) -> DNSSECStatus:
-    rrset, dnssec_status = dns_resolve(qname, RdataType.SOA, allow_bogus, raise_on_no_answer)
+def dns_resolve_soa(qname: str, raise_on_no_answer=True) -> DNSSECStatus:
+    rrset, dnssec_status = dns_resolve(qname, RdataType.SOA, raise_on_no_answer, guarantee_accurate_secure=True)
     return dnssec_status
 
 
@@ -89,7 +88,9 @@ def dns_resolve_caa(qname: str) -> tuple[str, Iterable[CAA.CAA]]:
     """
     while True:
         try:
-            answer = _get_resolver().resolve(dns.name.from_text(qname), RdataType.CAA, raise_on_no_answer=True)
+            answer = _get_resolver(cd_flag=True).resolve(
+                dns.name.from_text(qname), RdataType.CAA, raise_on_no_answer=True
+            )
             return str(answer.canonical_name), answer.rrset
         except (NoAnswer, NXDOMAIN):
             qname = dns_climb_tree(qname)
@@ -98,7 +99,7 @@ def dns_resolve_caa(qname: str) -> tuple[str, Iterable[CAA.CAA]]:
 
 
 def dns_resolve_reverse(ipaddr: str) -> list[str]:
-    answer = _get_resolver().resolve_address(ipaddr)
+    answer = _get_resolver(cd_flag=True).resolve_address(ipaddr)
     return [rr.to_text() for rr in answer.rrset]
 
 
@@ -111,11 +112,32 @@ def dns_check_ns_connectivity(probe_qname: str, target_ip: str, port: int = 53)
         return False
 
 
-def dns_resolve(qname: str, rr_type: RdataType, allow_bogus=True, raise_on_no_answer=True):
-    answer = _get_resolver().resolve(dns.name.from_text(qname), rr_type, raise_on_no_answer=raise_on_no_answer)
-    dnssec_status = DNSSECStatus.from_message(answer.response)
-    if dnssec_status == DNSSECStatus.BOGUS and not allow_bogus:
-        raise ValidationFailure()
+def dns_resolve(qname: str, rr_type: RdataType, raise_on_no_answer=True, guarantee_accurate_secure=False):
+    """
+    Resolve the provided qname/record type.
+    Returns the RRset and the DNSSEC status, with a caveat.
+
+    raise_on_no_answer: if True, raises NoAnswer for no answer, if False, no exception raised
+
+    guarantee_accurate_secure:
+    Certain caching scenarios may lead us to falsely mark a response as insecure, when it is secure,
+    due to a missing AD bit when a response for the same qname was cached to resolve a different query,
+    in combination with our CD flag.
+    This is OK in most cases, but when it is not, we need to do a double query to prevent this,
+    enabled with guarantee_accurate_secure=True.
+    https://github.com/internetstandards/Internet.nl/issues/1869
+    """
+    resolve_params = {"qname": dns.name.from_text(qname), "rdtype": rr_type, "raise_on_no_answer": raise_on_no_answer}
+    if guarantee_accurate_secure:
+        try:
+            answer = _get_resolver(cd_flag=False).resolve(**resolve_params)
+            dnssec_status = DNSSECStatus.from_message(answer.response)
+        except NoNameservers:  # dnspython's translation for servfail
+            answer = _get_resolver(cd_flag=True).resolve(**resolve_params)
+            dnssec_status = DNSSECStatus.BOGUS
+    else:
+        answer = _get_resolver(cd_flag=True).resolve(**resolve_params)
+        dnssec_status = DNSSECStatus.from_message(answer.response)
     return answer.rrset, dnssec_status
 
 
@@ -126,22 +148,29 @@ def dns_climb_tree(qname: str) -> Optional[str]:
     return parent.to_text()
 
 
-_resolver = None
+_resolver_without_cd = None
+_resolver_with_cd = None
 
 
-def _get_resolver():
+def _get_resolver(cd_flag: bool):
     # Resolvers are thread safe once configured
-    global _resolver
-    if not _resolver:
-        _resolver = _create_resolver()
-    return _resolver
-
-
-def _create_resolver() -> Resolver:
+    global _resolver_with_cd
+    if not _resolver_with_cd:
+        _resolver_with_cd = _create_resolver(cd_flag=True)
+    global _resolver_without_cd
+    if not _resolver_without_cd:
+        _resolver_without_cd = _create_resolver(cd_flag=False)
+    if cd_flag:
+        return _resolver_with_cd
+    return _resolver_without_cd
+
+
+def _create_resolver(cd_flag: bool) -> Resolver:
     resolver = Resolver(configure=False)
     resolver.nameservers = [socket.gethostbyname(settings.RESOLVER_INTERNAL_VALIDATING)]
     resolver.edns = True
-    resolver.flags = Flag.CD
+    if cd_flag:
+        resolver.flags = Flag.CD
     resolver.ednsflags = EDNSFlag.DO
     resolver.lifetime = DNS_TIMEOUT
     return resolver

docker/integration-tests/www/well-known/security.txt

@@ -28,20 +28,20 @@ Encryption: https://internet.nl/static/question@internet.nl_0x45028563.asc
 # Our security policy
 Policy: https://internet.nl/disclosure/
 
-Expires: 2025-09-09T00:00:00Z
+Expires: 2026-09-25T00:00:00Z
 -----BEGIN PGP SIGNATURE-----
 
-iQIzBAEBCgAdFiEErLeIKUx+ErrpIoxg2JThX0UChWMFAmbe9QIACgkQ2JThX0UC
-hWOl9w//fNchS4XVtGG8m41YvPEh3jswxK2Fj7Oe5atxAjv8LNVwAWxVYjFpVPcp
-bkOrclK41SPX8BkYV8zKb/g641jeqZXKJxYGZRZyWVMlx7giwAD2hPi4l5QZ77UK
-6W468cScRfd51oKVfp91fXTkvQanVx23bYQ2Ti7kKd0ERsspEbX6NsuKUfLGA6rg
-7SpVxUBobkYLzR7RwvK5Qqs0+8k7syDnpi81Fy+dy/YLxzB9MERp3yUmve4xxdoW
-wuWSoJbynHfwHkD3QwjoOrLasowxi7dTW11Awe3Ll5p8GTa1UBbzfY7iwVJ2DesN
-gcBpoxREp9LdDynLOwHgX/k1uyadU7QVnm4bLjvmuDNIOaECBGcN15YDWC+mVap3
-h8OIgTW3oN3PtQA1WpsFaol8P0CHfo01MbC4EoOAMGv28GwR1AYjzs03FN+1MMCJ
-5PxbyB0Zs1s6DsD1xOAvXCyvf1nSdLH/uDReEN4E4zaL9aftnNv3Dxpu7i4l3z23
-ACqNPkNHPyad7JxZve5SXLJhYaCIcySEO/upEUdQIa58T/8cZxtMFiTO0kbbo8HE
-25H5OIwx/9voH9zd0B+g0xdbct4xYSL6iyZ6ebMlteaqgbHY7cjLW5o8RGZxTkQf
-mS2qRBl57PhvTubt09fq+b6LiQX5XnlXEEzp6+RhtfRXFLSvcJc=
-=tA8x
+iQIzBAEBCgAdFiEErLeIKUx+ErrpIoxg2JThX0UChWMFAmjWfAcACgkQ2JThX0UC
+hWNptw/8ChAXXJcowrTy5y0xYw2YPx0a26M/bTBIZ2TsH0ewmhOHJEOXK9S1V6+I
+oszXGBmm9fUDEXlMC7+f1QfXWXt8Xh1OVd9HOTqVvQ4lmb2XbefGuR6hFuHaveEx
+Ac5nVVpkxwUzBJOQ0idK3bA+cLdosx6JEMPQoKWVPceaTake3TckQ22TEHBRro5z
+i7FAdEfqCjMT1r682cjNa95Q2gj7To06SmU4f/+0O2sjA64FVpOGRjC/Ka5YolZ6
+xLnnHQGz3FuQnKKVSF29l2RnbtNiL9Arr9xUekY8RoO7c7t7/Hwslp/lyYBHWHUZ
+3eeh4bkLgbfLICsjFWhQjU5uHp92ObMF+2N55d4C2oZp+o5C6BfdXW5nACLBreOV
+AjIUpzn59qpRPwV8dni6qzE0+BodIp6yAzBynXoCFoc7+mRK4Njtsr5Ci8Mz7Y2R
+7iBkor6xHmEssyJi2tCWSuZlQUcKx/JKRAKZI3yIOQab7lqfB8cLXogaEgtpAt1U
+8miL7wxKONyJM5bYOcf7UmpQutvRIWB3ZKtw/b0V8i/HCl7IzpyRASgwGbi93cqD
+EQw6/W5v4AtqoktNdxvWKyi+3NORfBdYHkCnLDGWtMMJpbW17iD4RVg866ode0Sv
+ukBLiBbSZTIJjv9294oKjRgKnZgy9PZ1+6bxLjmBl8k9XQJrQ18=
+=LFEm
 -----END PGP SIGNATURE-----

frontend/src/css/components.css

@@ -230,14 +230,6 @@
   }
 }
 
-[data-theme="dark"] {
-  color-scheme: dark;
-  
-  .card.large.knowledge-card {
-    border: var(--card-border);
-  }
-}
-
 .card {
   border-radius: 0.5rem;
 
@@ -457,6 +449,7 @@
 .accordion {
   appearance: none;
   overflow: clip;
+  border: 1px solid var(--accordion-border-color);
 
   &::details-content {
     @media (prefers-reduced-motion: no-preference) {
@@ -513,8 +506,13 @@
   .card.large.knowledge-card {
     border: none;
   }
+}
 
-  .accordion {
-    border: 1px solid var(--green-400);
+/* Overwrites for dark theme */
+[data-theme="dark"] {
+  color-scheme: dark;
+  
+  .card.large.knowledge-card {
+    border: var(--card-border);
   }
 }

frontend/src/css/header.css

@@ -291,7 +291,15 @@ header nav {
         padding: 0.5rem 0.75rem;
       }
 
-      .current-language {
+      .current-language-desktop {
+        @media (width <= 73.125rem) {
+          display: none;
+        }
+
+        text-transform: uppercase;
+      }
+
+      .current-language-mobile {
         @media (width >= 73.125rem) {
           display: none;
         }
@@ -353,7 +361,7 @@ header nav {
           content: "";
           position: absolute;
           left: 0;
-          width: 150%;
+          width: 100%;
           height: 1.25rem;
         }
       }
@@ -401,10 +409,7 @@ header nav {
     .nav-subitem {
       display: flex;
       width: 100%;
-
-
 
-
       a, button {
         display: flex;
         font: var(--subnav-link);
@@ -499,10 +504,17 @@ header nav {
       translate: -50% 0;
       left: 50%;
       margin-top: 1.25rem;
+      z-index: 10;
 
       @media (scripting: none) {
         z-index: 2;
       }
+
+      /* Bring focused dropdown to front */
+      &:focus-within,
+      &.focused {
+        z-index: 20;
+      }
     }
 
     &.expanded {