Ticket #125 (closed defect: fixed)

Opened 7 years ago

Last modified 3 years ago

PowerDNS offers wild card info. when it is not queried for.

Reported by: anon
Owned by: somebody
Priority: highest
Milestone:
Component: auth
Version:
Severity: major
Keywords:
Cc: augie.schwer@…

Description

Along the same lines as #124, if PowerDNS does not have the query record, but does have a wild card for the domain, then it will give NOERROR and the wild card info. that it has.

This gives incorrect answers to clients that may first request an AAAA record, which may be cached locally and then used to incorrectly answer a later A record query.

The BIND zone file looks like this:

$TTL 7200
$ORIGIN schwer.us.
@               IN      SOA     ns1.sonic.net.  hostmaster.sonic.net.   (
                2007021205      ;serial
                10800           ;refresh
                3600            ;retry
                1209600         ;expire
                86400 )         ;TTL
                IN      TXT     "v=spf1 include:mail.sonic.net -all"
                IN      A       208.201.227.139
                IN      NS      a.auth-ns.sonic.net.
                IN      NS      b.auth-ns.sonic.net.
                IN      NS      c.auth-ns.sonic.net.
                IN      MX      10 mailin-01.mx.sonic.net.
                IN      MX      10 mailin-02.mx.sonic.net.
www             IN      CNAME   schwer.us.
test            IN      A       208.201.227.139
*               IN      CNAME   www

Querying PowerDNS:

[augie@augnix ~]$ dig aaaa test.schwer.us +norecurse @pdns-lab.sr.sonic.net

; <<>> DiG 9.3.2 <<>> aaaa test.schwer.us +norecurse @pdns-lab.sr.sonic.net
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41356
;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;test.schwer.us.                        IN      AAAA

;; ANSWER SECTION:
test.schwer.us.         7200    IN      CNAME   www.schwer.us.
www.schwer.us.          7200    IN      CNAME   schwer.us.

;; AUTHORITY SECTION:
schwer.us.              7200    IN      SOA     ns1.sonic.net. hostmaster.sonic.net. 2007021205 10800 3600 1209600 86400

;; Query time: 10 msec
;; SERVER: 64.142.100.91#53(64.142.100.91)
;; WHEN: Tue Feb 13 16:37:06 2007
;; MSG SIZE  rcvd: 133

Querying BIND:

[augie@augnix ~]$ dig aaaa test.schwer.us +norecurse @sonic.sonic.net

; <<>> DiG 9.3.2 <<>> aaaa test.schwer.us +norecurse @sonic.sonic.net
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38801
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;test.schwer.us.                        IN      AAAA

;; AUTHORITY SECTION:
schwer.us.              86400   IN      SOA     ns1.sonic.net. hostmaster.sonic.net. 2007021205 10800 3600 1209600 86400

;; Query time: 1 msec
;; SERVER: 208.201.224.9#53(208.201.224.9)
;; WHEN: Tue Feb 13 16:41:30 2007
;; MSG SIZE  rcvd: 92

AAAA lookup that is cached followed by incorrect response from cache:

[augie@augnix ~]$ dig aaaa test.schwer.us

; <<>> DiG 9.3.2 <<>> aaaa test.schwer.us
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33371
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;test.schwer.us.                        IN      AAAA

;; ANSWER SECTION:
test.schwer.us.         7200    IN      CNAME   www.schwer.us.
www.schwer.us.          7200    IN      CNAME   schwer.us.

;; AUTHORITY SECTION:
schwer.us.              7200    IN      SOA     ns1.sonic.net. hostmaster.sonic.net. 2007021302 10800 3600 1209600 86400

;; Query time: 151 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Feb 13 16:53:16 2007
;; MSG SIZE  rcvd: 124
[augie@augnix ~]$ dig a test.schwer.us

; <<>> DiG 9.3.2 <<>> a test.schwer.us
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32017
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 3, ADDITIONAL: 0

;; QUESTION SECTION:
;test.schwer.us.                        IN      A

;; ANSWER SECTION:
test.schwer.us.         7196    IN      CNAME   www.schwer.us.
www.schwer.us.          7196    IN      CNAME   schwer.us.
schwer.us.              7200    IN      A       208.201.227.139

;; AUTHORITY SECTION:
schwer.us.              7196    IN      NS      A.AUTH-NS.SONIC.NET.
schwer.us.              7196    IN      NS      B.AUTH-NS.SONIC.NET.
schwer.us.              7196    IN      NS      C.AUTH-NS.SONIC.NET.

;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Feb 13 16:53:20 2007
;; MSG SIZE  rcvd: 145

Change History

in reply to: ↑ description   Changed 7 years ago by anon

Replying to anon:

Along the same lines as #124, if PowerDNS does not have the query record, but does have a wild card for the domain, then it will give NOERROR and the wild card info. that it has.

This is in direct violation of the RFCs. Since the name exists (albeit with different RR types), the wildcard should not match.

RFC 1034, 4.3.3. "Wildcards":

Wildcard RRs do not apply: ...

  • When the query name or a name between the wildcard domain and the query name is know to exist.

And see RFC 4592 for a more formal description.
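The RFC 1034 4.3.3 rule quoted above, as an added example that is not part of the ticket and is not PowerDNS code: a small Python model of authoritative lookup over the ticket's zone, where the hypothetical `rfc_compliant=False` flag reproduces the reported behaviour. The dictionary layout and all function names are assumptions made for illustration.

```python
ORIGIN = "schwer.us."
# Constructed model of the zone file quoted in the ticket: owner -> type -> rdata.
ZONE = {
    "schwer.us.":      {"A": ["208.201.227.139"], "NS": ["a.auth-ns.sonic.net."]},
    "www.schwer.us.":  {"CNAME": ["schwer.us."]},
    "test.schwer.us.": {"A": ["208.201.227.139"]},
    "*.schwer.us.":    {"CNAME": ["www.schwer.us."]},
}

def name_exists(zone, name):
    """True if the name owns records or is an empty non-terminal."""
    return name in zone or any(owner.endswith("." + name) for owner in zone)

def closest_encloser(zone, origin, qname):
    """Nearest existing ancestor of qname (qname must lie below origin)."""
    name = qname.split(".", 1)[1]
    while name != origin and not name_exists(zone, name):
        name = name.split(".", 1)[1]
    return name

def lookup(zone, origin, qname, qtype, rfc_compliant=True, depth=0):
    """Return (rcode, answer); answer is a list of (owner, type, rdata)."""
    exists = name_exists(zone, qname)
    source = zone.get(qname, {})
    use_wildcard = not exists
    if not rfc_compliant and qname != origin:
        # Behaviour reported in the ticket: the name exists but lacks the
        # queried type, and the server falls back to the wildcard anyway.
        use_wildcard |= qtype not in source and "CNAME" not in source
    if use_wildcard:
        source = zone.get("*." + closest_encloser(zone, origin, qname))
        if source is None:
            return ("NOERROR" if exists else "NXDOMAIN"), []
    if qtype in source:
        return "NOERROR", [(qname, qtype, r) for r in source[qtype]]
    if "CNAME" in source and depth < 8:      # bounded CNAME chase
        target = source["CNAME"][0]
        rcode, rest = lookup(zone, origin, target, qtype, rfc_compliant, depth + 1)
        return rcode, [(qname, "CNAME", target)] + rest
    return "NOERROR", []                     # NODATA: name exists, type does not
```

With the default flag, an AAAA query for `test.schwer.us.` returns NOERROR with an empty answer, as in the BIND output above, and a query below an existing name such as `x.test.schwer.us.` returns NXDOMAIN because `test` blocks the wildcard.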

  Changed 7 years ago by anon

  • status changed from new to closed
  • resolution set to fixed

This is fixed in r1081.

follow-up: ↓ 4   Changed 6 years ago by anon

  • status changed from closed to reopened
  • resolution fixed deleted

This bug is back in 2.9.21.1:

*.usenetbinaries.com. 7200 IN CNAME www.usenetbinaries.com.

[augie@augnix ~]$ dig +norecurse aaaa admin.usenetbinaries.com @a.auth-ns.sonic.net +short
www.usenetbinaries.com.
usenetbinaries.com.

[augie@augnix ~]$ dig +norecurse a admin.usenetbinaries.com @a.auth-ns.sonic.net +short
208.201.228.99

If you run a caching name server locally and the resolver routine asks for an AAAA first, you will cache the incorrect wild-card answer.

in reply to: ↑ 3   Changed 6 years ago by anon

  • status changed from reopened to closed
  • resolution set to invalid

Oops, I mistakenly thought that 2.9.21.1 was the latest out of SVN, but it's just a re-release of 2.9.21 with a specific fix, so my previous bug re-opening this is invalid.

  Changed 6 years ago by anon

  • status changed from closed to reopened
  • resolution invalid deleted
  • severity changed from normal to major

I've run into an error (found out the hard way *sigh*) - and it seems to have been the problem described here, which has been fixed for more than a year but hasn't had any release afterwards :-( Looks like quite a grave bug to me. Any chance to get an update released?

  Changed 5 years ago by ahu

  • priority changed from normal to highest
  • component changed from component1 to auth

  Changed 3 years ago by peter

  • status changed from reopened to closed
  • resolution set to fixed

Behaviour in current SVN head (r2296) appears correct. Closing as fixed.
