PowerDNS offers wild card info. when it is not queried for. #125

Closed
Habbie opened this Issue Apr 26, 2013 · 6 comments


@Habbie
Member
Habbie commented Apr 26, 2013

Along the same lines as #124 if PowerDNS does not have the query record, but does have a wild card for the domain, then it will give NOERROR and the wild card info. that it has.

This gives incorrect answers to clients that may first request an AAAA record, which may be cached locally and then used to incorrectly answer a later A record query.

The BIND zone file looks like this:

$TTL 7200
$ORIGIN schwer.us.
@               IN      SOA     ns1.sonic.net.  hostmaster.sonic.net.   (
                2007021205      ;serial
                10800           ;refresh
                3600            ;retry
                1209600         ;expire
                86400 )         ;TTL
                IN      TXT     "v=spf1 include:mail.sonic.net -all"
                IN      A       208.201.227.139
                IN      NS      a.auth-ns.sonic.net.
                IN      NS      b.auth-ns.sonic.net.
                IN      NS      c.auth-ns.sonic.net.
                IN      MX      10 mailin-01.mx.sonic.net.
                IN      MX      10 mailin-02.mx.sonic.net.
www             IN      CNAME   schwer.us.
test            IN      A       208.201.227.139
*               IN      CNAME   www

Querying PowerDNS:

[augie@augnix ~]$ dig aaaa test.schwer.us +norecurse @pdns-lab.sr.sonic.net

; <<>> DiG 9.3.2 <<>> aaaa test.schwer.us +norecurse @pdns-lab.sr.sonic.net
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41356
;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;test.schwer.us.                        IN      AAAA

;; ANSWER SECTION:
test.schwer.us.         7200    IN      CNAME   www.schwer.us.
www.schwer.us.          7200    IN      CNAME   schwer.us.

;; AUTHORITY SECTION:
schwer.us.              7200    IN      SOA     ns1.sonic.net. hostmaster.sonic.net. 2007021205 10800 3600 1209600 86400

;; Query time: 10 msec
;; SERVER: 64.142.100.91#53(64.142.100.91)
;; WHEN: Tue Feb 13 16:37:06 2007
;; MSG SIZE  rcvd: 133

Querying BIND:

[augie@augnix ~]$ dig aaaa test.schwer.us +norecurse @sonic.sonic.net

; <<>> DiG 9.3.2 <<>> aaaa test.schwer.us +norecurse @sonic.sonic.net
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38801
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;test.schwer.us.                        IN      AAAA

;; AUTHORITY SECTION:
schwer.us.              86400   IN      SOA     ns1.sonic.net. hostmaster.sonic.net. 2007021205 10800 3600 1209600 86400

;; Query time: 1 msec
;; SERVER: 208.201.224.9#53(208.201.224.9)
;; WHEN: Tue Feb 13 16:41:30 2007
;; MSG SIZE  rcvd: 92

AAAA lookup that is cached followed by incorrect response from cache:

[augie@augnix ~]$ dig aaaa test.schwer.us

; <<>> DiG 9.3.2 <<>> aaaa test.schwer.us
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33371
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;test.schwer.us.                        IN      AAAA

;; ANSWER SECTION:
test.schwer.us.         7200    IN      CNAME   www.schwer.us.
www.schwer.us.          7200    IN      CNAME   schwer.us.

;; AUTHORITY SECTION:
schwer.us.              7200    IN      SOA     ns1.sonic.net. hostmaster.sonic.net. 2007021302 10800 3600 1209600 86400

;; Query time: 151 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Feb 13 16:53:16 2007
;; MSG SIZE  rcvd: 124

[augie@augnix ~]$ dig a test.schwer.us

; <<>> DiG 9.3.2 <<>> a test.schwer.us
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32017
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 3, ADDITIONAL: 0

;; QUESTION SECTION:
;test.schwer.us.                        IN      A

;; ANSWER SECTION:
test.schwer.us.         7196    IN      CNAME   www.schwer.us.
www.schwer.us.          7196    IN      CNAME   schwer.us.
schwer.us.              7200    IN      A       208.201.227.139

;; AUTHORITY SECTION:
schwer.us.              7196    IN      NS      A.AUTH-NS.SONIC.NET.
schwer.us.              7196    IN      NS      B.AUTH-NS.SONIC.NET.
schwer.us.              7196    IN      NS      C.AUTH-NS.SONIC.NET.

;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Feb 13 16:53:20 2007
;; MSG SIZE  rcvd: 145
@Habbie Habbie was assigned Apr 26, 2013
@Habbie Habbie closed this Apr 26, 2013
@Habbie
Member
Habbie commented Apr 26, 2013

Author: anon
Replying to [ticket:125 anon]:

Along the same lines as #124 if PowerDNS does not have the query record, but does have
a wild card for the domain, then it will give NOERROR and the wild card info. that it has.

This is in direct violation of the RFCs. Since the name exists (albeit with different RR types), the wildcard should not match.

RFC 1034, 4.3.3. "Wildcards":

Wildcard RRs do not apply:
...

  • When the query name or a name between the wildcard domain and
    the query name is know to exist.

And see RFC 4592 for a more formal description.
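
The rule quoted from RFC 1034 section 4.3.3 above, worked through on the zone from this issue (added example, not part of the thread and not PowerDNS code). The function names and the `rfc_compliant` switch are hypothetical, the apex SOA/TXT/NS/MX records are left out, and the closest-encloser step follows RFC 4592, which goes slightly beyond the single case reported here.

```python
# Constructed from the zone file quoted in the issue (owner names made absolute,
# apex SOA/TXT/NS/MX omitted for brevity).
ORIGIN = "schwer.us."
ZONE = {
    "schwer.us.": {"A": ["208.201.227.139"]},
    "www.schwer.us.": {"CNAME": ["schwer.us."]},
    "test.schwer.us.": {"A": ["208.201.227.139"]},
    "*.schwer.us.": {"CNAME": ["www.schwer.us."]},
}

def in_zone(name, origin):
    return name == origin or name.endswith("." + origin)

def name_exists(zone, name):
    """True if name owns records or is an ancestor of an owner (empty non-terminal)."""
    return any(o == name or o.endswith("." + name) for o in zone)

def wildcard_for(zone, origin, name):
    """RRsets at '*.<closest encloser>' (RFC 4592), or {} if there is no such wildcard."""
    labels = name.split(".")
    for i in range(1, len(labels) - 1):
        encloser = ".".join(labels[i:])
        if not in_zone(encloser, origin):
            break
        if name_exists(zone, encloser):        # closest existing ancestor
            return zone.get("*." + encloser, {})
    return {}

def lookup(zone, origin, qname, qtype, rfc_compliant=True):
    """Answer an in-zone query; rfc_compliant=False reproduces the reported behaviour."""
    answer, name = [], qname.lower()
    for _ in range(8):                         # bound CNAME chains
        rrsets = zone.get(name, {})
        exists = name_exists(zone, name)
        if qtype not in rrsets and "CNAME" not in rrsets:
            # RFC 1034 4.3.3: wildcards do not apply when the name is known to exist.
            if not (rfc_compliant and exists):
                rrsets = wildcard_for(zone, origin, name)
                exists = exists or bool(rrsets)
        if qtype in rrsets:
            answer += [(name, qtype, r) for r in rrsets[qtype]]
            return "NOERROR", answer
        if "CNAME" not in rrsets:              # NODATA, or NXDOMAIN for an absent in-zone name
            absent = in_zone(name, origin) and not exists
            return ("NXDOMAIN" if absent else "NOERROR"), answer
        answer.append((name, "CNAME", rrsets["CNAME"][0]))
        name = rrsets["CNAME"][0]
    return "SERVFAIL", answer
```

With `rfc_compliant=False` the AAAA query for `test.schwer.us.` returns the two CNAME records seen in the PowerDNS output; with the default it returns the empty NOERROR (NODATA) answer that BIND gave.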

@Habbie
Member
Habbie commented Apr 26, 2013

Author: anon
This is fixed in r1081.

@Habbie
Member
Habbie commented Apr 26, 2013

Author: anon
This bug is back in 2.9.21.1:

*.usenetbinaries.com. 7200 IN CNAME www.usenetbinaries.com.

[augie@augnix ~]$ dig +norecurse aaaa admin.usenetbinaries.com @a.auth-ns.sonic.net +short

www.usenetbinaries.com.

usenetbinaries.com.

[augie@augnix ~]$ dig +norecurse a admin.usenetbinaries.com @a.auth-ns.sonic.net +short

208.201.228.99

If you run a caching name server locally and the resolver routine asks for an AAAA first, you will cache the incorrect wild-card answer.

@Habbie
Member
Habbie commented Apr 26, 2013

Author: anon
Oops, I mistakenly thought that 2.9.21.1 was the latest out of SVN, but it's just a re-release of 2.9.21 with a specific fix, so my previous bug re-opening this is invalid.

@Habbie
Member
Habbie commented Apr 26, 2013

Author: anon
I've run into an error (found out the hard way, sigh) - and it seems to have been the problem described here, which has been fixed for more than a year but hasn't had any release since :-( Looks like quite a grave bug to me. Any chance of getting an update released?

@Habbie
Member
Habbie commented Apr 26, 2013

Author: peter
Behaviour in current SVN head (r2296) appears correct. Closing as fixed.
