New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

API allows OPT RRsets to be created #6441

Closed
peterthomassen opened this Issue Apr 3, 2018 · 2 comments

Comments

Projects
None yet
4 participants
@peterthomassen
Contributor

peterthomassen commented Apr 3, 2018

  • Program: Authoritative
  • Issue type: Bug report

Short description

PowerDNS allows the creation of OPT RRsets via the API (and supposedly via AXFR), which then end up in the records table, although OPT is not a valid RRset type.

As a consequence, other functionality breaks down. I have tested this only with a DNSSEC-enabled domain whose AXFR used to have 173 lines; the AXFR length is now wildly varying. I got the following sequence of line numbers using dig | wc -l: 122, 98, 86, 168, 127, 134, 87, 98

Environment

  • Operating system: Linux
  • Software version: 4.1.1
  • Software source: PowerDNS repository

Steps to reproduce

  1. Create an OPT RRset via the API (or, presumably, by hand in the database, or by incoming AXFR). It may be required to have DNSSEC enabled.
  2. Compare AXFR before and after

Expected behaviour

When an OPT RRset comes in via API, it should not be created (invalid type error).
The same should happen for OPT in an incoming AXFR.

Actual behaviour

OPT RRset is created, resulting in issues e.g. with AXFR

Other information

Whether record creation succeeds depends on the record content. 9999 is a working example.

Error examples:

  • BIO_read failed to read all data from memory buffer is caused by content 9.
  • All data was not consumed seems to appear when the content begins with ".

peterthomassen added a commit to desec-io/desec-stack that referenced this issue Apr 3, 2018

fix(api): disallow tinkering with OPT RRset
OPT is a reserved record type with special meaning and is not supposed
to exist in a zone. Currently, if an OPT RRset is created, the zone may
break.

Until PowerDNS ensures that RRsets of type OPT cannot created, let's
make sure on this level.

PowerDNS issue: PowerDNS/pdns#6441
@zeha

This comment has been minimized.

Collaborator

zeha commented Apr 3, 2018

The BIO_read thing is extra weird. Can you show us the full request body for that?

@peterthomassen

This comment has been minimized.

Contributor

peterthomassen commented Apr 3, 2018

{"rrsets": [{"name": "opt4.asfewrjoiw.dedyn.io.", "type": "OPT", "ttl": 32, "changetype": "REPLACE", "records": [{"content": "9", "disabled": false}]}]}

peterthomassen added a commit to desec-io/desec-stack that referenced this issue Apr 3, 2018

fix(api): disallow tinkering with OPT RRset
OPT is a reserved record type with special meaning and is not supposed
to exist in a zone. Currently, if an OPT RRset is created, the zone may
break.

Until PowerDNS ensures that RRsets of type OPT cannot created, let's
make sure on this level.

PowerDNS issue: PowerDNS/pdns#6441

peterthomassen added a commit to desec-io/desec-stack that referenced this issue Apr 3, 2018

fix(api): disallow tinkering with OPT RRset
OPT is a reserved record type with special meaning and is not supposed
to exist in a zone. Currently, if an OPT RRset is created, the zone may
break.

Until PowerDNS ensures that RRsets of type OPT cannot created, let's
make sure on this level.

PowerDNS issue: PowerDNS/pdns#6441

peterthomassen added a commit to desec-io/desec-stack that referenced this issue Apr 4, 2018

fix(api): disallow tinkering with OPT RRset
OPT is a reserved record type with special meaning and is not supposed
to exist in a zone. Currently, if an OPT RRset is created, the zone may
break.

Until PowerDNS ensures that RRsets of type OPT cannot created, let's
make sure on this level.

PowerDNS issue: PowerDNS/pdns#6441

peterthomassen added a commit to desec-io/desec-stack that referenced this issue Apr 4, 2018

fix(api): disallow tinkering with OPT RRset
OPT is a reserved record type with special meaning and is not supposed
to exist in a zone. Currently, if an OPT RRset is created, the zone may
break.

Until PowerDNS ensures that RRsets of type OPT cannot created, let's
make sure on this level.

PowerDNS issue: PowerDNS/pdns#6441

peterthomassen added a commit to desec-io/desec-stack that referenced this issue Apr 11, 2018

fix(api): disallow tinkering with OPT RRset
OPT is a reserved record type with special meaning and is not supposed
to exist in a zone. Currently, if an OPT RRset is created, the zone may
break.

Until PowerDNS ensures that RRsets of type OPT cannot created, let's
make sure on this level.

PowerDNS issue: PowerDNS/pdns#6441

peterthomassen added a commit to desec-io/desec-stack that referenced this issue Apr 11, 2018

fix(api): disallow tinkering with OPT RRset
OPT is a reserved record type with special meaning and is not supposed
to exist in a zone. Currently, if an OPT RRset is created, the zone may
break.

Until PowerDNS ensures that RRsets of type OPT cannot created, let's
make sure on this level.

PowerDNS issue: PowerDNS/pdns#6441

peterthomassen added a commit to desec-io/desec-stack that referenced this issue Apr 11, 2018

fix(api): disallow tinkering with OPT RRset
OPT is a reserved record type with special meaning and is not supposed
to exist in a zone. Currently, if an OPT RRset is created, the zone may
break.

Until PowerDNS ensures that RRsets of type OPT cannot created, let's
make sure on this level.

PowerDNS issue: PowerDNS/pdns#6441

peterthomassen added a commit to desec-io/desec-stack that referenced this issue Apr 11, 2018

fix(api): disallow tinkering with OPT RRset
OPT is a reserved record type with special meaning and is not supposed
to exist in a zone. Currently, if an OPT RRset is created, the zone may
break.

Until PowerDNS ensures that RRsets of type OPT cannot created, let's
make sure on this level.

PowerDNS issue: PowerDNS/pdns#6441

peterthomassen added a commit to desec-io/desec-stack that referenced this issue Apr 11, 2018

fix(api): disallow tinkering with OPT RRset
OPT is a reserved record type with special meaning and is not supposed
to exist in a zone. Currently, if an OPT RRset is created, the zone may
break.

Until PowerDNS ensures that RRsets of type OPT cannot created, let's
make sure on this level.

PowerDNS issue: PowerDNS/pdns#6441

peterthomassen added a commit to desec-io/desec-stack that referenced this issue Apr 11, 2018

fix(api): disallow tinkering with OPT RRset
OPT is a reserved record type with special meaning and is not supposed
to exist in a zone. Currently, if an OPT RRset is created, the zone may
break.

Until PowerDNS ensures that RRsets of type OPT cannot created, let's
make sure on this level.

PowerDNS issue: PowerDNS/pdns#6441

peterthomassen added a commit to desec-io/desec-stack that referenced this issue Apr 13, 2018

fix(api): disallow tinkering with OPT RRset
OPT is a reserved record type with special meaning and is not supposed
to exist in a zone. Currently, if an OPT RRset is created, the zone may
break.

Until PowerDNS ensures that RRsets of type OPT cannot created, let's
make sure on this level.

PowerDNS issue: PowerDNS/pdns#6441

peterthomassen added a commit to desec-io/desec-stack that referenced this issue Apr 19, 2018

fix(api): disallow tinkering with OPT RRset
OPT is a reserved record type with special meaning and is not supposed
to exist in a zone. Currently, if an OPT RRset is created, the zone may
break.

Until PowerDNS ensures that RRsets of type OPT cannot created, let's
make sure on this level.

PowerDNS issue: PowerDNS/pdns#6441

peterthomassen added a commit to desec-io/desec-stack that referenced this issue May 3, 2018

fix(api): disallow tinkering with OPT RRset
OPT is a reserved record type with special meaning and is not supposed
to exist in a zone. Currently, if an OPT RRset is created, the zone may
break.

Until PowerDNS ensures that RRsets of type OPT cannot created, let's
make sure on this level.

PowerDNS issue: PowerDNS/pdns#6441

peterthomassen added a commit to desec-io/desec-stack that referenced this issue May 3, 2018

fix(api): disallow tinkering with OPT RRset
OPT is a reserved record type with special meaning and is not supposed
to exist in a zone. Currently, if an OPT RRset is created, the zone may
break.

Until PowerDNS ensures that RRsets of type OPT cannot created, let's
make sure on this level.

PowerDNS issue: PowerDNS/pdns#6441
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment