TLSA answer section incorrectly repeats domain twice. #59

Closed
jeffersoncarpenter opened this Issue Jan 6, 2018 · 0 comments

jeffersoncarpenter commented Jan 6, 2018

My name (d/aoeu2code) has the following JSON value:

{
  "map": {
    "ns": {
      "ns": "ns.aoeu2code.com."
    },
    "www": {
      "alias": "ns",
      "map": {
        "_tcp": {
          "map": {
            "_443": {
              "tls":[{
                "d8":[
                  1,
                  "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAERPI4mIroqmBLHEQv/IKRixtlQjb32z8bvrNNIzXSxZaIHUysnk6ZDvPygIr22L6jjgQ2b7XIdotr8TPDXDruKQ==",
                  4944096,
                  5259456,
                  10,
                  "MEYCIQDBZlVZiM/qYdxcQ6DcFhoQDBlFOjMXBDBz8UB4mXzNAwIhAM/d5xSLf9Pj1HaZ5DMD+NZJCuh+C8JIYJDo6yljgsyw"
                ]
              }]
            }
          }
        }
      }
    }
  }
}

So basically, I've got a ns subdomain that just points to my nameserver, and the www subdomain CNAMEs over to the ns subdomain, while including the TLSA info under _443._tcp.

The problem is:

$ dig _443._tcp.www.aoeu2code.bit. TLSA @127.0.0.1 -p 5300

; <<>> DiG 9.10.3-P4-Debian <<>> _443._tcp.www.aoeu2code.bit. TLSA @127.0.0.1 -p 5300
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51574
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;_443._tcp.www.aoeu2code.bit.	IN	TLSA

;; ANSWER SECTION:
_443._tcp.www.aoeu2code.bit._443._tcp.www.aoeu2code.bit. 600 IN	TLSA 3 0 0 308201D63082017BA003020102021351CA8DE71E424851913274603F BBB669E26CE2300A06082A8648CE3D0403023040311B301906035504 0313127777772E616F657532636F64652E6269742E3121301F060355 040513184E616D65636F696E20544C53204365727469666963617465 301E170D3137303130313030303030305A170D323030313031303030 3030305A3040311B3019060355040313127777772E616F657532636F 64652E6269742E3121301F060355040513184E616D65636F696E2054 4C532043657274696669636174653059301306072A8648CE3D020106 082A8648CE3D0301070342000444F238988AE8AA604B1C442FFC8291 8B1B654236F7DB3F1BBEB34D2335D2C596881D4CAC9E4E990EF3F280 8AF6D8BEA38E04366FB5C8768B6BF133C35C3AEE29A3543052300E06 03551D0F0101FF04040302078030130603551D25040C300A06082B06 010505070301300C0603551D130101FF04023000301D0603551D1104 16301482127777772E616F657532636F64652E6269742E300A06082A 8648CE3D0403020349003046022100C166555988CFEA61DC5C43A0DC 161A100C19453A3317043073F14078997CCD03022100CFDDE7148B7F D3E3D47699E43303F8D6490AE87E0BC2486090E8EB296382CCB0

;; Query time: 3 msec
;; SERVER: 127.0.0.1#5300(127.0.0.1)
;; WHEN: Sat Jan 06 15:43:38 CST 2018
;; MSG SIZE  rcvd: 573

In other words, NCDNS reports the TLSA record as belonging to _443._tcp.www.aoeu2code.bit._443._tcp.www.aoeu2code.bit. - even though the domain that was queried for is _443._tcp.www.aoeu2code.bit..

I did go (ha) ahead and comment out h.Name += suffix and h.Name = suffix at the end of func (v *Value) RRs in convert.go, which fixed this problem for me.
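
A small regression check for the symptom reported above, as an added example that is not part of the original issue or of the ncdns code base: it compares the owner name of each dig-style answer line with the queried name and flags the doubled form. The function names and the sample answer lines (with placeholder RDATA) are constructed for illustration, and the check assumes the answer contains no CNAME chain.

```go
package main

import (
	"fmt"
	"strings"
)

// canon lower-cases a DNS name and ensures it ends with a dot.
func canon(name string) string {
	name = strings.ToLower(strings.TrimSpace(name))
	if !strings.HasSuffix(name, ".") {
		name += "."
	}
	return name
}

// CheckOwners returns one finding per answer record whose owner name differs
// from the queried name. CNAME chains are not followed (assumption).
func CheckOwners(qname string, answerLines []string) []string {
	q := canon(qname)
	var findings []string
	for _, line := range answerLines {
		fields := strings.Fields(line)
		// Skip blanks, dig comment lines (";...") and anything shorter than
		// "owner ttl class type".
		if len(fields) < 4 || strings.HasPrefix(fields[0], ";") {
			continue
		}
		owner := canon(fields[0])
		switch {
		case owner == q: // owner matches the question: nothing to report
		case owner == q+q:
			findings = append(findings, "duplicated owner name: "+owner)
		default:
			findings = append(findings, "owner mismatch: "+owner)
		}
	}
	return findings
}

func main() {
	q := "_443._tcp.www.aoeu2code.bit."
	// Constructed answer lines; the RDATA "3 0 0 00" is a placeholder.
	answers := []string{q + q + " 600 IN TLSA 3 0 0 00", q + " 600 IN TLSA 3 0 0 00"}
	for _, f := range CheckOwners(q, answers) {
		fmt.Println(f)
	}
}
```

A record served under the doubled name does not answer the question that was asked, so a resolver or DANE client looking up `_443._tcp.www.aoeu2code.bit.` has no TLSA data to pin against.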

JeremyRand added a commit that referenced this issue Mar 28, 2018

Merge #60: Fix rehydrated TLSA records served over DNS
dba4ce7 Fix erroneous duplication of domain name in TLSA records served over DNS. (JeremyRand)
cb6bcea Fix erroneous trailing period in x509 certificates served over DNS. (JeremyRand)

Pull request description:

  Fixes #59, as well as a different bug that broke the same functionality as #59.

Tree-SHA512: 54b2aba1368bf0c19735e773453141be40cd8fb7403b69932c21a60ed5d8b6cce255b61a756fb1745a338901bbc5d86e26387d1375216e6a88b691d3ae25e4d3