Bug 759

Summary: CISCO DNS guard PTR 0x20 lowercasing
Product: unbound
Reporter: Wolfgang Breyha <wbreyha>
Component: server
Assignee: unbound team <unbound-team>
Severity: enhancement
CC: cathya, wouter
Priority: P5
Version: 1.5.8
Hardware: x86_64
OS: Linux

Description Wolfgang Breyha 2016-04-27 11:46:32 CEST
This is not a direct unbound bug, but maybe you can take care of/work around this CISCO bug...

If a CISCO ASA/PIX... with active "DNS guard" *sigh* is in between DNS client and server while the client uses Draft 0x20 camelcasing, the CISCO device lowercases all .iN-AdDr.ArPa PTR requests (at least; maybe answers as well). And *only* PTR. Usual A RR lookups work as expected, which makes detection and debugging of the problem a "worst case scenario".

After the legendary "SMTP fixups" this is another major fail.

Even if CISCO fixes this anytime soon (what is unlikely IMVHO) it will take ages until most devices are fixed.

If unbound can implement a workaround for it maybe with notification to the logfile this would help detecting such devices.

Currently if unbound is the client and has 
use-caps-for-id: yes
active, most of the PTR lookups result in SERVFAIL, because unbound does not accept the lowercased response.

We'll try to make CISCO aware of this bug as well, but...

PS: We did not check .ip6.arpa before disabling DNS guard.

Comment 1 Wouter Wijngaards 2016-04-28 09:25:34 CEST
Hi Wolfgang,

Implemented fix, for type PTR it does not check 0x20 match if 0x20 is enabled.  That should reduce the number of false 0x20 failures.

Best regards, Wouter
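The following is an added worked example, not code from unbound or from either poster. It models the interaction described in the report and in comment 1: a resolver applies 0x20 case randomization to the question name (as `use-caps-for-id: yes` does), a constructed middlebox lowercases PTR questions under in-addr.arpa and nothing else, and the resolver's response check either enforces the exact-case match for every type (the behaviour before the fix, which ends in SERVFAIL for the affected PTR lookups) or exempts PTR (the fix). The `check_response` function, its `ptr_exempt` flag, the `dns_guard_middlebox` model and the sample names are all assumptions made for illustration; unbound's real code does not have this shape. The "lowercased-ptr" reason shows where a resolver could emit the log notification the reporter asked for when a PTR answer comes back all-lowercase despite the mixed-case question.

```python
"""Added example: 0x20 case randomization, a lowercasing middlebox, and the
resolver-side check with and without the PTR exemption from comment 1.
None of this is unbound's own code; every name below is a constructed sample.
"""
import random

QTYPE_A = 1      # RR type numbers from RFC 1035
QTYPE_PTR = 12


def apply_0x20(qname: str, seed=None) -> str:
    """Randomize the case of each ASCII letter in qname (draft-vixie-dnsext-dns0x20).
    The random case is extra entropy: an answer must echo the question with the
    same case to be accepted, which makes blind spoofing harder."""
    rng = random.Random(seed)
    return "".join(
        c.upper() if c.isalpha() and rng.random() < 0.5 else c.lower()
        for c in qname
    )


def dns_guard_middlebox(qname: str, qtype: int) -> str:
    """Constructed model of the device behaviour in the report: PTR questions
    under in-addr.arpa are lowercased, every other query passes unchanged.
    (The report did not check ip6.arpa, so that tree is left alone here.)"""
    if qtype == QTYPE_PTR and qname.lower().endswith(".in-addr.arpa."):
        return qname.lower()
    return qname


def check_response(sent_qname: str, qtype: int, echoed_qname: str,
                   use_caps_for_id: bool = True, ptr_exempt: bool = True):
    """Decide whether the resolver accepts the echoed question section.

    Returns (accepted, reason). ptr_exempt=False models enforcing 0x20 for
    every type (the situation in the report); ptr_exempt=True models the fix
    in comment 1, where type PTR skips the 0x20 match. A "lowercased-ptr"
    result is the natural place to log a suspected case-mangling middlebox.
    """
    if sent_qname.lower() != echoed_qname.lower():
        return False, "qname-mismatch"       # a different name entirely: drop
    if not use_caps_for_id:
        return True, "ok"                    # 0x20 disabled, case is irrelevant
    if sent_qname == echoed_qname:
        return True, "ok"                    # case preserved, 0x20 satisfied
    if qtype == QTYPE_PTR and ptr_exempt:
        if echoed_qname == echoed_qname.lower():
            return True, "lowercased-ptr"    # accept, but worth a log line
        return True, "ptr-case-changed"      # accept; PTR is exempt from 0x20
    return False, "0x20-mismatch"            # rejected; repeated failures end in SERVFAIL


def demo():
    """Run the three scenarios from the report through the middlebox model."""
    ptr_q = apply_0x20("4.3.2.1.in-addr.arpa.", seed=20160427)  # constructed sample
    a_q = apply_0x20("www.example.com.", seed=20160428)         # constructed sample
    results = {}
    for label, q, t, exempt in [
        ("ptr-before-fix", ptr_q, QTYPE_PTR, False),
        ("ptr-after-fix", ptr_q, QTYPE_PTR, True),
        ("a-record", a_q, QTYPE_A, True),
    ]:
        echoed = dns_guard_middlebox(q, t)
        results[label] = check_response(q, t, echoed, ptr_exempt=exempt)
    return results


if __name__ == "__main__":
    for label, (accepted, reason) in demo().items():
        print(f"{label:16s} accepted={accepted} reason={reason}")
```

Running `demo()` shows the asymmetry the reporter describes: the A lookup is accepted unchanged by the middlebox, while the same 0x20-randomized PTR question is rejected under strict checking and accepted, with a loggable reason, once PTR is exempt. The trade-off of the fix is also visible in the code: with `ptr_exempt=True`, PTR answers no longer get the extra anti-spoofing entropy that 0x20 provides, so they fall back to the transaction ID and source port alone.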