Bug 302 - nsd accepts invalid zone over AXFR; nsdc patch/rebuild subsequently fails
nsd accepts invalid zone over AXFR; nsdc patch/rebuild subsequently fails
Status: RESOLVED FIXED
Product: NSD
Classification: Unclassified
Component: NSD Code
3.2.x
All All
: P2 normal
Assigned To: NSD team
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2010-03-22 19:09 CET by Erik Romijn
Modified: 2011-03-25 09:07 CET (History)
1 user (show)

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Erik Romijn 2010-03-22 19:09:17 CET
BASIC DESCRIPTION

If NSD is set up as slave, and receives a zone with invalid records, it will accept it.
However, a subsequent `nsdc patch` will write the invalid records to a zone file. Any `nsdc rebuild` will then fail because the zone file contains invalid records.

This is a problem where the master is e.g. a tinydns server. Tinydns does not do syntax checking, so it is possible for an operator to add invalid records. The NSD slave will be able to host the zone, but after running a patch, all rebuilds will fail until the offending zone file is removed. So, it will no longer be possible to even update a completely unrelated zone.


HOW TO REPRODUCE

Add something like this snippet to an NSD server:
        zone:
                name: "example.com"
                zonefile: "example.com.zone"
                allow-notify: 127.0.0.1 NOKEY
                allow-notify: 89.188.0.34 NOKEY
                request-xfr: AXFR 89.188.0.34 NOKEY

That server runs tinydns with a very small zone named example.com. It has an MX and a CNAME record for "invalid.example.com", which is clearly not allowed.

After reloading and waiting for the zone transfer, the NSD instance should be authoritative for the zone, like any other slave zone.

Then, run `nsdc patch`, and it will choke on the invalid record, which was written to the zone file. An `nsdc rebuild` will now also fail.


SUGGESTED FIX

NSD could:
- reject a secondary zone with invalid records, or
- skip saneness checking of zone files for secondary zones, or
- skip zones with invalid records in `nsdc patch`
Comment 1 Wouter Wijngaards 2010-03-23 14:11:23 CET
Hi,

Yes this is true.  There is no way for NSD to detect the trouble during the transfer itself (it could be a complicated IXFR).  We would change it from a fatal error to load these sorts of zones to a warning.

Best regards,  Wouter
Comment 2 Wouter Wijngaards 2011-03-25 09:07:54 CET
Hi Erik,

Bug is fixed, for slave zones they are warnings and not fatal errors for zonec.  This version is in svn under branches/NSD_3_2

Best regards, Wouter