Bug 553 - Nsd has problems in TXT record parser
Status: RESOLVED FIXED
Product: NSD
Classification: Unclassified
Component: NSD Code
Version: 4.0.x
Hardware: All Linux
Importance: P5 major
Assigned To: NSD team
Reported: 2014-02-08 22:02 CET by Pavel Odintsov
Modified: 2014-08-26 11:18 CEST

Attachments
Buggy domain zone (742 bytes, application/octet-stream)
2014-02-08 22:02 CET, Pavel Odintsov

Description Pavel Odintsov 2014-02-08 22:02:43 CET
Created attachment 248
Buggy domain zone

Hello, folks!

I found an interesting bug in NSD related to parsing TXT records generated for DKIM.

Please take a look at this fully valid zone:
cat  /etc/bind/testdkimdomain.org 
$TTL	3600
testdkimdomain.org.	IN	SOA	ns3.fastvps.ru. support.fastvps.ru. (2014020806 10800 3600 604800 86400)
testdkimdomain.org.	IN	NS	dns.fastdns24.com.
testdkimdomain.org.	IN	NS	ns2.fastvps.ru.
testdkimdomain.org.	IN	NS	ns3.fastvps.ru.
testdkimdomain.org.	IN	NS	ns4.fastvps.ru.
testdkimdomain.org.	IN	MX	10 mail
testdkimdomain.org.	IN	A	78.47.76.4
mail	IN	A	78.47.76.4
www	IN	A	78.47.76.4
mail	IN	TXT     ("v=DKIM1; k=rsa; g=*; s=email; h=sha1; t=s; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC33ewKxBZARSAPbT96IpW/k3DgdNuFEb896eIf80HcVxWw+w2G+1sQcUjxWUSGp6yTTMEls6n7tthixidyRiE/aWOy3ic/K+927PuCy0M1ZX2QY8gVmOHJbYT3qBQ8toQrvGIer8fQqqJIzO/ATVbHxX8B/z0PsmGI2xxqCyXkOw""IDAQAB;")

This zone is fully valid (http://www.zytrax.com/books/dns/ch8/txt.html) and the BIND check zone tool shows excellent results:
named-checkzone testdkimdomain.org  /etc/bind/testdkimdomain.org 
zone testdkimdomain.org/IN: loaded serial 2014020806
OK

But NSD 4.0.0 can't load this zone:
[1391893267] nsd[25987]: error: testdkimdomain.org:11: syntax error
[1391893267] nsd[25987]: error: zone testdkimdomain.org file testdkimdomain.org read with 1 errors

Please fix this bug :)
Comment 1 Pavel Odintsov 2014-02-08 22:25:01 CET
I tried to reproduce this bug with upstream version 4.0.1 (from Debian Jessie) with success:

[1391894621] nsd[387]: error: testdkimdomain.org:11: syntax error
[1391894621] nsd[387]: error: zone testdkimdomain.org file testdkimdomain.org read with 1 errors


If you need any additional information I can provide it with pleasure.
Comment 2 Matthijs Mekking 2014-02-10 16:10:16 CET
Hi, 

We have seen the same report on our user list. NSD expects whitespace between two strings. We are working on a fix. In the meantime, you can use a workaround:

Escape the '"' characters or add whitespace between the quotes, depending on what is actually meant.
Comment 3 Pavel Odintsov 2014-02-10 16:13:56 CET
Thank you for a fast reply :) I will check this workaround.
Comment 4 Pavel Odintsov 2014-03-18 13:35:58 CET
Hello!

Any news about this bug? :(
Comment 5 Pavel Odintsov 2014-03-18 13:55:35 CET
I checked the latest release, NSD 4.0.3, and this bug still exists.
Comment 6 Matthijs Mekking 2014-03-18 15:25:56 CET
Hi Pavel,

We are still working on it. In trunk and the 3.2 branch there is at least code that works for your use case, but the parsing code still has some shift/reduce issues. We are trying to resolve these before we put this in a release.

Best regards,
  Matthijs
Comment 7 Sergei Mamonov 2014-06-05 07:10:23 CEST
Any news about this bug?
It seems to be fixed in nsd 4 from trunk.

nsd -v
NSD version 4.0.4

nsd-checkzone testdkimdomain.org /etc/nsd/testdkimdomain.org 
zone testdkimdomain.org is ok

dig @localhost mail.testdkimdomain.org txt

; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> @localhost mail.testdkimdomain.org txt
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25536
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;mail.testdkimdomain.org.	IN	TXT

;; ANSWER SECTION:
mail.testdkimdomain.org. 3600	IN	TXT	"v=DKIM1\; k=rsa\; g=*\; s=email\; h=sha1\; t=s\; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC33ewKxBZARSAPbT96IpW/k3DgdNuFEb896eIf80HcVxWw+w2G+1sQcUjxWUSGp6yTTMEls6n7tthixidyRiE/aWOy3ic/K+927PuCy0M1ZX2QY8gVmOHJbYT3qBQ8toQrvGIer8fQqqJIzO/ATVbHxX8B/z0PsmGI2xxqCyXkOw" "IDAQAB\;"

;; AUTHORITY SECTION:
testdkimdomain.org.	3600	IN	NS	dns.fastdns24.com.
testdkimdomain.org.	3600	IN	NS	ns2.fastvps.ru.
testdkimdomain.org.	3600	IN	NS	ns3.fastvps.ru.
testdkimdomain.org.	3600	IN	NS	ns4.fastvps.ru.

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Jun  5 09:09:27 2014
;; MSG SIZE  rcvd: 412
Comment 8 Matthijs Mekking 2014-06-10 09:13:55 CEST
It is fixed in both branches, but the shift/reduce conflicts remain in both versions.
Comment 9 Matthijs Mekking 2014-06-17 10:17:11 CEST
We have found the cause for the shift/reduce conflicts.
Comment 10 Sergei Mamonov 2014-08-24 02:51:38 CEST
It is broken again =(

nsd -v
NSD version 4.1.0

nsd-checkzone testdkimdomain.org  /etc/nsd/testdkimdomain.org
[2014-08-24 04:48:26.524] nsd-checkzone[5088]: error: /etc/nsd/testdkimdomain.org:11: syntax error
zone testdkimdomain.org file /etc/nsd/testdkimdomain.org has 1 errors
Comment 11 Wouter Wijngaards 2014-08-25 09:34:45 CEST
Hi Sergei,

There were a number of changes to the parser, and this did fix a number of bugs, but it did not make the record you complained about parse!

What we need to parse it is a space between the "a" "b" quoted elements, like this:

mail	IN	TXT     ("v=DKIM1; k=rsa; g=*; s=email; h=sha1; t=s; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC33ewKxBZARSAPbT96IpW/k3DgdNuFEb896eIf80HcVxWw+w2G+1sQcUjxWUSGp6yTTMEls6n7tthixidyRiE/aWOy3ic/K+927PuCy0M1ZX2QY8gVmOHJbYT3qBQ8toQrvGIer8fQqqJIzO/ATVbHxX8B/z0PsmGI2xxqCyXkOw" "IDAQAB;")

So, there is a space before "IDAQAB;".

These fixes mean we can parse zones like in the link you gave (http://www.zytrax.com/books/dns/ch8/txt.html).
Note that that page includes spaces between the quoted elements, which is what we require.

So, BIND accepts this, but I do not think there is an actual specification demanding that we be able to parse this (could not find it in RFC1034-1035).  It is also ugly.  Is it possible for you to fix the zone input here, or the thing that generated that input?  It would take pretty major surgery to make NSD parse this format (without bugs in the parser).

Best regards,
   Wouter
Comment 12 Sergei Mamonov 2014-08-26 03:32:01 CEST
It has another problem.
If a TXT record is longer than 256 symbols, then ispmanager splits it into two blocks:
"256 symbols""remaining part of string"

If we only remove the pair of quotes, we get an error:
[2014-08-26 04:48:02.158] nsd-checkzone[4937]: error: example.org:21: text string is longer than 255 characters, try splitting it into multiple parts
Comment 13 Wouter Wijngaards 2014-08-26 09:25:24 CEST
Hi Sergei,

Instead of removing the double quotes, add a space between those quotes.  Can you fix the ispmanager to do that for you?  sed 's/""/" "/'

Best regards, Wouter
Comment 14 Sergei Mamonov 2014-08-26 11:18:30 CEST
OK.
We will change '""' to '" "' in zone files.
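
The workaround from comments 13 and 14, as an added example (not part of the original thread, and not NSD or ispmanager code): a quote-aware Python pass that inserts the space only where one quoted string is immediately followed by another, and reports each string's length against the 255-character limit from the error in comment 12. Unlike a plain substitution of "", it leaves an escaped quote before a closing quote, an empty string, and a "" inside a comment untouched. The function names and sample lines are constructed for illustration, and it assumes each record's quoted strings sit on a single line.

```python
import re

MAX_CHARSTR = 255                      # per-string limit for TXT data, in octets
_DDD = re.compile(r"\\[0-9]{3}")       # \DDD escape: one octet written in decimal


def fix_adjacent_strings(line):
    """Insert a space between back-to-back quoted strings on one zone-file line.

    Returns (fixed_line, lengths); lengths holds each quoted string's octet count.
    """
    out, lengths = [], []
    i, n, prev_quoted = 0, len(line), False
    while i < n:
        ch = line[i]
        if ch == ";":                  # comment: copy the rest untouched
            out.append(line[i:])
            break
        if ch != '"':                  # unquoted text; keep a \X escape together
            step = 2 if ch == "\\" else 1
            out.append(line[i:i + step])
            i, prev_quoted = i + step, False
            continue
        j, size = i + 1, 0             # quoted string: find the unescaped closing quote
        while j < n and line[j] != '"':
            if line[j] == "\\":
                j += 4 if _DDD.match(line, j) else 2
                size += 1
            else:
                size += len(line[j].encode("utf-8"))
                j += 1
        if j >= n:
            raise ValueError("unterminated quoted string")
        if prev_quoted:                # "a""b" becomes "a" "b"
            out.append(" ")
        out.append(line[i:j + 1])
        lengths.append(size)
        i, prev_quoted = j + 1, True
    return "".join(out), lengths


def oversized(lengths):
    """Indexes of strings longer than the 255-octet limit."""
    return [k for k, size in enumerate(lengths) if size > MAX_CHARSTR]


# Constructed sample lines (not the reporter's DKIM key).
SAMPLE = 'mail IN TXT ("v=DKIM1; p=' + "A" * 240 + '""IDAQAB;")'
TRICKY = 'x IN TXT "ends with quote\\"" "" ; note ""'
```

On SAMPLE the two strings measure 251 and 7 octets and are separated by a space; merging them by deleting the quotes instead would give 258 octets, which is the condition behind the "longer than 255 characters" error.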