Bug 759 - CISCO DNS guard PTR 0x20 lowercasing
Reported: 2016-04-27 11:46 CEST by Wolfgang Breyha
Modified: 2016-04-28 09:25 CEST (History)
Description Wolfgang Breyha 2016-04-27 11:46:32 CEST
This is not a direct unbound bug, but maybe you can take care of/work around this CISCO bug...

If a CISCO ASA/PIX... with active "DNS guard" *sigh* is in between DNS client and server while the client uses Draft 0x20 camelcasing, the CISCO device lowercases all .iN-AdDr.ArPa PTR requests (at least; maybe answers as well). And *only* PTR. Usual A RR lookups work as expected, which makes detection and debugging of the problem a "worst case scenario".

After the legendary "SMTP fixups" this is another major fail.

Even if CISCO fixes this anytime soon (which is unlikely IMVHO), it will take ages until most devices are fixed.

If unbound can implement a workaround for it, maybe with a notification to the logfile, this would help detecting such devices.

Currently if unbound is the client and has 
use-caps-for-id: yes
active, most of the PTR lookups result in SERVFAIL, because unbound does not accept the lowercased response.

We'll try to make CISCO aware of this bug as well, but...

PS: We did not check .ip6.arpa before disabling DNS guard.
Comment 1 Wouter Wijngaards 2016-04-28 09:25:34 CEST
Hi Wolfgang,

Implemented a fix: for type PTR it does not check the 0x20 match if 0x20 is enabled. That should reduce the number of false 0x20 failures.

Best regards, Wouter