Bug 77 - Nsd doesn't check the length of domain labels
Nsd doesn't check the length of domain labels
Status: RESOLVED FIXED
Product: NSD
Classification: Unclassified
Component: Zonec Code
1.2.0
All All
: P2 normal
Assigned To: NSD team
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2004-01-27 18:49 CET by Markus Heimhilcher
Modified: 2004-02-02 16:37 CET (History)
0 users

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Markus Heimhilcher 2004-01-27 18:49:46 CET
I recently tested how various name server software responds to domain labels 
that are longer than 63 characters. Unfortunately nsd did not report any errors
in my test records, which were:

;
; Zonefile:
;
$ORIGIN at.
test IN A 127.3.2.1
testtesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttest
testtesttesttesttesttesttesttesttest IN TXT "test"
foofoofoofoofoofoofoofoofoofoofoofoofoofoofoofoofoofoofoofoofoofoofoofoofoofoofo
ofoofoofoo.at. IN A 127.1.2.3
barbarbarbarbarbarbarbarbarbarbarbarbarbarbarbarbarbarbarbarbarbarbarbarbarbarba
rbarbarbar.at. IN NS ns1.foobar.at

This is what named-checkzone says to that zonefile:

#named-checkzone at hosts2
dns_master_load: hosts2:29: label too long
dns_master_load: hosts2:29: syntax error
dns_master_load: hosts2:29: syntax error
dns_master_load: hosts2:30: label too long
dns_master_load: hosts2:31: label too long
zone at/IN: loading master file hosts2: label too long


This is what zonec says to the same file:

#zonec -v nsd.zones
zonec: reading zone "at.": 0 errors
zonec: writing zone "at.": done.
zonec: done with total 0 errors.

(with only one entry in nsd.zones)


After loading this file to nsd, queries for valid domain names are possible:

dig @localhost test.at.
(...)
;; QUESTION SECTION:
;test.at.                       IN      A

;; ANSWER SECTION:
test.at.                345600  IN      A       127.3.2.1
(...)

Dig refuses to query the longer labels: "xxx is not a legal name (label too 
long)". But the domains can be retrieved by asking nsd for a zone transfer:

#dig @localhost at axfr
(...)
;; Got bad packet: bad label type
133 bytes
88 5e 80 00 00 00 00 01 00 00 00 00 5a 62 61 72 
62 61 72 62 61 72 62 61 72 62 61 72 62 61 72 62 
61 72 62 61 72 62 61 72 62 61 72 62 61 72 62 61 
72 62 61 72 62 61 72 62 61 72 62 61 72 62 61 72 
62 61 72 62 61 72 62 61 72 62 61 72 62 61 72 62 
61 72 62 61 72 62 61 72 62 61 72 62 61 72 62 61 
72 62 61 72 62 61 72 02 61 74 00 00 02 00 01 00 
05 46 00 00 10 03 6e 73 31 06 66 6f 6f 62 61 72 
02 61 74 c0 67 


I did my tests with the newest available release version nsd-1.2.4. The tests 
were run on AIX 5.1, but FreeBSD 5.1 shows the same behaviour.
Comment 1 Miek Gieben 2004-01-27 19:42:50 CET
The zone compiler just compiles a zone. Very little checking is done: Bogus
in/bogus out. One of the preferred ways to check a zone is just what you did,
check it with 'named-checkzone' and then compile and load it.

Comment 2 Miek Gieben 2004-02-02 16:37:44 CET
Fixed in nsd2.0.0