Bug 95 - screwy wildcard case
Status: RESOLVED FIXED
Product: NSD
Classification: Unclassified
Component: NSD Code
Version: 2.2.x
Hardware: All other
Importance: P2 minor
Assigned To: NSD team
Depends on:
Blocks:
Reported: 2005-02-08 22:08 CET by ed lewis
Modified: 2005-02-09 13:36 CET (History)
Description ed lewis 2005-02-08 22:08:41 CET
For zones:

Edward-Lewis-Computer:/etc/nsd root# cat zone
$TTL 900
@       IN      SOA     ns0.example. ed.lewis.neustar.biz. (
                        1       ;serial number
                        1200    ;refresh time (20 min)
                        300     ;retry time (5 min)
                        3600    ;expire time (1 hour)
                        900 )   ;minimum time (15 minutes)

                NS      ns0.example.net.

*               NS      ns0.example.net.
Edward-Lewis-Computer:/etc/nsd root# cat zone-star 
$TTL 900
@       IN      SOA     ns2.example. ed.lewis.neustar.biz. (
                        1       ;serial number
                        1200    ;refresh time (20 min)
                        300     ;retry time (5 min)
                        3600    ;expire time (1 hour)
                        900 )   ;minimum time (15 minutes)

                NS      ns0.example.net.
                NS      ns1.example.net.

www             TXT     "www.*.example."

And conf file:
Edward-Lewis-Computer:/etc/nsd root# cat nsd.zones
; zone  name            filename                [ masters/notify ip-address ]
zone    example.        zone
zone    *.example.      zone-star

I see this wrong answer:

Edward-Lewis-Computer:~/Documents/DNS/nsd-sources/nsd-2.2.0 edlewis$ dig @127.0.0.1 www2.\*.example. txt

; <<>> DiG 9.3.0 <<>> @127.0.0.1 www2.*.example. txt
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45366
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;www2.*.example.                        IN      TXT

;; AUTHORITY SECTION:
*.example.              900     IN      SOA     ns2.example. ed.lewis.neustar.biz. 1 1200 300 3600 900

;; Query time: 10 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Feb  8 16:05:35 2005
;; MSG SIZE  rcvd: 92

The response ought to be NXDOMAIN from *.example.

(*.example matches *.example as in RFC 1034, 4.3.2, 3.b, not 3.c.)
Comment 1 Erik Rozendaal 2005-02-09 10:42:58 CET
For every owner name NSD keeps track of its wildcard child owner name. If an owner name does not have a wildcard child, the closest match is used (closest is based on the canonical ordering required by DNSSEC). Initially, the wildcard child is set to the owner itself. So if a zone contains the following owner names:

example
*.example
www.*.example
\045.www.*.example

The wildcard child for each owner is:

example --> *.example (a real wildcard child)
*.example --> *.example (not a child, so not a wildcard child)
www.*.example --> \045.www.*.example (a child, but first label is not "*", so not a wildcard child)
\045.www.*.example --> \045.www.*.example (not a child, so not a wildcard child)

To check if an owner name has a wildcard child, NSD looks at the owner name of the wildcard child. If it starts with a "*" label, it is a wildcard. Unfortunately, this is not correct for the *.example case above. It does start with a "*" label, but it is not the wildcard child ("*.*.example" would be the wildcard child).

So to fix this bug the "domain_wildcard_child" function needs to be modified to also check that the wildcard child closest match is really a child.

Erik
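The bookkeeping described in comment 1, as an added Python model (this is not NSD's code and does not reproduce its C data structures): owner names are kept in DNSSEC canonical order, the per-owner "wildcard child closest match" is taken to be the closest existing name at or before `*.owner` in that order (an assumption about what "closest match" means, chosen because it reproduces the table in the comment), and the pre-fix check is shown beside the fixed one. The zone is constructed from the four owner names in the comment, with `%` standing in for the escaped `\045` label (the label has to sort before `*` for the table to come out as shown). The `lookup` function is a simplified model of an authoritative lookup, not NSD's real code path, but it yields the NOERROR/zero-answer response from the report with the old check and NXDOMAIN with the new one.

```python
# Added example modelling the wildcard-child bookkeeping from comment 1.
# Not NSD code: a small Python model of the per-owner record and the two checks.

def parse_name(text):
    """'www.*.example' -> (b'www', b'*', b'example'); labels in presentation
    order, root label omitted."""
    return tuple(label.encode() for label in text.split("."))


def name_to_text(name):
    return ".".join(label.decode() for label in name)


def canonical_key(name):
    """Sort key for DNSSEC canonical ordering (RFC 4034 section 6.1): compare
    from the most significant (rightmost) label, labels as case-folded bytes."""
    return tuple(label.lower() for label in reversed(name))


class Zone:
    """Owner names of one zone, each with the set of RR types present at it."""

    def __init__(self, rrsets):
        self.rrsets = {parse_name(n): set(t) for n, t in rrsets.items()}
        self.names = sorted(self.rrsets, key=canonical_key)

    def closest_match(self, target):
        """Greatest existing name that sorts at or before target (assumed to be
        what 'closest match' means in comment 1)."""
        key = canonical_key(target)
        best = None
        for name in self.names:
            if canonical_key(name) > key:
                break
            best = name
        return best

    def wildcard_child_closest_match(self, owner):
        """What is recorded per owner: the closest match of '*.owner'.  It is the
        owner itself when no name sorts between owner and '*.owner'."""
        return self.closest_match((b"*",) + owner) or owner


def wildcard_child_before_fix(zone, owner):
    """Pre-fix check: looks only at the first label of the recorded name, so an
    owner that itself starts with '*' is taken to have a wildcard child."""
    match = zone.wildcard_child_closest_match(owner)
    return match if match[0] == b"*" else None


def wildcard_child_after_fix(zone, owner):
    """Fixed check: the recorded name must start with '*' AND be a direct child
    of owner, i.e. consist of '*' followed by owner's own labels."""
    match = zone.wildcard_child_closest_match(owner)
    return match if match[0] == b"*" and match[1:] == owner else None


def wildcard_child_table(zone):
    """Owner -> recorded wildcard-child closest match, as text (comment 1's table)."""
    return {name_to_text(n): name_to_text(zone.wildcard_child_closest_match(n))
            for n in zone.names}


def lookup(zone, qname, qtype, wildcard_child):
    """Simplified authoritative lookup (a model, not NSD's code path): exact
    owner match, else synthesis from the closest encloser's wildcard child,
    else NXDOMAIN.  Returns (rcode, number of answer RRsets)."""
    qname = parse_name(qname)
    if qname in zone.rrsets:
        return "NOERROR", int(qtype in zone.rrsets[qname])
    for i in range(1, len(qname)):          # longest existing ancestor
        encloser = qname[i:]
        if encloser in zone.rrsets:
            break
    else:
        return "REFUSED", 0                  # not under any name we serve
    child = wildcard_child(zone, encloser)
    if child is None:
        return "NXDOMAIN", 0
    return "NOERROR", int(qtype in zone.rrsets[child])


# Constructed sample zone: the four owner names from comment 1, with '%'
# standing in for the escaped \045 label, and RR types mirroring the zone
# files in the report.
ZONE = Zone({
    "example": {"SOA", "NS"},
    "*.example": {"SOA", "NS"},
    "www.*.example": {"TXT"},
    "%.www.*.example": {"TXT"},
})

if __name__ == "__main__":
    for owner, match in wildcard_child_table(ZONE).items():
        print(f"{owner:>18} --> {match}")
    for check in (wildcard_child_before_fix, wildcard_child_after_fix):
        print(check.__name__, lookup(ZONE, "www2.*.example", "TXT", check))
```

Running the block prints the table from the comment, then `wildcard_child_before_fix ('NOERROR', 0)` (the report's empty NOERROR answer) and `wildcard_child_after_fix ('NXDOMAIN', 0)`. The fixed check is the `match[1:] == owner` condition: a recorded name that starts with `*` but is the owner itself (or a deeper descendant) is no longer mistaken for a wildcard child.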
Comment 2 Erik Rozendaal 2005-02-09 13:36:55 CET
Fixed in CVS 2.2.x branch.