dig +sigchase looping

Mark Andrews marka at isc.org
Mon Feb 24 21:57:08 UTC 2014


SIGCHASE is an external contribution that is provided "as is" to dig.
The reason that you have to explicitly define it is that ISC hasn't
fully gone through the code to find bugs like this in it and it
basically needs a full re-write.  That said it does mostly work and
is better than nothing.

This will be two loops over the same rdataset content using the
same rdataset structure resulting in the inner loop affecting the
outer loop.  The fix will be to clone that rdataset before looping
over it a second time.  Finding it won't be so easy as there is a
mixture of local and global references to rdatasets.  The first
step will probably be to find and fix all the instances of code like:

	/* first() and next() are called on different rdataset references */
	dns_rdataset_first(rdataset);
	do {
	} while (dns_rdataset_next(global_rdataset) == ISC_R_SUCCESS);

Then to use local clones of rdataset so inner loops don't affect
outer loops making sure to disassociate before returning.

	dns_rdataset_t myrdataset;

	dns_rdataset_init(&myrdataset);
	/* clone so this loop has its own iteration state */
	dns_rdataset_clone(rdataset, &myrdataset);
	rdataset = &myrdataset;

	....
	dns_rdataset_first(rdataset);
	do {
		....
		if (....) {
			dns_rdataset_disassociate(rdataset);
			return(...);
		}
	} while (dns_rdataset_next(rdataset) == ISC_R_SUCCESS);
	....
	
	dns_rdataset_disassociate(rdataset);

Mark

In message <CF30C95B.14D22%ray.walker at nau.edu>, Raymond Drew Walker writes:
> 
> I have verified that this also happens intermittently with dig in
> BIND 9.9.5 built/configured with:
> 
> STD_CDEFINES="-DDIG_SIGCHASE=1"
> export STD_CDEFINES
> ./configure --enable-threads --enable-largefile
> --
> Raymond Walker
> Software Systems Engineer StSp.
> ITS - Northern Arizona University
> 
> From: Ray Walker <ray.walker at nau.edu>
> Date: Friday, February 21, 2014 at 4:28 PM
> To: "bind-users at lists.isc.org" <bind-users at lists.isc.org>
> Subject: dig +sigchase looping
> 
> I’m experiencing an interesting issue where sometimes when performing a
> sigchase on a valid signed zone the command loops indefinitely when an
> expired RRSIG exists:
> 
> Live example:
> dig +sigchase +trusted-key=./trusted.keys aa.nau.edu A
> 
> Notes:
> There is currently a valid RRSIG for this zone.
> dig compiled with -DDIG_SIGCHASE=1
> BIND 9.9.4
> 
> Roughly %50 of the time it returns as expected, while other times looping
> in such a fashion:
> 
> ;; OK a DS valids a DNSKEY in the RRset
> ;; Now verify that this DNSKEY validates the DNSKEY RRset
> ;; VERIFYING DNSKEY RRset for aa.nau.edu. with DNSKEY:25159: RRSIG has expired
> ;; OK a DS valids a DNSKEY in the RRset
> ;; Now verify that this DNSKEY validates the DNSKEY RRset
> ;; VERIFYING DNSKEY RRset for aa.nau.edu. with DNSKEY:25159: RRSIG has expired
> ;; OK a DS valids a DNSKEY in the RRset
> ;; Now verify that this DNSKEY validates the DNSKEY RRset
> ;; VERIFYING DNSKEY RRset for aa.nau.edu. with DNSKEY:25159: RRSIG has expired
> ;; OK a DS valids a DNSKEY in the RRset
> ;; Now verify that this DNSKEY validates the DNSKEY RRset
> ;; VERIFYING DNSKEY RRset for aa.nau.edu. with DNSKEY:25159: RRSIG has expired
> ;; OK a DS valids a DNSKEY in the RRset
> ;; Now verify that this DNSKEY validates the DNSKEY RRset
> ;; VERIFYING DNSKEY RRset for aa.nau.edu. with DNSKEY:25159: RRSIG has expired
> ;; OK a DS valids a DNSKEY in the RRset
> ;; Now verify that this DNSKEY validates the DNSKEY RRset
> ;; VERIFYING DNSKEY RRset for aa.nau.edu. with DNSKEY:25159: RRSIG has expired
> 
> Any particular reason this should be expected or is it bug worthy (or
> fixed in 9.9.5, as I didn’t see anything in the change log referring to
> it)?
> --
> Raymond Walker
> Software Systems Engineer StSp.
> ITS - Northern Arizona University
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
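
Added example (not part of the original message, and not BIND code): a
self-contained C model of the failure described in the reply above, where an
inner loop resets the cursor of the rdataset the outer loop is walking, next to
the clone-based fix. The toy_* types and functions, the "expired" marker and
the pass cap are all assumptions made for illustration.

```c
#include <stdio.h>
#include <stddef.h>

/* Toy stand-in for an rdataset handle: shared records plus a cursor kept
 * in the handle itself. Hypothetical type, not BIND's dns_rdataset_t. */
typedef struct { const int *rdata; size_t count, pos; } toy_rdataset_t;

static int toy_first(toy_rdataset_t *r) { r->pos = 0; return r->count > 0; }
static int toy_next(toy_rdataset_t *r) {
    if (r->pos + 1 >= r->count) return 0;   /* no more records */
    r->pos++;
    return 1;
}
/* Clone: same records, independent cursor. */
static void toy_clone(const toy_rdataset_t *src, toy_rdataset_t *dst) { *dst = *src; }
static void toy_disassociate(toy_rdataset_t *r) { r->rdata = NULL; r->count = r->pos = 0; }

/* Counts outer-loop passes; `limit` caps the count so the shared-handle
 * variant returns instead of spinning forever. */
static size_t outer_passes(toy_rdataset_t *set, int use_clone, size_t limit) {
    size_t passes = 0;
    if (!toy_first(set)) return 0;
    do {
        toy_rdataset_t local, *inner = set;  /* shared handle: the bug */
        if (use_clone) { toy_clone(set, &local); inner = &local; }
        if (toy_first(inner)) {              /* resets inner->pos to 0 */
            do {
                if (inner->rdata[inner->pos] < 0) break;  /* "expired": stop early */
            } while (toy_next(inner));
        }
        if (use_clone) toy_disassociate(&local);  /* release before moving on */
        passes++;
    } while (passes < limit && toy_next(set));
    return passes;
}

/* Constructed sample: three records, the first one marked expired (-1). */
static size_t demo(int use_clone) {
    static const int records[] = { -1, 2, 3 };
    toy_rdataset_t set = { records, 3, 0 };
    return outer_passes(&set, use_clone, 100);
}

int main(void) {
    printf("shared handle: %zu passes (hit the cap)\n", demo(0));
    printf("cloned handle: %zu passes\n", demo(1));
    return 0;
}
```

With the shared handle the outer cursor is rewound on every pass and never
reaches the end of a three-record set; with the clone the outer loop finishes
after exactly three passes.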

