BIND 10 #75: auth server: incorrect handling with wildcard matching
BIND 10 Development
do-not-reply at isc.org
Thu Apr 1 22:01:18 UTC 2010
#75: auth server: incorrect handling with wildcard matching
--------------------------+-------------------------------------------------
Reporter: jinmei | Owner: each
Type: defect | Status: assigned
Priority: major | Milestone: 03. Authoritative-only server
Component: Unclassified | Resolution:
Keywords: | Sensitive: 0
--------------------------+-------------------------------------------------
Changes (by jinmei):
* owner: jinmei => each
Comment:
Replying to [comment:5 each]:
>
> > r1317 is not 100% correct for wildcard + NXRRSET case. If it's a
> > DNSSEC enabled response, it should also return
> > *.wild2.jinmei.org/NSEC,RRSIG. It currently only returns SOA + its RRSIG.
>
> Thank you for noticing this bug. I believe it's fixed. I also added
> unit tests to cover wildcard->CNAME->NXRRSET and
> wildcard->CNAME->NXDOMAIN, and corrected the existing unit tests to look
> for the NSEC records.

Not looking at the code, but this doesn't seem to be fixed. If I ask
foo.wild2.jinmei.org/AAAA (qname matches *.wild2.jinmei.org, but it
doesn't have AAAA) the response is:
% dig @127.0.0.1 -p 5300 foo.wild2.jinmei.org aaaa +dnssec
;; AUTHORITY SECTION:
jinmei.org. 86400 IN SOA ns.jinmei.org. jinmei.kame.net. 2010030608 7200 3600 2592000 1200
jinmei.org. 86400 IN RRSIG SOA 5 2 86400 [...]
BIND9 returns the following, which is correct:
;; AUTHORITY SECTION:
jinmei.org. 1200 IN SOA ns.jinmei.org. jinmei.kame.net. 2010030608 7200 3600 2592000 1200
jinmei.org. 1200 IN RRSIG SOA 5 2 86400 [...]
*.wild2.jinmei.org. 1200 IN NSEC www.jinmei.org. A RRSIG NSEC
*.wild2.jinmei.org. 1200 IN RRSIG NSEC 5 3 1200 [...]
--
Ticket URL: <http://bind10.isc.org/ticket/75#comment:7>
BIND 10 Development <http://bind10.isc.org>
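The comparison made by eye in the comment above, written as an added Python example (not part of the ticket and not BIND code). The names `parse_rrs` and `wildcard_nodata_problems` are hypothetical, and the records are constructed from the two dig outputs quoted in the ticket.

```python
# Added example: audit a dig AUTHORITY section for the wildcard NODATA proof.
# Records are constructed from the two responses quoted in the ticket;
# "[...]" stands for the signature data elided there.
BIND10_AUTHORITY = """\
jinmei.org. 86400 IN SOA ns.jinmei.org. jinmei.kame.net. 2010030608 7200 3600 2592000 1200
jinmei.org. 86400 IN RRSIG SOA 5 2 86400 [...]
"""
BIND9_AUTHORITY = """\
jinmei.org. 1200 IN SOA ns.jinmei.org. jinmei.kame.net. 2010030608 7200 3600 2592000 1200
jinmei.org. 1200 IN RRSIG SOA 5 2 86400 [...]
*.wild2.jinmei.org. 1200 IN NSEC www.jinmei.org. A RRSIG NSEC
*.wild2.jinmei.org. 1200 IN RRSIG NSEC 5 3 1200 [...]
"""

def parse_rrs(text):
    """Parse 'owner ttl class type rdata...' lines; skip dig comment lines."""
    rrs = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 5 or f[0].startswith(";"):
            continue
        rrs.append({"owner": f[0].lower(), "type": f[3].upper(), "rdata": f[4:]})
    return rrs

def wildcard_nodata_problems(authority, wildcard, qtype):
    """List what a signed wildcard NODATA authority section is missing."""
    rrs = parse_rrs(authority)
    wildcard, qtype = wildcard.lower(), qtype.upper()

    def signed(owner, covered):
        # An RRSIG's first rdata field is the type it covers.
        return any(r["type"] == "RRSIG" and r["owner"] == owner
                   and r["rdata"][0].upper() == covered for r in rrs)

    problems = []
    soa = [r for r in rrs if r["type"] == "SOA"]
    if not soa:
        problems.append("SOA missing")
    elif not signed(soa[0]["owner"], "SOA"):
        problems.append("RRSIG(SOA) missing")
    nsec = [r for r in rrs if r["type"] == "NSEC" and r["owner"] == wildcard]
    if not nsec:
        problems.append("NSEC at wildcard missing")
    else:
        # rdata is: next-owner, then the type bitmap; qtype must be absent.
        if qtype in {t.upper() for t in nsec[0]["rdata"][1:]}:
            problems.append("NSEC bitmap lists " + qtype)
        if not signed(wildcard, "NSEC"):
            problems.append("RRSIG(NSEC) missing")
    return problems
```

The check only confirms that the expected records are present; it does not validate signatures or verify that the NSEC range covers the query name.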