BIND 10 #75: auth server: incorrect handling with wildcard matching
BIND 10 Development
do-not-reply at isc.org
Fri Jul 2 00:06:08 UTC 2010
#75: auth server: incorrect handling with wildcard matching
----------------------+-----------------------------------------------------
Reporter: jinmei | Owner: each
Type: defect | Status: reviewing
Priority: major | Milestone: 05. 3rd Incremental Release: Serious Secondary
Component: b10-auth | Resolution:
Keywords: | Sensitive: 0
----------------------+-----------------------------------------------------
Changes (by jinmei):
* owner: jinmei => each
Comment:
Replying to [comment:9 each]:
> > Not looking at the code, but this doesn't seem to be fixed. If I ask
> > foo.wild2.jinmei.org/AAAA (qname matches *.wild2.jinmei.org, but it
> > doesn't have AAAA) the response is:
>
> Interestingly, Jinmei seems to have found mistakes in both BIND 9 and
> BIND 10 here. BIND 9 should have included two NSEC records, not one.
> BIND 10 should have included an SOA record.
>
> I have a proposed fix in r2280. This also fixes a few unit tests that
> were written based on my incorrect understanding of the "correct
> behavior".
>
> Please review.

Before looking into the code I have a question. Do you mean, by "BIND 9
should have included two NSEC records", we should return two NSECs in the
authority section if we have *.wild2.jinmei.org/A (but no AAAA) and we're
asked for foo.wild2.jinmei.org/AAAA, and the patch tries to do so?

If so, I don't think it's the correct behavior (and I believe BIND 9
behaves correctly) because this is not an NXDOMAIN case.
*.wild2.jinmei.org/NSEC should prove both that there's a matching name
(wildcard) and that there's no AAAA of that name. For that matter, NSD
behaves the same as BIND 9 in this case.

Please clarify.

--
Ticket URL: <http://bind10.isc.org/ticket/75#comment:13>
BIND 10 Development <http://bind10.isc.org>
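
An added example, not part of the original message and not BIND 10 code: it computes which NSEC owner names a wildcard no-data answer needs under RFC 4035 section 3.1.3.4, using the query names from the ticket. The zone contents and function names are assumptions made for illustration; the second zone goes beyond the case in the message to show when the wildcard's NSEC no longer covers the query name.

```python
# Constructed example zones: owner name -> RR types present (not real jinmei.org data).
ZONE_A = {
    "jinmei.org": {"SOA", "NS", "NSEC"},
    "*.wild2.jinmei.org": {"A", "NSEC"},
    "www.jinmei.org": {"A", "NSEC"},
}
# Same zone plus an explicit sibling name below wild2 (constructed).
ZONE_B = dict(ZONE_A, **{"bar.wild2.jinmei.org": {"A", "NSEC"}})


def canon_key(name):
    """RFC 4034 section 6.1 canonical order: compare lowercased labels right to left."""
    return [label.encode() for label in reversed(name.lower().rstrip(".").split("."))]


def closest_encloser(zone, qname):
    """Longest ancestor of qname that exists, as an owner or an empty non-terminal."""
    labels = qname.split(".")
    for i in range(1, len(labels)):
        cand = ".".join(labels[i:])
        if cand in zone or any(o.endswith("." + cand) for o in zone):
            return cand
    return None


def wildcard_nodata_nsecs(zone, qname, qtype):
    """Owner names of the NSECs a wildcard no-data answer needs,
    or None if the query is not a wildcard no-data case."""
    qname = qname.lower().rstrip(".")
    if qname in zone:
        return None  # exact match: not a wildcard case
    encloser = closest_encloser(zone, qname)
    wildcard = "*." + encloser if encloser else None
    if wildcard not in zone or qtype in zone[wildcard]:
        return None  # no wildcard (NXDOMAIN) or the wildcard has the type
    # NSEC at the wildcard: its type bitmap shows qtype is absent.
    # NSEC covering qname: shows no closer match than the wildcard exists.
    qkey = canon_key(qname)
    covering = max((o for o in zone if canon_key(o) < qkey), key=canon_key)
    return sorted({wildcard, covering}, key=canon_key)


if __name__ == "__main__":
    for zone in (ZONE_A, ZONE_B):
        print(wildcard_nodata_nsecs(zone, "foo.wild2.jinmei.org", "AAAA"))
```

In the first zone the wildcard's own NSEC also covers foo.wild2.jinmei.org, so one record carries both proofs; in the second, bar.wild2.jinmei.org sorts between the wildcard and the query name, so the covering NSEC is a different record.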