BIND 10 #75: auth server: incorrect handling with wildcard matching

BIND 10 Development do-not-reply at isc.org
Fri Jul 2 02:31:06 UTC 2010 

#75: auth server: incorrect handling with wildcard matching
----------------------+-----------------------------------------------------
 Reporter:  jinmei    |        Owner:  each                                          
     Type:  defect    |       Status:  reviewing                                     
 Priority:  major     |    Milestone:  05. 3rd Incremental Release: Serious Secondary
Component:  b10-auth  |   Resolution:                                                
 Keywords:            |    Sensitive:  0                                             
----------------------+-----------------------------------------------------

Comment(by each):

 I may be confused about which case we're talking about here, but let me go
 over my understanding of negative wildcard answers, and you tell me where
 you disagree.  (It's very possible I have something wrong.)

 We have:
     *.wild.example A 192.0.2.2
     *.wilder.example CNAME www.example
     *.wildest.example CNAME spork.example
     www.example A 192.0.2.1

 ...and spork.example doesn't exist.

 Query for: foo.wild.example/A
 Returns: foo.wild.example/A
          *.wild.example/NSEC
 Because: NSEC record proves original qname doesn't exist

 Query for: foo.wild.example/AAAA
 Returns: NOERROR/NODATA
          example/SOA
          *.wild.example/NSEC
 Because: NSEC record proves *.wild.example has no AAAA
          SOA claims authority for negative answer

 Query for: foo.wilder.example/A
 Returns: foo.wilder.example/CNAME
          www.example/A
          *.wild.example/NSEC
 Because: NSEC record proves foo.wilder.example does not exist

 Query for: foo.wilder.example/AAAA
 Returns: foo.wilder.example/CNAME
          *.wilder.example/NSEC
          <covering NSEC for www.example>
          example/SOA
 Because: First NSEC proves foo.wilder.example doesn't exist
          Second NSEC proves www.example has no AAAA
          SOA claims authority for negative answer

 Query for: foo.wildest.example/A
 Returns: foo.wildest.example/CNAME
          *.wildest.example/NSEC
          <covering NSEC for spork.example>
          example/NSEC
          example/SOA
 Because: First NSEC proves foo.wildest.example doesn't exist
          Second NSEC proves spork.example doesn't exist
          Third NSEC proves *.example doesn't exist
          SOA claims authority for negative answer.

 Query for foo.wildest.example/AAAA is the same as foo.wildest.example/A.

 My understanding was that your query matched the fourth case, above --
 wildcard pointing to CNAME, but no type match.  If you only got one NSEC
 record, then if I'm correct in my understanding of the protocol, then BIND
 9 was misbehaving.  I'm told by Mark that BIND 9 did have this exact bug
 at some point (though 9.7 definitely doesn't).

 On re-reading, I think your query was really the second case -- wildcard
 match, type mismatch, no CNAME.  In that case there should be a single
 NSEC, as you noted.

 I think with this fix, BIND 10 handles all of the above cases correctly.

-- 
Ticket URL: <http://bind10.isc.org/ticket/75#comment:14>
BIND 10 Development <http://bind10.isc.org>
BIND 10 Development

More information about the bind10-tickets mailing list