BIND 10 #551: wildcard handling for memory zone: find (main cases)
BIND 10 Development
do-not-reply at isc.org
Wed Feb 16 19:33:14 UTC 2011
#551: wildcard handling for memory zone: find (main cases)
-------------------------------------+-------------------------------------
Reporter: jinmei                     | Owner: jinmei
Type: enhancement                    | Status: reviewing
Priority: major                      | Milestone: A-Team-Sprint-20110223
Component: data source               | Resolution:
Keywords:                            | Sensitive: 0
Estimated Number of Hours: 8.0       | Add Hours to Ticket: 0
Billable?: 1                         | Total Hours: 0
Internal?: 0                         |
-------------------------------------+-------------------------------------
Comment (by jinmei):
Replying to [comment:9 vorner]:
> > - as for the note about RRSIG:
> > {{{
> > // TODO What about signatures? If we change the name, it would be
> > // wrong anyway...
> > }}}
> > I wouldn't worry about it for now. My expectation is that the
> > protocol wise consideration for wildcard + RRSIG will be naturally
> > implemented.
>
> Should I remove it? It crossed my mind at the time, so I marked the
> place where the original signature is lost. I didn't really worry about
> it.
It's up to you, but I'd leave it as a note.
>
> > - I guess we should generalize the RDATA check in
> > lib/testutils/. (but that would better be deferred to a separate
> > task)
>
> Another task to backlog?
Yes, I think so.
> > - emptyWildcard should check 'wild.bar.foo.example.org' doesn't
> >   match.
> > - nestedEmptyWildcard should test match and unmatch cases:
> >   - baz.foo.*.bar.example.org (should match)
> >   - baz.foo.baz.bar.example.org (should not match)
> >   - *.foo.baz.bar.example.org (should not match)
>
> I take by doesn't match you mean NXDOMAIN, right? Because that fails and
> I think it should return NXRRSET, not NXDOMAIN. I reason this way:
>
> While the RFC recommends not having RRset with multiple * in the name,
> it doesn't forbid it. However, if we load wild.*.foo.example.org, then the
> *.foo.example.org domain exists as empty nonterminal domain. Therefore we
> should match against that one (with *=wild.bar) and return NXRRSET,
> because that domain is empty.
>
> Similarly with the baz.foo.baz.bar.example.org and
> *.foo.baz.bar.example.org.
>
> Is there a problem in the reasoning?
Yes, there's a problem. By matching wild.bar.foo.example.org against
wild.*.foo.example.org. (resulting in NXRRSET), you substitute a label
for '*' not located in the first label of the name (in this example
it's the second label). The RFC doesn't allow such matching:
<quote>
The owner name of the wildcard RRs is of
the form "*.<anydomain>", where <anydomain> is any domain name.
</quote>
> Anyway, as BIND9 rejects loading such thing (as you mentioned), this
> explanation doesn't go against it. And the algorithm that you described
> works this way as well.
BIND9 rejects (loading) it *by default*. You can override the
behavior by adding the following to 'options':
{{{
options {
...
check-names master ignore;
};
}}}
NSD (more accurately its zonec utility) also allows it.
For corner case scenarios like this, I normally check what other
implementations do, not only for BIND 9 but also at least one other
non-ISC server (often NSD, sometimes powerdns also). I'd suggest this
practice to you.
Note: I've not checked the revised (if it's been revised) code yet.
--
Ticket URL: <http://bind10.isc.org/ticket/551#comment:10>
BIND 10 Development <http://bind10.isc.org>
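The leftmost-label rule cited in the comment above, applied to the names from this thread, as an added example that is not BIND 10 code. The zone contents are constructed and the nested-wildcard owner *.foo.*.bar.example.org is an assumption about what the nestedEmptyWildcard test loads; the function only decides whether a given wildcard owner covers a query name under RFC 4592 (leftmost '*' only, closest-encloser check with empty non-terminals counted as existing names) and leaves the NXRRSET-vs-NXDOMAIN question for an empty-non-terminal wildcard aside.

```python
# Added example (not BIND 10 code): RFC 4592 wildcard matching applied to
# the owner names discussed in the ticket.

# Constructed zone: only owner names matter here. The nested-wildcard owner
# '*.foo.*.bar.example.org' is an ASSUMPTION about what the test loads.
ZONE_OWNERS = [
    "example.org",              # apex
    "*.example.org",            # an ordinary wildcard
    "wild.*.foo.example.org",   # '*' is NOT leftmost: a literal label
    "*.foo.*.bar.example.org",  # leftmost '*' is the wildcard; middle '*' literal
]

def labels(name):
    """'A.b.example.org.' -> ('a', 'b', 'example', 'org'), case-folded."""
    return tuple(l.lower() for l in name.rstrip(".").split(".") if l)

def is_wildcard_owner(owner):
    """RFC 4592 sect. 2.1.1: only a '*' in the leftmost label makes a wildcard."""
    return labels(owner)[0] == "*"

def existing_names(owners):
    """Owner names plus every ancestor they imply (the empty non-terminals)."""
    names = set()
    for owner in owners:
        ls = labels(owner)
        names.update(ls[i:] for i in range(len(ls)))
    return names

def wildcard_matches(owner, qname, zone_owners=ZONE_OWNERS):
    """True iff qname would be synthesised from owner (RFC 4592 sect. 3.3):
    owner is a wildcard name, qname does not exist (not even as an empty
    non-terminal), qname's closest encloser is owner's parent, and the
    labels right of the '*' equal owner's parent literally."""
    if not is_wildcard_owner(owner):
        return False
    parent = labels(owner)[1:]
    q = labels(qname)
    names = existing_names(zone_owners)
    if q in names:
        return False  # exact name exists: no wildcard processing at all
    n = len(q) - len(parent)  # labels consumed by '*'; must be >= 1
    if n < 1 or q[n:] != parent:
        return False
    # Closest encloser must be owner's parent: no closer ancestor may exist.
    return all(q[i:] not in names for i in range(1, n))
```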