Badcow / DNS

The aim of this project is to create abstract object representations of DNS records in PHP. The project consists of various classes representing DNS objects (such as Zone, ResourceRecord, and various RData types), a parser to convert BIND style text files to the PHP objects, and builders to create aesthetically pleasing BIND records.
MIT License

Derived record name not supported #107

Closed tomsommer closed 2 years ago

tomsommer commented 2 years ago

When parsing the attached example, a TLSA record named _25._tcp.example.com is not returned

_25._tcp.example.com. 43200 IN NSEC _443._tcp.example.com. RRSIG NSEC TLSA
43200 RRSIG NSEC 5 5 43200 (
20220306072900 20220204072900 23262 example.com.
aUbjBXyihDOA28Si5rBZ3OkV9QyzhnT5E3JT
/D30m1TPyJ1yTpo8mvY0jUclxfNnODN4ug49
9YI5UDjFLY1bjg== )
360 TLSA 3 1 1 (
01CA21026A705F21E7D0745849509B7C3F4D
F6862BC422475E0585E4C074A237 )
360 RRSIG TLSA 5 5 360 (
20220306072900 20220204072900 23262 example.com.
bTgf9yyfTe+Vcb/5AV73z42cZBXbLe0i+TOV
baol0gKslEWccsT68FwSaxKWdtKG+joWM6G6
4K2c0meRHONa8A== )

It appears 360 is parsed as the RR name

Documented here: https://stackoverflow.com/questions/70987780/hostnameless-records-in-zonefile

leifnel commented 2 years ago

in lib/Parser/Parser.php#L365

Only the first token should be tested for isTTL, isClass or isType. If any of them is true, reuse $this->lastStatedDomain; else the first token is the new domain.

Currently the first token is taken as a ResourceName if the next token is isTTL, isClass or isType.

samuelwilliams commented 2 years ago

Thank you for your issue - I have created a failing test case on branch issue-107

I will investigate further.

samuelwilliams commented 2 years ago

I just ran your example through named-compilezone and it appears to parse the TTLs as resource names as well...

example.com.                                  3600 IN SOA       example.com. post.example.com. 2014110501 3600 14400 604800 3600
example.com.                                  3600 IN NS        ns1.nameserver.com.
360.example.com.                              3600 IN TLSA      3 1 1 01CA21026A705F21E7D0745849509B7C3F4DF6862BC422475E0585E4 C074A237
360.example.com.                              3600 IN RRSIG     TLSA 5 5 360 20220306072900 20220204072900 23262 example.com. bTgf9yyfTe+Vcb/5AV73z42cZBXbLe0i+TOVbaol0gKslEWccsT68FwS axKWdtKG+joWM6G64K2c0meRHONa8A==
; resign=20220306072900
43200.example.com.                            3600 IN RRSIG     NSEC 5 5 43200 20220306072900 20220204072900 23262 example.com. aUbjBXyihDOA28Si5rBZ3OkV9QyzhnT5E3JT/D30m1TPyJ1yTpo8mvY0 jUclxfNnODN4ug499YI5UDjFLY1bjg==
; resign=20220306072900
_25._tcp.example.com.                         43200 IN NSEC     _443._tcp.example.com. RRSIG NSEC TLSA

Note that I had to add SOA and NS records so that it would parse.

So this is the way that BIND will see this particular record - I usually go with "What would BIND do?" as my mantra for developing this library.

This would also be the behaviour you want in something like a PTR record, for example:

$ORIGIN 1.168.192.IN-ADDR.ARPA.
42 PTR doug.adams.com.

Out of interest, what produced the example zone?

tomsommer commented 2 years ago

The export function at gratisdns.dk produces the output.

Unsure what generates it, but it might be powerdns or something? I doubt the dump itself is homemade.

Top of the dump states ; dnssec_signzone version 9.12.1-P2

samuelwilliams commented 2 years ago

Closing issue as this behaviour is consistent with BIND.