PowerDNS / pdns

PowerDNS Authoritative, PowerDNS Recursor, dnsdist
https://www.powerdns.com/
GNU General Public License v2.0

invalid CAA RR served instead of rejected #14556

Open maroofi opened 1 month ago

maroofi commented 1 month ago

Short description

Hello. When I add a long CAA RR to the zone file in pdns (longer than 255 characters for 'tag'), I see that it creates a wrong RR and serves it to the client.

Environment

Steps to reproduce

Here is the content of the zone file when I run the command sudo -u pdns pdnsutil edit-zone fakedomain.fake

; Warning - every name in this file is ABSOLUTE!
$ORIGIN .
fakedomain.fake 3600    IN      SOA     ns1.fakedomain.fake hostmaster.fakedomain.fake 18 10800 3600 604800 3600
fakedomain.fake 3600    IN      A       4.5.6.7
fakedomain.fake 3600    IN      NS      ns1.fakedomain.fake
fakedomain.fake 3600    IN      CAA     1 issuewilddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddkkkkdddddddddddddddddddddddddddaaaa
ns1.fakedomain.fake     3600    IN      A       1.2.3.4

Now if I query with dig (dig @127.0.0.1 -p 5300 fakedomain.fake caa), here is the output:

; <<>> DiG 9.18.28-0ubuntu0.24.04.1-Ubuntu <<>> @127.0.0.1 -p 5300 fakedomain.fake caa
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48637
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: f7ab1e56dfdf551f0100000066bb690e20f1b09918f7c6e7 (good)
;; QUESTION SECTION:
;fakedomain.fake.       IN  CAA

;; ANSWER SECTION:
fakedomain.fake.    3600    IN  CAA 1 issuewilddddddddddddddddddddd "dddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddkkkkdddddddddddddddddddddddddddaaaa\000"

;; Query time: 1 msec
;; SERVER: 127.0.0.1#5300(127.0.0.1) (UDP)
;; WHEN: Tue Aug 13 16:09:18 CEST 2024
;; MSG SIZE  rcvd: 372

Looking at the wireshark captured data:

Domain Name System (response)
    Transaction ID: 0xbdfd
    Flags: 0x8500 Standard query response, No error
        1... .... .... .... = Response: Message is a response
        .000 0... .... .... = Opcode: Standard query (0)
        .... .1.. .... .... = Authoritative: Server is an authority for domain
        .... ..0. .... .... = Truncated: Message is not truncated
        .... ...1 .... .... = Recursion desired: Do query recursively
        .... .... 0... .... = Recursion available: Server can't do recursive queries
        .... .... .0.. .... = Z: reserved (0)
        .... .... ..0. .... = Answer authenticated: Answer/authority portion was not authenticated by the server
        .... .... ...0 .... = Non-authenticated data: Unacceptable
        .... .... .... 0000 = Reply code: No error (0)
    Questions: 1
    Answer RRs: 1
    Authority RRs: 0
    Additional RRs: 1
    Queries
    Answers
        fakedomain.fake: type CAA, class IN
            Name: fakedomain.fake
            Type: CAA (257) (Certification Authority Restriction)
            Class: IN (0x0001)
            Time to live: 3600 (1 hour)
            Data length: 288
            CAA Flags: 0x01
            Unknown tag [truncated]: dddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd
                Tag length: 29
                Tag: issuewilddddddddddddddddddddd
                Value [truncated]: dddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd
    Additional records
    [Request In: 81883]
    [Time: 0.000344364 seconds]

In the Wireshark output, we have Tag length: 29. Where is it coming from? Is it normal? Because if I do the same with BIND 9, I get SERVFAIL as the response.

Expected behaviour

I guess it should either not let me enter this value in the zone file or return SERVFAIL in the response.

Actual behaviour

It sends the wrong data to the client.

Other information

That's all. Thanks for helping and for the great software.

Habbie commented 3 weeks ago

Tag length: 29

Your invalid tag is 285 chars. 285-255 is 30, which is close to 29. That's my suspicion :)
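To show where the 29 comes from, here is an added Python example (not PowerDNS code): a CAA RDATA encoder that validates the tag per RFC 8659 and refuses anything the one-octet tag length field cannot carry, next to an unchecked encoder that wraps the length modulo 256 and reproduces the truncated tag seen in the dig and Wireshark output. The input tag is constructed as "issuewild" followed by 276 d's (285 characters); the empty record value and the function names are assumptions.

```python
import struct

# RFC 8659 s4.1: the tag length is a single octet, so the wire format cannot
# carry a tag longer than 255 octets (and it SHOULD be no more than 15).
MAX_TAG_LEN = 255

# Constructed input modelled on the report: "issuewild" + 276 'd's = 285 chars.
LONG_TAG = "issuewild" + "d" * 276

def encode_caa(flags: int, tag: str, value: str) -> bytes:
    """Encode CAA RDATA, refusing what the one-octet tag length cannot hold."""
    if not 0 <= flags <= 255:
        raise ValueError("flags must fit in one octet")
    tag_b = tag.encode("ascii")
    if not tag_b or not tag_b.isalnum():
        raise ValueError("tag must be one or more ASCII letters/digits")
    if len(tag_b) > MAX_TAG_LEN:
        raise ValueError(f"tag is {len(tag_b)} octets, maximum is {MAX_TAG_LEN}")
    return struct.pack("!BB", flags, len(tag_b)) + tag_b + value.encode("utf-8")

def encode_caa_unchecked(flags: int, tag: str, value: str) -> bytes:
    """Illustration only: store the length in one octet with no range check,
    so a 285-octet tag is written as 285 & 0xFF = 29."""
    tag_b = tag.encode("ascii")
    return struct.pack("!BB", flags, len(tag_b) & 0xFF) + tag_b + value.encode("utf-8")

def decode_caa(rdata: bytes):
    """Parse CAA RDATA into (flags, tag, value) the way a client or dig does."""
    if len(rdata) < 3:
        raise ValueError("CAA RDATA too short")
    flags, tag_len = struct.unpack("!BB", rdata[:2])
    if tag_len == 0 or 2 + tag_len > len(rdata):
        raise ValueError("malformed CAA: tag length out of range")
    tag = rdata[2:2 + tag_len].decode("ascii")
    value = rdata[2 + tag_len:].decode("utf-8", errors="replace")
    return flags, tag, value

def reproduce_report() -> dict:
    """Run both encoders on the 285-char tag; the value is assumed empty."""
    try:
        encode_caa(1, LONG_TAG, "")
        accepted = True
    except ValueError:
        accepted = False
    wire = encode_caa_unchecked(1, LONG_TAG, "")
    _, tag, value = decode_caa(wire)
    # With the wrapped length the client sees a 29-char tag, and the other
    # 256 'd's of the tag are silently reinterpreted as the value.
    return {"accepted_by_checked_encoder": accepted, "tag_len_on_wire": wire[1],
            "tag_on_wire": tag, "value_on_wire": value}
```

The checked encoder is the behaviour a zone loader should have: reject the record at load time rather than emit RDATA whose length octet no longer describes the tag.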