PowerDNS / pdns

PowerDNS Authoritative, PowerDNS Recursor, dnsdist
https://www.powerdns.com/
GNU General Public License v2.0

Unable to set records with underscores for types NS, MX, SRV #8393

Closed silverwind closed 5 years ago

silverwind commented 5 years ago

Short description

It's not possible to add/modify records containing underscores in their name when type is either NS, MX or SRV. Other types like CNAME do work as expected.

Environment

Steps to reproduce

  1. Add Record zone.com IN NS _name.zone.com. on API

Expected behaviour

Record to be accepted.

Actual behaviour

Error: RRset test.com. IN NS non-hostname content _name.test.com.

Other information

The validation added in https://github.com/PowerDNS/pdns/commit/32cd4eb113ea3c832bf717c2e3f895655af158cd does hostname validation differently for those three affected types. It should be updated to use the same validation that CNAME uses.

Habbie commented 5 years ago

We do hostname validation differently for those types because those types point to hostnames. CNAME is not required to point to a hostname.

Can you explain to us what the usecase is for delegating to a nameserver with an underscore in the name? We'd love to understand!

silverwind commented 5 years ago

It's just something I came across while testing, no real use case.

To my understanding, both CNAME and NS technically contain a DNS name in their content (not sure if the difference between a name and a hostname matters in this regard), so I was thinking they should be validated exactly the same.

Habbie commented 5 years ago

CNAMEs can be used to map any kind of name from one place to another. This does not have to be about hostnames. However, a name server is always a host, hence NS is required to point to a hostname.

We understand that this may feel like an arbitrary restriction in the API, and we'd be open to widening it -if- somebody has a good reason. This ticket does not appear to contain such a reason, so I'm closing this.
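Added example, not part of the thread and not PowerDNS code: a client-side pre-check that applies the distinction discussed above, a hostname rule for NS, MX and SRV content and a looser name rule for CNAME. The label patterns, the function names and every message except the "non-hostname content" one quoted in the issue are assumptions of this sketch.

```python
import re

# Hostname label (RFC 952/1123): letters, digits, hyphen; no hyphen at either end.
HOST_LABEL = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?")
# Looser label used here for non-host names: underscore also allowed (assumption).
NAME_LABEL = re.compile(r"[A-Za-z0-9_-]{1,63}")

# Types whose content points at a host, as named in the thread.
HOSTNAME_TYPES = {"NS", "MX", "SRV"}


def _matches(name, label_re):
    """True if every dot-separated label of `name` fully matches `label_re`."""
    bare = name[:-1] if name.endswith(".") else name
    if not bare or len(bare) > 253:
        return False  # empty name or root "." is out of scope for this sketch
    return all(label_re.fullmatch(label) for label in bare.split("."))


def is_hostname(name):
    return _matches(name, HOST_LABEL)


def is_dns_name(name):
    return _matches(name, NAME_LABEL)


def check_rrset(owner, rtype, content):
    """Return None if the content is acceptable, else an error string."""
    fields = content.split()
    if not fields:
        return f"RRset {owner} IN {rtype} empty content"
    # Assumed content layout: MX "pref host", SRV "prio weight port host".
    target = fields[-1]
    if rtype in HOSTNAME_TYPES:
        if not is_hostname(target):
            # Message shape copied from the error quoted in the issue.
            return f"RRset {owner} IN {rtype} non-hostname content {target}"
    elif rtype == "CNAME" and not is_dns_name(target):
        return f"RRset {owner} IN {rtype} invalid name {target}"
    return None  # only the content target is checked, never the owner name


if __name__ == "__main__":
    # Constructed sample records.
    for rr in [("test.com.", "NS", "_name.test.com."),
               ("www.test.com.", "CNAME", "_name.test.com."),
               ("_sip._tcp.test.com.", "SRV", "0 5 5060 sip.test.com.")]:
        print(rr, "->", check_rrset(*rr))
```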

silverwind commented 5 years ago

> a name server is always a host

RFC 1035 actually says the content of NS is a <domain-name>, not a hostname:

3.3.11. NS RDATA format
...
NSDNAME         A <domain-name> which specifies a host which should be
                authoritative for the specified class and domain.

just like it does for CNAME:

3.3.1. CNAME RDATA format
...
CNAME           A <domain-name> which specifies the canonical or primary
                name for the owner.  The owner name is an alias.

Maybe that was revised in a later RFC, not sure.

Habbie commented 5 years ago

Note carefully which types mention a host and which don't.

oddlama commented 4 years ago

I just wanted to note that I have a use-case for this. I am using PowerDNS as an authoritative DNS server for dns-01 challenges. So I have a zone called _acme-challenge.example.com. and I use certbot-dns-rfc2136 to automatically add the required records to the _acme-challenge zone.

Habbie commented 4 years ago

@oddlama are you actually running into this problem? From your description, I would not expect you to.

Habbie commented 4 years ago

(also please note that you are commenting on a closed ticket, where replies may go unnoticed. It would be best if you could join us on IRC for a bit, details are at https://www.powerdns.com/opensource.html )