PowerDNS / pdns

PowerDNS Authoritative, PowerDNS Recursor, dnsdist
https://www.powerdns.com/
GNU General Public License v2.0

auth, rec: no YXDOMAIN in overly long DNAME CNAME synthesis #9740

Open Habbie opened 3 years ago

Habbie commented 3 years ago

Short description

https://tools.ietf.org/html/rfc6672#section-2.2 says:

   The domain name can get too long during substitution.  For example,
   suppose the target name of the DNAME RR is 250 octets in length
   (multiple labels), if an incoming QNAME that has a first label over 5
   octets in length, the result would be a name over 255 octets.  If
   this occurs, the server returns an RCODE of YXDOMAIN [RFC2136].  The
   DNAME record and its signature (if the zone is signed) are included
   in the answer as proof for the YXDOMAIN (value 6) RCODE.

The recursor has two code comments mentioning we don't do this; the auth has no such comments but also lacks the relevant code:

Nov 16 16:56:36 Exception building answer packet for 1234567890.www.d.example.com/A (name too long) sending out servfail

Environment

Steps to reproduce

  1. Create record d.example.com 3005 IN DNAME 1234567890.1234567890.1234567890.1234567890.1234567890.1234567890.1234567890.1234567890.1234567890.1234567890.1234567890.1234567890.1234567890.1234567890.1234567890.1234567890.1234567890.1234567890.1234567890.1234567890.1234567890.example.nl
  2. Ask for 1234567890.www.d.example.com/

Expected behaviour

YXDOMAIN+DNAME+RRSIG

Actual behaviour

Auth: log message plus servfail. Rec: I did not check.
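
The length check that the quoted RFC 6672 section 2.2 text calls for, as an added C++ example that is not PowerDNS code and not part of the original issue. `DnameResult`, `wireLength`, `synthesize` and `longTarget` are hypothetical names, and names are assumed to be lower-case presentation format without escapes or a trailing dot.

```cpp
#include <cstddef>
#include <iostream>
#include <string>

// Added illustration, not PowerDNS code. Assumes lower-case presentation-format
// names without escapes and without a trailing dot.
enum class DnameResult { NotApplicable, Synthesized, YXDomain };

// Wire length: every label costs its octets plus one length octet, and the
// root label adds one more, so a dotted name of N characters takes N + 2.
std::size_t wireLength(const std::string& name) {
  return name.empty() ? 1 : name.size() + 2;
}

// RFC 6672 section 2.2 substitution: swap the DNAME owner suffix of qname for
// the target. A result over 255 octets means RCODE YXDOMAIN, not a CNAME.
DnameResult synthesize(const std::string& qname, const std::string& owner,
                       const std::string& target, std::string& cname) {
  const std::string suffix = "." + owner;
  if (qname.size() <= suffix.size() ||
      qname.compare(qname.size() - suffix.size(), suffix.size(), suffix) != 0) {
    return DnameResult::NotApplicable;  // only strict subdomains are redirected
  }
  const std::string prefix = qname.substr(0, qname.size() - suffix.size());
  const std::string candidate = prefix + "." + target;
  if (wireLength(candidate) > 255) {
    return DnameResult::YXDomain;  // answer carries the DNAME (+RRSIG) as proof
  }
  cname = candidate;
  return DnameResult::Synthesized;
}

// Constructed sample target: n ten-octet labels in front of example.nl.
std::string longTarget(int n) {
  std::string t;
  for (int i = 0; i < n; ++i) t += "1234567890.";
  return t + "example.nl";
}

int main() {
  std::string cname;
  const std::string target = longTarget(21);  // 243 octets on the wire
  DnameResult r = synthesize("1234567890.www.d.example.com", "d.example.com", target, cname);
  std::cout << (r == DnameResult::YXDomain ? "YXDOMAIN" : "other") << "\n";
  return 0;
}
```

The check has to run before the synthesized CNAME is built into the packet, so that an over-long result is reported as YXDOMAIN rather than surfacing as a packet-building failure.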

Habbie commented 3 years ago

As #10231 exists and is almost ready, I removed the auth milestone from this so it can get a rec milestone.