search

TechnitiumSoftware / DnsServer

Technitium DNS Server
https://technitium.com/dns/
GNU General Public License v3.0
3.84k stars 400 forks source link

Synthesizing from wildcard DNAMEs over using DNAME power #791

Closed SivaKesava1 closed 4 months ago

SivaKesava1 commented 7 months ago

Hi @ShreyasZare,

Thanks for promptly fixing all the issues I filed earlier. The following is not typically allowed as per RFC 6672, but consider it as Technitium seems to have difference when compared to others.

Consider the following zone file.
test. 500 SOA ns1.outside.edu. root.test 3 604800 86400 2419200 604800
test. 500 NS ns1.outside.com.
*.test. 500 DNAME some.domain.

For the query, <a.*.test., DNAME> the response from Technitium is as follows:

          "rcode NOERROR",
          "flags QR AA RA",
          ";QUESTION",
          "*.a.*.test. IN DNAME",
          ";ANSWER",
          "a.*.test. 500 IN DNAME some.domain.",
          ";AUTHORITY",
          ";ADDITIONAL"

while the others like Bind, PowerDNS, Knot, NSD give:

           rcode NOERROR",
          "flags QR AA",
          ";QUESTION",
          "a.*.test. IN DNAME",
          ";ANSWER",
          "*.test. 500 IN DNAME some.domain.",
          "a.*.test. 500 IN CNAME a.some.domain.",
          ";AUTHORITY",
          ";ADDITIONAL"

It looks like you are not considering the DNAME power of the record and considering it as any other wildcard record, whereas others seem to prioritize the DNAME power.

ShreyasZare commented 7 months ago

Hi @SivaKesava1. Thanks for these new reports. Will test them all soon and get it fixed in the next update.

ShreyasZare commented 5 months ago

Thanks again for the feedback. There are a couple of issues with this test which came up while testing it.

First issue is with * in the query section. As per my understanding of RFC 4592 section-2.3, the wildcard character appearing in question section does not carry any special meaning and no wildcard processing is done. Its thus matched literally with the record in zone.

Second issue is with wildcard DNAME. As per reading of RFC 6672 section-3.3 using wildcard with DNAME is discouraged since its interaction with both the features is non-deterministic.

With both these things in mind, I think the correct answer for the a.*.text IN DNAME request should be NXDOMAIN since there is no wildcard processing being done and that there is no subdomain name that exists.

Let me know what you think about this.

ShreyasZare commented 5 months ago

I did some analysis again and it looks like DNAME should be processed in this case. Will get the implementation updated.

SivaKesava1 commented 5 months ago

Hi @ShreyasZare,

You are correct about * being treated as a normal character when present in the query.

You are also correct about wildcard DNAMEs being discouraged, but there is no clear mention of what the behavior should be when it is present in the zone file. The easy way is to signal an error when a wildcard DNAME is created.

Other implementations consider both the DNAME power and wildcard power depending on the situation. Please check this discussion https://gitlab.nic.cz/knot/knot-dns/-/issues/905. It is a more complex case compared to the one I mentioned here.

ShreyasZare commented 4 months ago

Technitium DNS Server v12 is now available that fixes this issue. Do update and let me know your feedback.