Under Logstash 5.6.5, reverse lookups will fail when the case of the in-addr.arpa zone name is in anything other than lower case. This was not reproducible under Win2k16 or Bind 9.9.4 (default CentOS 7), but was reproducible under a custom bind 9.10.6 installation that has since changed behaviour to preserve case sensitivity.
A zone configured like this would pass:
zone "1.168.192.in-addr.arpa" IN {
type master;
file "1.168.192.IN-ADDR.ARPA";
allow-update { none; };
};
But the slightest difference in case in the zone name would case a failure:
zone "1.168.192.IN-addr.arpa" IN {
type master;
file "1.168.192.IN-ADDR.ARPA";
allow-update { none; };
};
Under Logstash 5.6.5, reverse lookups will fail when the case of the
in-addr.arpazone name is in anything other than lower case. This was not reproducible under Win2k16 or Bind 9.9.4 (default CentOS 7), but was reproducible under a custom bind 9.10.6 installation that has since changed behaviour to preserve case sensitivity.A zone configured like this would pass:
But the slightest difference in case in the zone name would case a failure:
Some extra debugging reveals this error:
Which (as best as I could tell) traces back to Ruby's Resolv::DNS.getaddresses failing to be case insensitive as it should be , according to RFC 4343.
OK now the good news - The bug tested fixed as of Logstash 6.0.0! So, problem solved!!