nsd users - Jul 2011 - nsd segfaults when serving a TXT record with two strings

This zone file, which seems legal (two strings in one TXT record, see
RFC 1035, section 3.3.14 which says "one or more"):

TXT     "Name of Facility or similar" "City, Country"

crashes nsd when queried with QTYPE=TXT or ANY:

[1309792314] nsd[21571]: warning: server 21573 died unexpectedly with status 11,
restarting

nsd 3.2.8 on Debian 6.0.1 "squeeze"

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Stephane,

On 07/04/2011 05:15 PM, Stephane Bortzmeyer wrote:
> TXT     "Name of Facility or similar" "City, Country"
> 
That is extremely worrying, but it does not happen for me.

$ dig @::1 -p 10053 example.nl TXT +norec
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25205
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;example.nl.			IN	TXT
;; ANSWER SECTION:
example.nl.		3600	IN	TXT	"Name of Facility or similar" "City,
Country"

Here is the zonefile I used:

@	10200	IN	SOA	open.nlnetlabs.nl. hostmaster.nlnetlabs.nl. 2011070101
28800 7200 604800 3600
@	TXT     "Name of Facility or similar" "City, Country"

Can you make clean; make (if you compiled it yourself?).

Can you gdb the server (-d prevents it from forking away from the
terminal) and give a 'bt' stack backtrace?

Best regards,
   Wouter
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJOEdsuAAoJEJ9vHC1+BF+N5YMP/RWgOOvyXd1wv8xp4Z4Erye6
rY5EN5vYf4gouK4aJANDq+uJwn3qHm+rK2CH8NHrwnw6VhhlLA63d3vjW//SVDRy
a93D9DxN+8d5yrpVJrenP2ZPOjtpWBWikC547g+wec5i04++ZNwiztqZyANVn7B1
v2iL84s/tNVC6Ef/vP+sCKJ5u9J9Bb4438uclUJKPEk6K8h2dIYIxLUwD1Tp37Gm
unxXjy1fNpn+LNxUX+ibk8HnIo/Z/Looc15dA2XAl3fjHSJKNe+b//pblF1K40N4
jldYAbAm8ColVBX4/kwgKYchIBZEhi209zBPUnFvun3ovch7pu95850UtSzlzALz
mLjH2rqKfHs99Bo/B5WvOl9Yojxc/IDcej9zcMmHQw6oJP853Wkpt1+UvXPaNoz8
5upp1RwbG5QaaY7dyeL07RhpXJ+mkgqSgEitlf2aabJ2jMgzekUJw1Il6J6QXZG9
7Z3KViA5unE2giHwvukiM+rbMYKhaB9qZKdAEqbeNt92M8LCZuQBYJHyedP3rNxl
lv3zL0G3yJcFotxtoGrsh7xSO1h4p6Pja6/9H14tTCcBooRn/umlnvGN/zsW2q7s
b5ezISf/Mpg+l+db93cIP5cRWj3NyJxO7ZhjxtOsiFHMJptW2fH9RYsMoP01cb4Y
LoVvWitHHxG44fZbLLV2
=TfJr
-----END PGP SIGNATURE-----

On 04/07/2011 17:15, Stephane Bortzmeyer wrote:
> This zone file, which seems legal (two strings in one TXT record, see
> RFC 1035, section 3.3.14 which says "one or more"):
> 
> TXT     "Name of Facility or similar" "City, Country"
> 
> crashes nsd when queried with QTYPE=TXT or ANY:
> 
> [1309792314] nsd[21571]: warning: server 21573 died unexpectedly with
status 11, restarting
> 
> nsd 3.2.8 on Debian 6.0.1 "squeeze"
I have different behaviour, which also looks wrong. NSD 3.2.8 running on
OSX 10.6.8, returns just the first string, but not the second, ie. if I
have:

TXT	"string 1" "string 2"

then querying NSD for TXT or ANY only returns "string 1".

Anand

On Mon, Jul 04, 2011 at 05:15:12PM +0200,
 Stephane Bortzmeyer <bortzmeyer at nic.fr> wrote 
 a message of 15 lines which said:
> crashes nsd when queried with QTYPE=TXT or ANY:
And the trace seems to be:

Program received signal SIGSEGV, Segmentation fault.
0x0805c7e5 in query_get_dname_offset (query=0x9176c90, domain=0x9174bb4)
    at query.h:143
143             return query->compressed_dname_offsets[domain->number];
(gdb) where
#0  0x0805c7e5 in query_get_dname_offset (query=0x9176c90, domain=0x9174bb4)
    at query.h:143
#1  0x0805c8d0 in encode_dname (q=0x9176c90, domain=0x9174bb4) at packet.c:21
#2  0x0805ca46 in packet_encode_rr (q=0x9176c90, owner=0x91708dc, rr=0x9174b54)
    at packet.c:76
#3  0x0805cc09 in packet_encode_rrset (query=0x9176c90, owner=0x91708dc, 
    rrset=0x9174b44, section=1) at packet.c:126
#4  0x0804a299 in encode_answer (q=0x9176c90, answer=0xbfbe71fc) at answer.c:76
#5  0x0805ffbe in answer_query (nsd=0x807f3e0, q=0x9176c90) at query.c:1204
#6  0x080605a6 in query_process (q=0x9176c90, nsd=0x807f3e0) at query.c:1353
#7  0x0806645a in server_process_query (nsd=0x807f3e0, query=0x9176c90)
    at server.c:1211
#8  0x08066ab5 in handle_udp (netio=0x9175c88, handler=0x9175d10, 
    event_types=NETIO_EVENT_READ) at server.c:1408
#9  0x08058806 in netio_dispatch (netio=0x9175c88, timeout=0x0, sigmask=0x0)
    at netio.c:258
#10 0x08066875 in server_child (nsd=0x807f3e0) at server.c:1343
#11 0x08064506 in restart_child_servers (nsd=0x807f3e0, region=0x9170530, 
    netio=0x9174c80, xfrd_sock_p=0xbfc055c8) at server.c:292
#12 0x08064e9a in server_start_children (nsd=0x807f3e0, region=0x9170530, 
    netio=0x9174c80, xfrd_sock_p=0xbfc055c8) at server.c:567
#13 0x08065caa in server_main (nsd=0x807f3e0) at server.c:977
#14 0x0805ad33 in main (argc=0, argv=0xbfc05924) at nsd.c:1063

(gdb) print domain->number
$4 = 1852383333

On Mon, Jul 04, 2011 at 05:15:12PM +0200,
 Stephane Bortzmeyer <bortzmeyer at nic.fr> wrote 
 a message of 15 lines which said:
> This zone file, which seems legal (two strings in one TXT record, see
> RFC 1035, section 3.3.14 which says "one or more"):
> 
> TXT     "Name of Facility or similar" "City, Country"
> 
> crashes nsd when queried with QTYPE=TXT or ANY:
OK, problem solved. This happened when running a recent version of the
nsd daemon with a database compiled by an old version of
zonec. Nothing in the database tells the daemon that the format is
different. TXT records are stored in an unexpected way => crash.

So, always check you use the right zonec. Its path seems hardcoded in
nsdc so setting PATH does not help.

[Analysis and solution by Wouter Wijngaards.]