Hi,

I'm testing:

$ sudo nsd-control status
version: 4.0.1
verbosity: 2

I found a loop problem with this record:

* IN CNAME none

("none" means no matching record in zone and therefore match * again)

Queries that use "* CNAME" will result in a loop. The response will use TCP and will be limited to 65k bytes.

$ dig @127.0.0.1 sdfgsfg.test.com

;; Truncated, retrying in TCP mode.

; <<>> DiG 9.8.1-P1 <<>> @127.0.0.1 sdfgsfg.test.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30440
;; flags: qr aa tc rd; QUERY: 1, ANSWER: 4678, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;sdfgsfg.test.com.              IN      A

;; ANSWER SECTION:
sdfgsfg.test.com.       6400    IN      CNAME   none.test.com.
none.test.com.          6400    IN      CNAME   none.test.com.
none.test.com.          6400    IN      CNAME   none.test.com.
none.test.com.          6400    IN      CNAME   none.test.com.
none.test.com.          6400    IN      CNAME   none.test.com.
none.test.com.          6400    IN      CNAME   none.test.com.
none.test.com.          6400    IN      CNAME   none.test.com.
none.test.com.          6400    IN      CNAME   none.test.com.
none.test.com.          6400    IN      CNAME   none.test.com.
none.test.com.          6400    IN      CNAME   none.test.com.
none.test.com.          6400    IN      CNAME   none.test.com.
none.test.com.          6400    IN      CNAME   none.test.com.
none.test.com.          6400    IN      CNAME   none.test.com.
none.test.com.          6400    IN      CNAME   none.test.com.
none.test.com.          6400    IN      CNAME   none.test.com.
.
.
.
none.test.com.          6400    IN      CNAME   none.test.com.
none.test.com.          6400    IN      CNAME   none.test.com.
none.test.com.          6400    IN      CNAME   none.test.com.
none.test.com.          6400    IN      CNAME   none.test.com.

;; Query time: 85 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Nov 19 08:36:52 2013
;; MSG SIZE  rcvd: 65531

--------------------------------------------

A more likely example of this problem is below:

* IN CNAME google.com

(ending dot is missing)

;; QUESTION SECTION:
;sdfgsf.test.com.               IN      A

;; ANSWER SECTION:
sdfgsf.test.com.        6400    IN      CNAME   google.com.test.com.
google.com.test.com.    6400    IN      CNAME   google.com.test.com.
google.com.test.com.    6400    IN      CNAME   google.com.test.com.
google.com.test.com.    6400    IN      CNAME   google.com.test.com.
google.com.test.com.    6400    IN      CNAME   google.com.test.com.
google.com.test.com.    6400    IN      CNAME   google.com.test.com.
google.com.test.com.    6400    IN      CNAME   google.com.test.com.
google.com.test.com.    6400    IN      CNAME   google.com.test.com.
google.com.test.com.    6400    IN      CNAME   google.com.test.com.

Chris
Quoting Chris LaVallee <clavallee at edgecast.com>:

> I found a loop problem with this record:
> * IN CNAME none
> ("none" means no matching record in zone and therefore match * again)

Are you saying that the "none" literal has special treatment as a reserved word? I've never run into that. Do you have an RFC reference for this? My google-fu is failing.

Thanks,
Devin
Interesting? The combination of wildcards and CNAMEs with a nonexistent canonical name in a single record is not a good idea in general. If these records can be found in the wild, on an NSD-only server pool, this can lead to denial of service attacks against resolvers.

There are some clarifications of wildcards in the DNS that deal with CNAME. They can be found in RFC 4592. I've quickly glanced over it, and it seems that the behaviour is consistent with that RFC. (I might be wrong though.)

Roy

On 19 Nov 2013, at 14:14, Chris LaVallee <clavallee at edgecast.com> wrote:

> Hi,
>
> I'm testing:
>
> $ sudo nsd-control status
> version: 4.0.1
> verbosity: 2
>
> I found a loop problem with this record:
> * IN CNAME none
> ("none" means no matching record in zone and therefore match * again)
>
> Queries that use "* CNAME" will result in a loop. The response will use TCP and will be limited to 65k bytes.
>
> $ dig @127.0.0.1 sdfgsfg.test.com
>
> ;; Truncated, retrying in TCP mode.
>
> ; <<>> DiG 9.8.1-P1 <<>> @127.0.0.1 sdfgsfg.test.com
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30440
> ;; flags: qr aa tc rd; QUERY: 1, ANSWER: 4678, AUTHORITY: 0, ADDITIONAL: 0
> ;; WARNING: recursion requested but not available
>
> ;; QUESTION SECTION:
> ;sdfgsfg.test.com.              IN      A
>
> ;; ANSWER SECTION:
> sdfgsfg.test.com.       6400    IN      CNAME   none.test.com.
> none.test.com.          6400    IN      CNAME   none.test.com.
> none.test.com.          6400    IN      CNAME   none.test.com.
> none.test.com.          6400    IN      CNAME   none.test.com.
> none.test.com.          6400    IN      CNAME   none.test.com.
> none.test.com.          6400    IN      CNAME   none.test.com.
> none.test.com.          6400    IN      CNAME   none.test.com.
> none.test.com.          6400    IN      CNAME   none.test.com.
> none.test.com.          6400    IN      CNAME   none.test.com.
> none.test.com.          6400    IN      CNAME   none.test.com.
> none.test.com.          6400    IN      CNAME   none.test.com.
> none.test.com.          6400    IN      CNAME   none.test.com.
> none.test.com.          6400    IN      CNAME   none.test.com.
> none.test.com.          6400    IN      CNAME   none.test.com.
> none.test.com.          6400    IN      CNAME   none.test.com.
> .
> .
> .
> none.test.com.          6400    IN      CNAME   none.test.com.
> none.test.com.          6400    IN      CNAME   none.test.com.
> none.test.com.          6400    IN      CNAME   none.test.com.
> none.test.com.          6400    IN      CNAME   none.test.com.
>
> ;; Query time: 85 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Tue Nov 19 08:36:52 2013
> ;; MSG SIZE  rcvd: 65531
>
> --------------------------------------------
>
> A more likely example of this problem is below:
>
> * IN CNAME google.com
>
> (ending dot is missing)
>
> ;; QUESTION SECTION:
> ;sdfgsf.test.com.               IN      A
>
> ;; ANSWER SECTION:
> sdfgsf.test.com.        6400    IN      CNAME   google.com.test.com.
> google.com.test.com.    6400    IN      CNAME   google.com.test.com.
> google.com.test.com.    6400    IN      CNAME   google.com.test.com.
> google.com.test.com.    6400    IN      CNAME   google.com.test.com.
> google.com.test.com.    6400    IN      CNAME   google.com.test.com.
> google.com.test.com.    6400    IN      CNAME   google.com.test.com.
> google.com.test.com.    6400    IN      CNAME   google.com.test.com.
> google.com.test.com.    6400    IN      CNAME   google.com.test.com.
> google.com.test.com.    6400    IN      CNAME   google.com.test.com.
>
>
> Chris
>
> _______________________________________________
> nsd-users mailing list
> nsd-users at NLnetLabs.nl
> open.nlnetlabs.nl/mailman/listinfo/nsd-users
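Added example, not NSD's code and not from any message in this thread: a small Python zone check that reproduces what Chris observed and what Roy points to in RFC 4592. It parses a zone, performs wildcard synthesis the way an authoritative server does (exact match first, otherwise "*.<closest encloser>", with empty non-terminals counting as existing names), follows the CNAME chain, and flags a wildcard CNAME whose canonical name is itself only matched by that same wildcard, which is the case that produces the endless none.test.com. / google.com.test.com. chain. Assumptions: the test.com. zone contents are constructed for the example; the parser only understands "owner ttl IN type rdata" lines (no $ORIGIN, $TTL or parentheses); the probe label "wildcard-probe" is hypothetical and just needs to be absent from the zone.

```python
"""Lint a zone for wildcard CNAME records that loop back onto the wildcard.

Added example (not NSD code): parses a tiny zone, applies RFC 4592-style
wildcard synthesis, follows the resulting CNAME chain and reports loops.
"""
from collections import defaultdict

ORIGIN = "test.com."

# Constructed sample zones (not copied from the thread): the two wildcard
# records reported above, one whose target exists, one with an absolute
# out-of-zone target.
_HEADER = """\
@    6400 IN SOA   ns1 hostmaster 2013111901 3600 900 604800 300
@    6400 IN NS    ns1
ns1  6400 IN A     192.0.2.1
www  6400 IN A     192.0.2.2
"""
ZONE_LOOP_NONE = _HEADER + "*    6400 IN CNAME none\n"
ZONE_LOOP_NODOT = _HEADER + "*    6400 IN CNAME google.com\n"   # trailing dot missing
ZONE_OK_RELATIVE = _HEADER + "*    6400 IN CNAME www\n"
ZONE_OK_ABSOLUTE = _HEADER + "*    6400 IN CNAME google.com.\n"


def qualify(name, origin):
    """'@' is the origin; a name without a trailing dot is relative to the
    origin, which is exactly how 'google.com' became google.com.test.com."""
    if name == "@":
        return origin
    name = name.lower()
    return name if name.endswith(".") else f"{name}.{origin}"


def parent(name):
    return name.split(".", 1)[1]


def parse_zone(text, origin):
    """Minimal 'owner ttl IN type rdata' parser. Returns {owner: [(type, rdata)]}."""
    zone = defaultdict(list)
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        owner, _ttl, klass, rtype, *rdata = line.split()
        owner, rtype = qualify(owner, origin), rtype.upper()
        if klass.upper() != "IN" or not (owner == origin or owner.endswith("." + origin)):
            raise ValueError(f"unsupported record: {raw}")
        data = qualify(rdata[0], origin) if rtype == "CNAME" else " ".join(rdata)
        zone[owner].append((rtype, data))
    return dict(zone)


def lookup(zone, origin, qname):
    """Exact match first; otherwise RFC 4592 synthesis from '*.<closest encloser>'.
    Empty non-terminals count as existing. Returns (matched_owner, rrset) or (None, [])."""
    if qname in zone:
        return qname, zone[qname]
    if not qname.endswith("." + origin):
        return None, []                       # outside this zone
    existing = {origin}
    for owner in zone:                        # every owner plus all its ancestors
        while owner != origin:
            existing.add(owner)
            owner = parent(owner)
    encloser = parent(qname)
    while encloser not in existing:
        encloser = parent(encloser)
    wildcard = "*." + encloser
    return (wildcard, zone[wildcard]) if wildcard in zone else (None, [])


def follow_cnames(zone, origin, qname, max_steps=16):
    """Walk the chain the server would place in the answer section.
    Status is one of 'ok', 'loop', 'nxdomain', 'external', 'too_long'."""
    chain, seen, name = [], set(), qname
    for _ in range(max_steps):
        if name in seen:
            return "loop", chain
        seen.add(name)
        owner, rrset = lookup(zone, origin, name)
        if owner is None:
            in_zone = name == origin or name.endswith("." + origin)
            return ("nxdomain" if in_zone else "external"), chain
        targets = [d for t, d in rrset if t == "CNAME"]
        if not targets:
            return "ok", chain
        chain.append((name, owner, targets[0]))
        name = targets[0]
    return "too_long", chain


def find_wildcard_cname_loops(zone_text, origin=ORIGIN):
    """For each wildcard owner carrying a CNAME, query a label only the wildcard
    can match and report those whose chain loops. 'wildcard-probe' is a
    hypothetical label assumed not to exist in the zone."""
    zone = parse_zone(zone_text, origin)
    findings = []
    for owner, rrset in zone.items():
        if owner.startswith("*.") and any(t == "CNAME" for t, _ in rrset):
            status, chain = follow_cnames(zone, origin, "wildcard-probe." + owner[2:])
            if status == "loop":
                findings.append((owner, chain[0][2]))
    return findings


if __name__ == "__main__":
    for label, text in [("none", ZONE_LOOP_NONE), ("google.com", ZONE_LOOP_NODOT),
                        ("www", ZONE_OK_RELATIVE), ("google.com.", ZONE_OK_ABSOLUTE)]:
        print(f"* CNAME {label:<12} -> {find_wildcard_cname_loops(text) or 'no loop'}")
```

Running it reports a loop for both "* CNAME none" and "* CNAME google.com" (the unqualified target is rewritten to google.com.test.com. and falls back onto the wildcard), and nothing for "* CNAME www" or "* CNAME google.com.". The closest-encloser rule also shows why a query for foo.www.test.com. gets NXDOMAIN rather than a wildcard answer: www.test.com. exists, so the wildcard at the apex no longer applies beneath it.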