nsd users - Oct 2015 - NSD answer apparently depends on case-pattern of question

Hi.

  Zonemaster is giving me the following error message:

When asked for SOA records on "wWw.NO8.be" and "wwW.nO8.BE",
nameserver ns1.no8.be/2001:770:13f::35:1 returns different answers.

  I believe that this is the only one (of three) authorities for
  no8.be which is running NSD.  I also believe that the answer should
  depend only on zone data, and not be "modulated" by differences
  between equivalent presentations of the question.
  
  I suspect a bug in NSD's code for building the answer.  Perhaps it's
  a known one already?

  The following script may help to visualize the behaviour.

-- snip --
#!/bin/sh

qnames="NO8.be nO8.BE wWw.NO8.be wwW.nO8.BE"
servers=`dig +norec +short @ns1.no8.be no8.be ns`

for name in $qnames
do
    for auth in $servers
    do
	dig +norec @$auth $name soa
    done
done
-- snip --

  Best regards,
  Niall O'Reilly

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hi Niall,

On 08/10/15 17:00, Niall O'Reilly wrote:
> Hi.
> 
> Zonemaster is giving me the following error message:
> 
> When asked for SOA records on "wWw.NO8.be" and
"wwW.nO8.BE",
> nameserver ns1.no8.be/2001:770:13f::35:1 returns different
> answers.
But there is no difference between these answers.  Zonemaster must be
wrong?  DNS is case insensitive, so these answers are identical.

NSD compresses the domain names in the answer towards the mangled
upper and lowercase of your question, which you then see repeated in
the answers.  This makes the packet smaller.

The zone data is in lowercase, because NSD lowercases all its zone
data (whether primary or secondary zones).  In case you were wondering
about the case of the zone data.

I have to echo the query section with its mangled upper and lowercase
because of 0x20 hacks that people are using to get extra entropy in
DNS messages.

Best regards, Wouter

> 
> I believe that this is the only one (of three) authorities for 
> no8.be which is running NSD.  I also believe that the answer
> should depend only on zone data, and not be "modulated" by
> differences between equivalent presentations of the question.
> 
> I suspect a bug in NSD's code for building the answer.  Perhaps
> it's a known one already?
> 
> The following script may help to visualize the behaviour.
> 
> -- snip -- #!/bin/sh
> 
> qnames="NO8.be nO8.BE wWw.NO8.be wwW.nO8.BE" servers=`dig +norec
> +short @ns1.no8.be no8.be ns`
> 
> for name in $qnames do for auth in $servers do dig +norec @$auth
> $name soa done done -- snip --
> 
> Best regards, Niall O'Reilly
> 
> _______________________________________________ nsd-users mailing
> list nsd-users at NLnetLabs.nl 
> http://open.nlnetlabs.nl/mailman/listinfo/nsd-users
> 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCAAGBQJWF2wcAAoJEJ9vHC1+BF+NgiIP/jxj+NXYiFca4cic35oJDGvV
nKy7JuM82dnblrezfgvyo8HMMSUjleHTVZfk2dAUVRxvaiLjizE8e3NbUhoXvFJF
Z/dGghGeWygxGRUxGa8kaiWWhVYtD1lDCg7qDnxREX2+O/AWcerWH1uajwoCR5hE
4P8ao8Cjwns9q84NiwkMac0AQPegKJC9qAduLpVYxpmIO535UUNgFYQ+1S4IdoIi
QRqDb8icpdtfPpjMxoK+kUsSqrQxyb8Mw9hbDvtM9etcQiwi2yyXAfr9VGFzNtko
LW7xqWX53qDGN4kJCRnEVLPBuAyeYbAfT7QuoNsfvNkEUzsx09isJgE76I6qHfBS
vs4f2+kfpKNPHPuCObhTe6CUoJ4jIyraxR0f+LGW5MUJXKcVMB5Fi1WOKeIclPGZ
0s+EbDuW6kmiiWLj/E7lf2/u8E8MmCEV//ob09yA+Yt6oB59fKlANdyimnsl+ayd
ahpZ0j2TK7jkZnTbyzCrZp3A+TE9oN94oRT7EP6Zl3FdLJbOJO+Xo3me/GHZ4gUP
/IMQ1Drk94zk2tLdqP/57ZbmmTJ88tLcSzIr49jqAmdt2sIn63K7S5YI0g2P4a4h
ovFuepRvP0ZFRx0f62w3wTumWO/XEPEIHj7zSMmSo6EcWNEG9uDkqhARqCqwKaU0
8tYP/H9FRveX+iy6qVVd
=sSA7
-----END PGP SIGNATURE-----

On 08 Oct 2015, at 17:00 , Niall O'Reilly <Niall.oReilly at ucd.ie>
wrote:
>  Hi.
> 
>  Zonemaster is giving me the following error message:
> 
> When asked for SOA records on "wWw.NO8.be" and
"wwW.nO8.BE", nameserver ns1.no8.be/2001:770:13f::35:1 returns
different answers.
> 
>  I believe that this is the only one (of three) authorities for
>  no8.be which is running NSD.  I also believe that the answer should
>  depend only on zone data, and not be "modulated" by differences
>  between equivalent presentations of the question.
> 
>  I suspect a bug in NSD's code for building the answer.  Perhaps
it's
>  a known one already?
It?s not a bug, it?s a feature :)

btw. I thought this was taken care of in Zonemaster already:
https://github.com/dotse/zonemaster/issues/372

/P