NLnetLabs / nsd

The NLnet Labs Name Server Daemon (NSD) is an authoritative, RFC compliant DNS nameserver.

Home Page: https://nlnetlabs.nl/nsd

'*' in Rdata causes the return code to be NOERROR instead of NX

SivaKesava1 opened this issue

Hi again,

Short description

When the target of a CNAME that belongs to the same zone does not exist, it is returned with the NXDOMAIN return code. NSD handles this very well except when there is a * label in the Rdata. It returns with NOERROR, whereas Bind, Knot, and PowerDNS return with NXDOMAIN (Sorry for nitpicking a minor corner case).

Steps to reproduce

Consider the following sample zone file:

campus.edu. 500 SOA ns1.campus.edu. root.campus.edu. 3 86400 7200 604800 300
campus.edu. 500 NS ns1.outside.edu.
foo.campus.edu. 500 CNAME www.*.campus.edu.

For the query <foo.campus.edu., A> the answer from the NSD server is:

          "rcode NOERROR",
          "flags QR AA",
          ";QUESTION",
          "foo.campus.edu. IN A",
          ";ANSWER",
          "foo.campus.edu. 500 IN CNAME www.*.campus.edu.",
          ";AUTHORITY",
          ";ADDITIONAL"

Expected/Actual behavior

The answer section would be the same for the above query, but the RCODE should be NXDOMAIN.

Thank you for your quick replies.

Fixed it. It has to do with the internal data structure for storing domains in the memory of NSD; there, a domain struct is created for the right hand of the CNAME, and it is set to be non-existing. The is_existing was not checked for the wildcard expansion, and this is fixed by the commit. So this fix is only for CNAMEs to a wildcard right hand, where that wildcard right hand does not exist in the zone. Thanks for the report!
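The check described in the reply above, as an added example in the form of a simplified model (not NSD source code and not part of the original thread). The table layout, the `*.campus.edu.` placeholder node, and the names `find`, `target_rcode` and `check_existing` are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model of a name table (hypothetical; not NSD source). */
struct node { const char *name; int is_existing; };

/* Constructed table for the zone in the report. The CNAME target gets a
 * placeholder node marked non-existing; the "*.campus.edu." placeholder
 * for its parent is an assumption of this model. */
static const struct node table[] = {
    { "campus.edu.",       1 },
    { "foo.campus.edu.",   1 },
    { "*.campus.edu.",     0 },
    { "www.*.campus.edu.", 0 },
};

static const struct node *find(const char *name) {
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++)
        if (strcmp(table[i].name, name) == 0) return &table[i];
    return NULL;
}

enum { RCODE_NOERROR = 0, RCODE_NXDOMAIN = 3 };

/* RCODE for an in-zone CNAME target. check_existing=0 reproduces the
 * reported behaviour, check_existing=1 the behaviour after the fix. */
int target_rcode(const char *qname, int check_existing) {
    const struct node *n = find(qname);
    if (n && n->is_existing) return RCODE_NOERROR;     /* exact match */
    /* Walk up to the closest encloser that really exists in the zone. */
    const char *enc = qname;
    do {
        enc = strchr(enc, '.');
        if (!enc || !enc[1]) return RCODE_NXDOMAIN;    /* left the zone */
        enc++;
        n = find(enc);
    } while (!n || !n->is_existing);
    /* Look for the wildcard child "*.<encloser>". */
    char wc[256];
    snprintf(wc, sizeof wc, "*.%s", enc);
    const struct node *w = find(wc);
    if (w && (w->is_existing || !check_existing))
        return RCODE_NOERROR;      /* wildcard expansion (NODATA here) */
    return RCODE_NXDOMAIN;
}
int main(void) {
    printf("before fix: %d, after fix: %d\n", target_rcode("www.*.campus.edu.", 0),
           target_rcode("www.*.campus.edu.", 1));
    return 0;
}
```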