Bug 1234 - shortening DNAME loop produces duplicate DNAME records in ANSWER section
Status: RESOLVED FIXED
Product: unbound
Classification: Unclassified
Component: server
Version: 1.5.10
Hardware: x86_64 Linux
Importance: P5 enhancement
Assigned To: unbound team
Reported: 2017-03-10 12:56 CET by Petr Špaček
Modified: 2017-03-10 14:13 CET (History)

Attachments
test demonstrating the issue in step 221102 (23.68 KB, application/octet-stream)
2017-03-10 12:56 CET, Petr Špaček
pcap from the test demonstrating the problem, see packet #131 (13.01 KB, application/octet-stream)
2017-03-10 13:01 CET, Petr Špaček

Description Petr Špaček 2017-03-10 12:56:30 CET
Created attachment 379 [details]
test demonstrating the issue in step 221102

Version: unbound-1.5.10-1.fc25.x86_64

Hello,

an attempt to test the cases described in the table listed in
https://tools.ietf.org/html/rfc6672#section-2.2
produced an interesting result.

Let's test this case:
    QNAME            owner  DNAME   target         result
    ---------------- -------------- -------------- -----------------
    shortloop.x.x.   x.             .              shortloop.x.

The two authoritative servers in the test reply with:
SECTION QUESTION
shortloop.x.x. IN CNAME
SECTION ANSWER
x. DNAME .
shortloop.x.x. IN CNAME shortloop.x.
shortloop.x. IN CNAME shortloop.

... and ...

SECTION QUESTION
shortloop. IN TXT
SECTION ANSWER
shortloop. IN TXT "shortloop end"


Interestingly, Unbound replies with:
SECTION QUESTION
shortloop.x.x. IN TXT
SECTION ANSWER
x. 3600 IN DNAME .
shortloop.x.x. 3600 IN CNAME shortloop.x.
x. 3600 IN DNAME .
shortloop.x. 3600 IN CNAME shortloop.
shortloop. 3600 IN TXT "shortloop end"

Please note the duplicated DNAME in the Answer section.

This can be reproduced using the attached test, see step 221102 CHECK_ANSWER.
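
The chain in this report, worked through as an added example (not part of the original report and not Unbound's code): RFC 6672 suffix substitution applied to `shortloop.x.x.` with the DNAME `x. -> .`, plus a check for repeated records in the resulting ANSWER section. The `follow()` assembly logic and its `dedupe` switch are hypothetical, a simplified model of how a repeated DNAME can end up in a reply.

```python
# Added example (not Unbound's code): RFC 6672 DNAME substitution plus a
# duplicate-RR check, run on the names from this report.

def labels(name):
    """Split an absolute DNS name into lower-cased labels; the root '.' gives []."""
    name = name.rstrip(".").lower()
    return name.split(".") if name else []

def dname_substitute(qname, owner, target):
    """Replace the owner suffix of qname with target (RFC 6672 section 2.2).

    Returns None when qname is not strictly below owner (no match)."""
    q, o, t = labels(qname), labels(owner), labels(target)
    if len(q) <= len(o) or (o and q[-len(o):] != o):
        return None
    return ".".join(q[:len(q) - len(o)] + t) + "."

def follow(qname, owner, target, dedupe, max_steps=16):
    """Chase one DNAME from qname; return (answer RRs, final name).

    Hypothetical assembly logic: each step emits the DNAME and the synthesized
    CNAME. With dedupe=False the DNAME is re-added on every step."""
    answer, name = [], qname
    for _ in range(max_steps):          # bound the chain so loops terminate
        new = dname_substitute(name, owner, target)
        if new is None:
            break
        dname_rr = (owner, "DNAME", target)
        if not (dedupe and dname_rr in answer):
            answer.append(dname_rr)
        answer.append((name, "CNAME", new))
        name = new
    return answer, name

def duplicate_rrs(answer):
    """Return RRs that occur more than once in an answer section."""
    seen, dups = set(), []
    for rr in answer:
        if rr in seen:
            dups.append(rr)
        seen.add(rr)
    return dups

if __name__ == "__main__":
    for dedupe in (False, True):
        answer, end = follow("shortloop.x.x.", "x.", ".", dedupe)
        print(dedupe, end, answer, "duplicates:", duplicate_rrs(answer))
```
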
Comment 1 Petr Špaček 2017-03-10 13:01:17 CET
Created attachment 380 [details]
pcap from the test demonstrating the problem, see packet #131
Comment 2 Wouter Wijngaards 2017-03-10 14:06:11 CET
Hi Petr,

Fixed the problem, thank you for the report.  And the detailed test case!

Best regards, Wouter

And by the way, this is the diff I needed to do to make the rpl work on unbound (1.6.2).  Just to note the small divergence in our test-scripts.

--- /home/wouter/iter_dname_insec.rpl	2017-03-10 13:30:52.155657591 +0100
+++ testdata/iter_dname_insec.rpl	2017-03-10 13:46:48.329821586 +0100
@@ -353,12 +353,14 @@
 
 STEP 220202 CHECK_ANSWER
 ENTRY_BEGIN
-MATCH rcode answer
+MATCH all
 REPLY QR RD RA DO
 SECTION QUESTION
 example.com. IN NS
 SECTION ANSWER
 example.com. IN NS ns1.example.com.
+SECTION ADDITIONAL
+ns1.example.com.        0       IN      A       168.192.2.2
 ENTRY_END
 
 ; line no. 2 QTYPE == DNAME
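
Review bot: The added SECTION ADDITIONAL record in STEP 220202, combined with the switch from MATCH rcode answer to MATCH all, makes this check pass only when the resolver returns exactly this glue record. Please confirm that 168.192.2.2 is the address the scenario serves for ns1.example.com. (that data is not visible in this hunk), and add a comment above the step stating that the additional section is compared on purpose.
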
@@ -371,7 +373,7 @@
 
 STEP 220204 CHECK_ANSWER
 ENTRY_BEGIN
-MATCH rcode question answer
+MATCH all
 REPLY QR RD RA DO
 SECTION QUESTION
 example.com. IN DNAME
@@ -393,7 +395,8 @@
 
 STEP 220302 CHECK_ANSWER
 ENTRY_BEGIN
-MATCH rcode question answer
+MATCH all
+REPLY QR RD RA DO
 SECTION QUESTION
 a.example.com. IN A
 SECTION ANSWER
@@ -415,7 +418,8 @@
 
 STEP 220402 CHECK_ANSWER
 ENTRY_BEGIN
-MATCH rcode question answer
+MATCH all
+REPLY QR RD RA DO
 SECTION QUESTION
 a.b.example.com. IN A
 SECTION ANSWER
@@ -517,7 +521,8 @@
 
 STEP 220702 CHECK_ANSWER
 ENTRY_BEGIN
-MATCH rcode question answer
+MATCH all
+REPLY QR RD RA DO
 SECTION QUESTION
 a.x.example.com. IN A
 SECTION ANSWER
@@ -600,7 +605,8 @@
 
 STEP 220802 CHECK_ANSWER
 ENTRY_BEGIN
-MATCH rcode question answer
+MATCH all
+REPLY QR RD RA DO
 SECTION QUESTION
 a2.example.com. IN A
 SECTION ANSWER
@@ -683,7 +689,8 @@
 ; CNAME chains should be followed and CNAME loops signalled as an error
 STEP 220902 CHECK_ANSWER
 ENTRY_BEGIN
-MATCH rcode question answer
+MATCH all
+REPLY QR RD RA DO
 REPLY SERVFAIL
 SECTION QUESTION
 cyc.example.com. IN A
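
Review bot: STEP 220902 now carries two REPLY lines, the added REPLY QR RD RA DO followed by the existing REPLY SERVFAIL, while the next hunk writes the same expectation for STEP 221002 as a single REPLY QR RD RA DO SERVFAIL. Use the single-line form here too, so both CNAME-loop steps state flags and rcode the same way and the result does not depend on how repeated REPLY lines are combined.
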
@@ -768,8 +775,8 @@
 ; CNAME chains should be followed and CNAME loops signalled as an error
 STEP 221002 CHECK_ANSWER
 ENTRY_BEGIN
-MATCH rcode question answer
-REPLY SERVFAIL
+MATCH all
+REPLY QR RD RA DO SERVFAIL
 SECTION QUESTION
 cyc2.example.com. IN A
 ENTRY_END
@@ -845,12 +852,14 @@
 
 STEP 221102 CHECK_ANSWER
 ENTRY_BEGIN
-MATCH rcode question answer
+MATCH all
+REPLY QR RD RA DO
 SECTION QUESTION
 shortloop.x.x.	IN TXT
 SECTION ANSWER
 x.		IN DNAME	.
 shortloop.x.x.	IN CNAME	shortloop.x.
+;;x.		IN DNAME	.
 shortloop.x.	IN CNAME	shortloop.
 shortloop.	IN TXT		"shortloop end"
 ENTRY_END
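
Review bot: The added line ;;x. IN DNAME . in STEP 221102 leaves a commented-out record in the expected ANSWER section without explanation. Either delete it or put a comment next to it saying that the DNAME must appear only once in the answer (with a reference to this bug), so the intent of the check stays clear.
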
@@ -871,7 +880,8 @@
 
 STEP 221202 CHECK_ANSWER
 ENTRY_BEGIN
-MATCH rcode question answer
+MATCH all
+REPLY QR RD RA DO
 SECTION QUESTION
 shortloop.x.	IN TXT
 SECTION ANSWER
@@ -984,7 +994,8 @@
 ; query returning maximal permissible length - should work
 STEP 229002 CHECK_ANSWER
 ENTRY_BEGIN
-MATCH rcode question answer
+MATCH all
+REPLY QR RD RA DO
 SECTION QUESTION
 x.long.	IN A
 SECTION ANSWER
@@ -1006,7 +1017,7 @@
 ;
 ; STEP 229004 CHECK_ANSWER
 ; ENTRY_BEGIN
-; MATCH rcode question answer
+; MATCH all
 ; REPLY QR YXDOMAIN
 ; SECTION QUESTION
 ; x.long.	IN A
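
Review bot: The disabled STEP 229004 is switched to ; MATCH all but keeps ; REPLY QR YXDOMAIN, whereas every enabled step in this patch pairs MATCH all with REPLY QR RD RA DO. If this step (and STEP 229007 in the next hunk) is re-enabled later, the header flags will likely need the same update; adjust the REPLY line now or say so in the comment block.
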
@@ -1026,7 +1037,7 @@
 ; 
 ; STEP 229007 CHECK_ANSWER
 ; ENTRY_BEGIN
-; MATCH rcode question answer
+; MATCH all
 ; REPLY QR YXDOMAIN
 ; SECTION QUESTION
 ; x.long.	IN A
Comment 3 Petr Špaček 2017-03-10 14:13:25 CET
That's what I call a swift fix! :-)

Speaking of the test, it was intentionally ignoring the additional section to allow the test to work on Knot Resolver and Unbound at the same time.

Right now I'm working on improving the Deckard project and the tests distributed with it (see https://gitlab.labs.nic.cz/knot/deckard) so it works on multiple resolvers at the same time.

The intention is to make sure that at least the new tests do not depend on implementation quirks in a particular resolver but simulate and test general behavior. Hopefully it will help us all in the future.

Have a nice day!