From jelte at isc.org Sun Sep 6 12:17:09 2009 From: jelte at isc.org (Jelte Jansen) Date: Sun, 06 Sep 2009 14:17:09 +0200 Subject: [ldns-users] trailing garbage in wire parser Message-ID: <4AA3A845.30207@isc.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi, robert edmonds brought to my attention something that might or might not be a problem in ldns; the wire parser does not error if there is trailing garbage after a dns packet. One could very well say that that is not supposed to happen and an error should be raised. Here's a small patch that does that. Although even if included, there is one more choice to be made; should the packet be freed and NULL returned, or should the packet be kept in case the one asking for the parsing still wants to have it? (depends on whether callers check for *pkt == NULL or return value == LDNS_STATUS_OK to decide whether or not the pkt should be free'd later, i think both ways are used by developers) It now does the latter, but freeing it is probably more consistent, if an error is returned. Jelte -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iEYEARECAAYFAkqjqEUACgkQ4nZCKsdOncV84gCgju4+UjiRAwRLZ/R3oOZz97jm amQAn0u2lY4jFzo52iqkP7rQV3+7ov5q =8zK+ -----END PGP SIGNATURE----- -------------- next part -------------- A non-text attachment was scrubbed... Name: ldns_trailing_garbage.patch Type: text/x-diff Size: 496 bytes Desc: not available URL: From bert.hubert at netherlabs.nl Sun Sep 6 14:02:48 2009 From: bert.hubert at netherlabs.nl (bert hubert) Date: Sun, 6 Sep 2009 16:02:48 +0200 Subject: [ldns-users] trailing garbage in wire parser In-Reply-To: <4AA3A845.30207@isc.org> References: <4AA3A845.30207@isc.org> Message-ID: <3efd34cc0909060702o48bf47cau6b51ed5f44f9a32f@mail.gmail.com> On Sun, Sep 6, 2009 at 2:17 PM, Jelte Jansen wrote: > robert edmonds brought to my attention something that might or might not be a > problem in ldns; the wire parser does not error if there is trailing garbage > after a dns packet. One could very well say that that is not supposed to happen > and an error should be raised. Hi Jelte! I have to get used to your (new?) email address! Ok, on trailing garbage, this is rife on the internet. PowerDNS used to error out on it, but it was not doable. So now we ignore it, and life is good. What is right for ldns depends on your goals, but if you want to make ldns suitable as a base to build 'real life' solutions on, you almost have no choice beyond ignoring trailing garbage on otherwise valid packets. Bert From edmonds at debian.org Sun Sep 6 18:12:02 2009 From: edmonds at debian.org (Robert Edmonds) Date: Sun, 6 Sep 2009 14:12:02 -0400 Subject: [ldns-users] trailing garbage in wire parser In-Reply-To: <3efd34cc0909060702o48bf47cau6b51ed5f44f9a32f@mail.gmail.com> References: <4AA3A845.30207@isc.org> <3efd34cc0909060702o48bf47cau6b51ed5f44f9a32f@mail.gmail.com> Message-ID: <20090906181202.GA24223@mycre.ws> Jelte Jansen wrote: > robert edmonds brought to my attention something that might or might not be a > problem in ldns; the wire parser does not error if there is trailing garbage > after a dns packet. One could very well say that that is not supposed to happen > and an error should be raised. > > Here's a small patch that does that. Although even if included, there is one > more choice to be made; should the packet be freed and NULL returned, or should > the packet be kept in case the one asking for the parsing still wants to have > it? (depends on whether callers check for *pkt == NULL or return value == > LDNS_STATUS_OK to decide whether or not the pkt should be free'd later, i think > both ways are used by developers) It now does the latter, but freeing it is > probably more consistent, if an error is returned. the documentation for ldns_wire2pkt() unfortunately doesn't make it explicit if *pkt is always allocated, or only on LDNS_STATUS_OK. bert hubert wrote: > Ok, on trailing garbage, this is rife on the internet. PowerDNS used > to error out on it, but it was not doable. really? do you have any current numbers? i've only been able to find a few packets with trailing garbage, but maybe my sample is biased. -- Robert Edmonds edmonds at debian.org From edmonds at debian.org Sun Sep 6 18:31:55 2009 From: edmonds at debian.org (Robert Edmonds) Date: Sun, 6 Sep 2009 14:31:55 -0400 Subject: [ldns-users] ldns_wire2dname() doesn't reject some invalid pointers Message-ID: <20090906183155.GA24456@mycre.ws> RFC 1035 section 4.1.4 says this about message compression: "In this scheme, an entire domain name or a list of labels at the end of a domain name is replaced with a pointer to a prior occurance of the same name." note that the pointer must point backwards in the packet (a prior occurrence) and must point to a name. here's a DNS message that ldns 1.6 parses successfully: ca8884000001000000010000047864636a03636f6d00001c0001c01c0006000102000e10002c000a686f73746d61737465720a6e616d65736572766572000000000f0000708000001c2000093a8000003a80 the owner name of the first RR in the authority section starts with a pointer *forward* one octet in the packet to the first octet of the type field, which happens to be zero. and the type field of an RR isn't a name, so a compression pointer can't point to it. -- Robert Edmonds edmonds at debian.org From bert.hubert at netherlabs.nl Sun Sep 6 19:09:04 2009 From: bert.hubert at netherlabs.nl (bert hubert) Date: Sun, 6 Sep 2009 21:09:04 +0200 Subject: [ldns-users] trailing garbage in wire parser In-Reply-To: <20090906181202.GA24223@mycre.ws> References: <4AA3A845.30207@isc.org> <3efd34cc0909060702o48bf47cau6b51ed5f44f9a32f@mail.gmail.com> <20090906181202.GA24223@mycre.ws> Message-ID: <3efd34cc0909061209w6f3222fdu526174c7ff5e46db@mail.gmail.com> On Sun, Sep 6, 2009 at 8:12 PM, Robert Edmonds wrote: > bert hubert wrote: >> Ok, on trailing garbage, this is rife on the internet. PowerDNS used >> to error out on it, but it was not doable. > > really? ?do you have any current numbers? ?i've only been able to find a > few packets with trailing garbage, but maybe my sample is biased. I've mostly seen this on the resolver side, where you talk to the unwashed masses of soho routers/modems.. But it was frequent enough to cause helpdesk calls and spam the log. So it is a no-go for 'real life use'. Bert From edmonds at debian.org Sun Sep 6 19:23:02 2009 From: edmonds at debian.org (Robert Edmonds) Date: Sun, 6 Sep 2009 15:23:02 -0400 Subject: [ldns-users] trailing garbage in wire parser In-Reply-To: <3efd34cc0909061209w6f3222fdu526174c7ff5e46db@mail.gmail.com> References: <4AA3A845.30207@isc.org> <3efd34cc0909060702o48bf47cau6b51ed5f44f9a32f@mail.gmail.com> <20090906181202.GA24223@mycre.ws> <3efd34cc0909061209w6f3222fdu526174c7ff5e46db@mail.gmail.com> Message-ID: <20090906192302.GA26313@mycre.ws> bert hubert wrote: > I've mostly seen this on the resolver side, where you talk to the > unwashed masses of soho routers/modems.. ah, ok, i'm mostly looking at rd=0 packets between recursive and authoritative nameservers. (why the !#$% can't the soho boxes just propagate the DNS servers they learn from IPCP/DHCP to their NAT'd clients instead of proxying the request...) -- Robert Edmonds edmonds at debian.org From paul at xelerance.com Sun Sep 6 20:18:45 2009 From: paul at xelerance.com (Paul Wouters) Date: Sun, 6 Sep 2009 16:18:45 -0400 (EDT) Subject: [ldns-users] trailing garbage in wire parser In-Reply-To: <20090906192302.GA26313@mycre.ws> References: <4AA3A845.30207@isc.org> <3efd34cc0909060702o48bf47cau6b51ed5f44f9a32f@mail.gmail.com> <20090906181202.GA24223@mycre.ws> <3efd34cc0909061209w6f3222fdu526174c7ff5e46db@mail.gmail.com> <20090906192302.GA26313@mycre.ws> Message-ID: On Sun, 6 Sep 2009, Robert Edmonds wrote: > ah, ok, i'm mostly looking at rd=0 packets between recursive and > authoritative nameservers. (why the !#$% can't the soho boxes just > propagate the DNS servers they learn from IPCP/DHCP to their NAT'd > clients instead of proxying the request...) Because your clients need DHCP which gives them a DNS server entry before there is a possible uplink with your soho router, so the ISP's nameservers are not known yet. Paul From wouter at NLnetLabs.nl Mon Sep 7 07:21:19 2009 From: wouter at NLnetLabs.nl (W.C.A. Wijngaards) Date: Mon, 07 Sep 2009 09:21:19 +0200 Subject: [ldns-users] ldns_wire2dname() doesn't reject some invalid pointers In-Reply-To: <20090906183155.GA24456@mycre.ws> References: <20090906183155.GA24456@mycre.ws> Message-ID: <4AA4B46F.1080804@nlnetlabs.nl> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi Robert, Accept lenient, send strictly. Hence the acceptance of forward pointers for compression. ldns does check for loops, if that is what you're worried about. Best regards, Wouter On 09/06/2009 08:31 PM, Robert Edmonds wrote: > RFC 1035 section 4.1.4 says this about message compression: > > "In this scheme, an entire domain name or a list of labels at the > end of a domain name is replaced with a pointer to a prior occurance > of the same name." > > note that the pointer must point backwards in the packet (a prior > occurrence) and must point to a name. > > here's a DNS message that ldns 1.6 parses successfully: > > ca8884000001000000010000047864636a03636f6d00001c0001c01c0006000102000e10002c000a686f73746d61737465720a6e616d65736572766572000000000f0000708000001c2000093a8000003a80 > > the owner name of the first RR in the authority section starts with a > pointer *forward* one octet in the packet to the first octet of the type > field, which happens to be zero. and the type field of an RR isn't a > name, so a compression pointer can't point to it. > -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAkqktG8ACgkQkDLqNwOhpPioQwCgjHxFe0o5iu4tOx1ecDGmlM8+ 3VMAn1xYQG0lUFyg8ZV5TpxgPfhAh8+Z =91LY -----END PGP SIGNATURE----- From wouter at NLnetLabs.nl Mon Sep 7 07:25:05 2009 From: wouter at NLnetLabs.nl (W.C.A. Wijngaards) Date: Mon, 07 Sep 2009 09:25:05 +0200 Subject: [ldns-users] trailing garbage in wire parser In-Reply-To: <3efd34cc0909060702o48bf47cau6b51ed5f44f9a32f@mail.gmail.com> References: <4AA3A845.30207@isc.org> <3efd34cc0909060702o48bf47cau6b51ed5f44f9a32f@mail.gmail.com> Message-ID: <4AA4B551.3010704@nlnetlabs.nl> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi Jelte, Bert, On 09/06/2009 04:02 PM, bert hubert wrote: > On Sun, Sep 6, 2009 at 2:17 PM, Jelte Jansen wrote: >> robert edmonds brought to my attention something that might or might not be a >> problem in ldns; the wire parser does not error if there is trailing garbage >> after a dns packet. One could very well say that that is not supposed to happen >> and an error should be raised. > > Hi Jelte! I have to get used to your (new?) email address! > > Ok, on trailing garbage, this is rife on the internet. PowerDNS used > to error out on it, but it was not doable. +1 > So now we ignore it, and life is good. > > What is right for ldns depends on your goals, but if you want to make > ldns suitable as a base to build 'real life' solutions on, you almost > have no choice beyond ignoring trailing garbage on otherwise valid > packets. So, accept leniently, send strictly. Also for trailing garbage. Best regards, Wouter -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAkqktVEACgkQkDLqNwOhpPjYBACaA1JIS0MNBZwGYaxYBx/eWJrf KUEAoIqa2w5fCZVksmBYVN6U5vqN/+Yg =pG5Z -----END PGP SIGNATURE----- From jelte at isc.org Mon Sep 7 08:06:12 2009 From: jelte at isc.org (Jelte Jansen) Date: Mon, 07 Sep 2009 10:06:12 +0200 Subject: [ldns-users] trailing garbage in wire parser In-Reply-To: <3efd34cc0909061209w6f3222fdu526174c7ff5e46db@mail.gmail.com> References: <4AA3A845.30207@isc.org> <3efd34cc0909060702o48bf47cau6b51ed5f44f9a32f@mail.gmail.com> <20090906181202.GA24223@mycre.ws> <3efd34cc0909061209w6f3222fdu526174c7ff5e46db@mail.gmail.com> Message-ID: <4AA4BEF4.4040702@isc.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 bert hubert wrote: > On Sun, Sep 6, 2009 at 8:12 PM, Robert Edmonds wrote: >> bert hubert wrote: >>> Ok, on trailing garbage, this is rife on the internet. PowerDNS used >>> to error out on it, but it was not doable. >> really? do you have any current numbers? i've only been able to find a >> few packets with trailing garbage, but maybe my sample is biased. > > I've mostly seen this on the resolver side, where you talk to the > unwashed masses of soho routers/modems.. > > But it was frequent enough to cause helpdesk calls and spam the log. > > So it is a no-go for 'real life use'. > right. Scratch my patch :) yet another place i wish we had added and options flag to the api (PARSE_STRICT would be nice here). Jelte -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iEYEARECAAYFAkqkvvEACgkQ4nZCKsdOncVkUQCfbtLgKA/E/2FCb1i9e/1Ac9Co 3CEAoLOTSv2+hWIB/J6VdtLcRmo6GzdT =Zqvu -----END PGP SIGNATURE----- From miek at miek.nl Mon Sep 7 09:12:32 2009 From: miek at miek.nl (Miek Gieben) Date: Mon, 7 Sep 2009 11:12:32 +0200 Subject: [ldns-users] trailing garbage in wire parser In-Reply-To: <4AA4BEF4.4040702@isc.org> References: <4AA3A845.30207@isc.org> <3efd34cc0909060702o48bf47cau6b51ed5f44f9a32f@mail.gmail.com> <20090906181202.GA24223@mycre.ws> <3efd34cc0909061209w6f3222fdu526174c7ff5e46db@mail.gmail.com> <4AA4BEF4.4040702@isc.org> Message-ID: <20090907091232.GA15271@miek.nl> [ Quoting Jelte Jansen in "Re: [ldns-users] trailing garbage i"... ] > > So it is a no-go for 'real life use'. > > right. Scratch my patch :) > > yet another place i wish we had added and options flag to the api (PARSE_STRICT > would be nice here). something for 2.0 ? gtrz Miek -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 197 bytes Desc: Digital signature URL: From Joao at c-l-i.net Mon Sep 14 10:11:28 2009 From: Joao at c-l-i.net (Joao Damas) Date: Mon, 14 Sep 2009 12:11:28 +0200 Subject: [ldns-users] ldns_wire2dname() doesn't reject some invalid pointers In-Reply-To: <4AA4B46F.1080804@nlnetlabs.nl> References: <20090906183155.GA24456@mycre.ws> <4AA4B46F.1080804@nlnetlabs.nl> Message-ID: <4BF8EB27-AD0E-44F4-B4C5-8CBFC9194D00@c-l-i.net> On 7 Sep 2009, at 09:21, W.C.A. Wijngaards wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Hi Robert, > > Accept lenient, send strictly. Hence the acceptance of forward > pointers for compression. > > ldns does check for loops, if that is what you're worried about. > it does by keeping track of how many pointers it has dereferenced and stopping if it reaches some arbitrary number. Now, if only "prior occurences" (as per rfc1035) are accepted, loops would not be possible, right? (prior meaning target < current, excluding =) Joao From wouter at NLnetLabs.nl Tue Sep 15 12:33:37 2009 From: wouter at NLnetLabs.nl (W.C.A. Wijngaards) Date: Tue, 15 Sep 2009 14:33:37 +0200 Subject: [ldns-users] ldns_wire2dname() doesn't reject some invalid pointers In-Reply-To: <4BF8EB27-AD0E-44F4-B4C5-8CBFC9194D00@c-l-i.net> References: <20090906183155.GA24456@mycre.ws> <4AA4B46F.1080804@nlnetlabs.nl> <4BF8EB27-AD0E-44F4-B4C5-8CBFC9194D00@c-l-i.net> Message-ID: <4AAF89A1.5020501@nlnetlabs.nl> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi Joao, On 09/14/2009 12:11 PM, Joao Damas wrote: >> Accept lenient, send strictly. Hence the acceptance of forward >> pointers for compression. >> >> ldns does check for loops, if that is what you're worried about. >> > > it does by keeping track of how many pointers it has dereferenced and > stopping if it reaches some arbitrary number. > Now, if only "prior occurences" (as per rfc1035) are accepted, loops > would not be possible, right? (prior meaning target < current, excluding =) Yes. But you would not be accepting leniently. Although the word 'prior' seems to be used in the RFC, accepting a somewhat differently encoded compression with forward pointers is important for good operations, I think. Best regards, Wouter -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAkqviaAACgkQkDLqNwOhpPhWjwCdF7uq1z+nZy8Mw5plP8YbPVij Iy8AnAh257LhLqH2YUhNdYzpLOj1aLCj =vyBF -----END PGP SIGNATURE----- From johan.moreels at alcatel-lucent.be Tue Sep 29 13:16:21 2009 From: johan.moreels at alcatel-lucent.be (Johan Moreels) Date: Tue, 29 Sep 2009 15:16:21 +0200 Subject: [ldns-users] EDNS0 Message-ID: <6E8F06D7-5E89-4C68-99AF-C4CAD63BF5B1@alcatel-lucent.be> Hi, I tried to use your library in order to update DNS using update leases. How can I add the lease time to the DNS query? Johan Moreels _____________________________ Johan Moreels Senior Research Engineer tel: (+32) 3 240 4210 gsm: (+32) 477 500088 e-mail: johan.moreels at alcatel-lucent.be Alcatel-Lucent Bell N.V. Bell Labs Copernicuslaan 50 2018 Antwerpen Belgium Fortis 220-0002334-42 VAT BE 0404 621 642 Register of Legal Entities Antwerp This message (including any attachments) contains confidential information intended for a specific individual and purpose, and is protected by law. If you are not the intended recipient, you should delete this message. Any disclosure, copying, or distribution of this message, or the taking of any action based on it, is strictly prohibited without the prior consent of its author. -------------- next part -------------- An HTML attachment was scrubbed... URL: