[nsd-users] nsd-zonec SIGSEGV when record is longer than 255 characters

Dmitry Kohmanyuk dk at hostmaster.ua
Mon Aug 27 19:13:00 UTC 2012


On Aug 27, 2012, at 7:23 PM, Miek Gieben <miek at miek.nl> wrote:

> [ Quoting <pk at denic.de> in "Re: [nsd-users] nsd-zonec SIGSEGV w..." ]
>> On Mon, Aug 27, 2012 at 05:41:26PM +0200, Yuri Schaeffer wrote:
>> 
>>> I agree. A fix has been applied to the NSD_3_2 branch in r3639. Zonec
>>> simply continues with the first 255 characters.
>> 
>> apologies for _not_ testing, but what is the final outcome supposed to be?
>> Accept the zone with shortened TXT RR or refuse to compile due to
> 
> What about the RRSIG (if there is one)?

I think the only proper approach is to refuse to load such a zone - truncating the record,
thus essentially corrupting zone data, is not a good thing to do (even without DNSSEC - as this would break validation).

there are legitimate uses for large TXT records - for example, DKIM signature records (they contain public keys…)

dropping a "too large" record and proceeding to compile the rest of the zone feels like a good compromise, but it is actually not,
as this would break NSEC (NSEC3) data (with bitmapped list of RR types).

>> properly reported parse error?
> 
> erroring out is probably best -- although NSD is garbage in - garbage out.
> (which is a good policy most of the time)

...but long TXT records are not garbage...
so refusing the zone - or just allowing any size of TXT data - is safe behaviour.
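
An added example, not part of the message above, not NSD's code, and not the r3639 change: a TXT character-string on the wire carries one length octet, so a single string holds at most 255 octets. The strict encoder refuses longer input instead of truncating it; the split encoder is one assumed way to accept data of any size, by emitting several consecutive character-strings. Function and macro names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define TXT_MAX_STRING 255   /* one length octet per character-string */
#define RDATA_MAX      65535 /* RDLENGTH is a 16-bit field */

/* Strict policy: encode exactly one character-string. Input that does not
 * fit the single length octet, or the output buffer, is refused; nothing
 * is truncated or written. Returns octets written, or -1 on refusal. */
long txt_encode_strict(const uint8_t *src, size_t len, uint8_t *out, size_t cap)
{
    if (len > TXT_MAX_STRING || len + 1 > cap)
        return -1;
    out[0] = (uint8_t)len;
    memcpy(out + 1, src, len);
    return (long)(len + 1);
}

/* Permissive policy: keep every octet by splitting the data into
 * consecutive character-strings of at most 255 octets each. Returns the
 * resulting RDATA length, or -1 if it would not fit the buffer or the
 * 16-bit RDLENGTH. An empty input yields one zero-length string. */
long txt_encode_split(const uint8_t *src, size_t len, uint8_t *out, size_t cap)
{
    size_t chunks, need, off = 0;

    if (len > RDATA_MAX)            /* also rules out size_t overflow below */
        return -1;
    chunks = len ? (len + TXT_MAX_STRING - 1) / TXT_MAX_STRING : 1;
    need = len + chunks;            /* payload plus one length octet per chunk */
    if (need > cap || need > RDATA_MAX)
        return -1;                  /* checked before any write to out */
    do {
        size_t n = len > TXT_MAX_STRING ? TXT_MAX_STRING : len;
        out[off++] = (uint8_t)n;
        memcpy(out + off, src, n);
        off += n;
        src += n;
        len -= n;
    } while (len > 0);
    return (long)off;
}
```

Both functions validate sizes before the first write, so oversized input produces a reportable error rather than a short record or an out-of-bounds copy.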


