[nsd-users] * CNAME loop

Matthijs Mekking matthijs at nlnetlabs.nl
Thu Nov 21 14:03:45 UTC 2013


Hi,

This behavior seems to have been introduced in 3.2.11, when fixing:

- Fix for qtype ANY for a wildcard domain in NSEC signed zone: Don't
  add the wildcard domain NSEC into the answer section. Instead,
  put the wildcard expanded NSEC into the answer section and keep the
  wildcard domain NSEC in the authority section.

The fix to that was to differentiate between a domain and a wildcard
expanded domain. As a side effect, all those CNAME records below with
the expanded wildcard domain as owner are different according to NSD.

There is a better fix for this in the repository, which handles both
scenarios well, so expect it in upcoming releases of NSD3 and NSD4. The
response to the query below is now like:

$ dig @127.0.0.1 sdfgsfg.test.com
;; Truncated, retrying in TCP mode.

; <<>> DiG 9.8.1-P1 <<>> @127.0.0.1 sdfgsfg.test.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30440
;; flags: qr aa tc rd; QUERY: 1, ANSWER: 4678, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;sdfgsfg.test.com.        IN    A

;; ANSWER SECTION:
sdfgsfg.test.com.    6400    IN    CNAME    none.test.com.
none.test.com.        6400    IN    CNAME    none.test.com.

;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Nov 21 15:02:14 2013
;; MSG SIZE  rcvd: 76


Best regards,
  Matthijs



On 11/19/2013 08:43 PM, Roy Arends wrote:
> Interesting…
> 
> The combination of wildcards and cnames with a nonexistent canonical name in a single record is not a good idea in general. If these records can be found in the wild, on an NSD-only server pool, this can lead to denial of service attacks against resolvers.
> 
> There are some clarifications of wildcards in the DNS that deal with CNAME. That can be found in RFC 4592. I’ve quickly glanced over it, and it seems that the behaviour is consistent with that RFC. (I might be wrong though).
> 
> Roy
> 
> 
> On 19 Nov 2013, at 14:14, Chris LaVallee <clavallee at edgecast.com> wrote:
> 
>> Hi,
>>
>> I'm testing:
>>
>> $ sudo nsd-control status
>> version: 4.0.1
>> verbosity: 2
>>
>> I found a loop problem with this record:
>> *         IN  CNAME   none
>> ("none" means no matching record in zone and therefore match * again)
>>
>> Queries that use "* CNAME" will result in a loop. The response will use TCP and will be limited to 65k bytes.
>>
>> $ dig @127.0.0.1 sdfgsfg.test.com
>>
>> ;; Truncated, retrying in TCP mode.
>>
>> ; <<>> DiG 9.8.1-P1 <<>> @127.0.0.1 sdfgsfg.test.com
>> ; (1 server found)
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30440
>> ;; flags: qr aa tc rd; QUERY: 1, ANSWER: 4678, AUTHORITY: 0, ADDITIONAL: 0
>> ;; WARNING: recursion requested but not available
>>
>> ;; QUESTION SECTION:
>> ;sdfgsfg.test.com.        IN    A
>>
>> ;; ANSWER SECTION:
>> sdfgsfg.test.com.    6400    IN    CNAME    none.test.com.
>> none.test.com.        6400    IN    CNAME    none.test.com.
>> none.test.com.        6400    IN    CNAME    none.test.com.
>> none.test.com.        6400    IN    CNAME    none.test.com.
>> none.test.com.        6400    IN    CNAME    none.test.com.
>> none.test.com.        6400    IN    CNAME    none.test.com.
>> none.test.com.        6400    IN    CNAME    none.test.com.
>> none.test.com.        6400    IN    CNAME    none.test.com.
>> none.test.com.        6400    IN    CNAME    none.test.com.
>> none.test.com.        6400    IN    CNAME    none.test.com.
>> none.test.com.        6400    IN    CNAME    none.test.com.
>> none.test.com.        6400    IN    CNAME    none.test.com.
>> none.test.com.        6400    IN    CNAME    none.test.com.
>> none.test.com.        6400    IN    CNAME    none.test.com.
>> .
>> .
>> .
>> none.test.com.        6400    IN    CNAME    none.test.com.
>> none.test.com.        6400    IN    CNAME    none.test.com.
>> none.test.com.        6400    IN    CNAME    none.test.com.
>> none.test.com.        6400    IN    CNAME    none.test.com.
>>
>> ;; Query time: 85 msec
>> ;; SERVER: 127.0.0.1#53(127.0.0.1)
>> ;; WHEN: Tue Nov 19 08:36:52 2013
>> ;; MSG SIZE  rcvd: 65531
>>
>> --------------------------------------------
>>
>> A more likely example of this problem is below 
>> *         IN  CNAME  www.google.com    (ending dot is missing)
>>
>> ;; QUESTION SECTION:
>> ;sdfgsf.test.com.               IN      A
>>
>> ;; ANSWER SECTION:
>> sdfgsf.test.com.        6400    IN      CNAME   www.google.com.test.com.
>> www.google.com.test.com. 6400   IN      CNAME   www.google.com.test.com.
>> www.google.com.test.com. 6400   IN      CNAME   www.google.com.test.com.
>> www.google.com.test.com. 6400   IN      CNAME   www.google.com.test.com.
>> www.google.com.test.com. 6400   IN      CNAME   www.google.com.test.com.
>> www.google.com.test.com. 6400   IN      CNAME   www.google.com.test.com.
>> www.google.com.test.com. 6400   IN      CNAME   www.google.com.test.com.
>> www.google.com.test.com. 6400   IN      CNAME   www.google.com.test.com.
>>
>>
>> Chris
>>
>>
>>
>> _______________________________________________
>> nsd-users mailing list
>> nsd-users at NLnetLabs.nl
>> http://open.nlnetlabs.nl/mailman/listinfo/nsd-users
> 
> 
> 
> 
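
The loop Chris reports and the owner-identity side effect Matthijs describes, modelled in Python as an added, constructed example (not NSD's code): `qualify` shows how the missing trailing dot turns `www.google.com` into `www.google.com.test.com`, and `build_answer` follows the synthesized CNAME chain with and without the wildcard-expanded owner being treated as a node distinct from the plain name. It assumes a simplified closest-encloser wildcard match and a record cap standing in for the 64 KiB TCP message limit.

```python
"""Model of wildcard CNAME synthesis for the '* CNAME none' case in this thread.
Constructed example, not NSD code; names are fully qualified with a trailing dot."""

def qualify(name, origin):
    """Zone-file rule: a name without a trailing dot is relative to $ORIGIN,
    which is how '* CNAME www.google.com' becomes www.google.com.test.com."""
    return name if name.endswith(".") else f"{name}.{origin}"

ORIGIN = "test.com."
# Constructed zone: just an apex SOA and the reported wildcard CNAME.
ZONE = {
    ORIGIN: {"SOA": ["ns1.test.com. hostmaster.test.com. 1 3600 900 604800 6400"]},
    "*." + ORIGIN: {"CNAME": [qualify("none", ORIGIN)]},
}

def lookup(zone, qname):
    """Exact match, else simplified RFC 4592 wildcard synthesis against the
    nearest existing '*' node. Returns (rrset or None, synthesized?)."""
    if qname in zone:
        return zone[qname], False
    labels = qname.split(".")
    for i in range(1, len(labels) - 1):          # try *.test.com., *.com., ...
        wild = "*." + ".".join(labels[i:])
        if wild in zone:
            return zone[wild], True
    return None, False

def build_answer(zone, qname, cap=4678, distinguish_expanded=False):
    """Follow in-zone CNAMEs; stop when the target is an owner already in the
    answer. With distinguish_expanded=True a wildcard-expanded owner is tracked
    as a node distinct from the plain name (the NSD 3.2.11 side effect described
    in the thread), so the self-referencing synthesized CNAME is never recognised
    and only the cap stops the chain (4678 records filled the 65531-byte reply)."""
    answer, seen, name, serial = [], set(), qname, 0
    while len(answer) < cap:
        rrset, synthesized = lookup(zone, name)
        if rrset is None or "CNAME" not in rrset:
            break
        target = rrset["CNAME"][0]
        answer.append((name, "CNAME", target))
        if distinguish_expanded and synthesized:
            serial += 1
            seen.add((name, serial))   # fresh identity each expansion: never matches
        else:
            seen.add(name)
        if target in seen:             # target already answered: chain ends here
            break
        name = target
    return answer
```

The default mode reproduces the two-record answer from the fixed server above; `distinguish_expanded=True` reproduces the 4678-record answer from the original report.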



