This is not a support question, I have read about opensource and will send support questions to the IRC channel, Github Discussions or the mailing list.
Hello,
When I add a long CAA RR to the zone file in pdns (longer than 255 characters for the 'tag'), I see that it creates a wrong RR and serves it to the client.
Environment
Operating system: Ubuntu 24.04
Software version: PowerDNS Authoritative Server 4.8.3
Software source: Ubuntu repository
Steps to reproduce
Here is the content of the zone file when I run the command sudo -u pdns pdnsutil edit-zone fakedomain.fake:
; Warning - every name in this file is ABSOLUTE!
$ORIGIN .
fakedomain.fake 3600 IN SOA ns1.fakedomain.fake hostmaster.fakedomain.fake 18 10800 3600 604800 3600
fakedomain.fake 3600 IN A 4.5.6.7
fakedomain.fake 3600 IN NS ns1.fakedomain.fake
fakedomain.fake 3600 IN CAA 1 issuewilddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddkkkkdddddddddddddddddddddddddddaaaa
ns1.fakedomain.fake 3600 IN A 1.2.3.4
Now if I query with dig: dig @127.0.0.1 -p 5300 fakedomain.fake caa
Here is the output:
; <<>> DiG 9.18.28-0ubuntu0.24.04.1-Ubuntu <<>> @127.0.0.1 -p 5300 fakedomain.fake caa
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48637
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: f7ab1e56dfdf551f0100000066bb690e20f1b09918f7c6e7 (good)
;; QUESTION SECTION:
;fakedomain.fake. IN CAA
;; ANSWER SECTION:
fakedomain.fake. 3600 IN CAA 1 issuewilddddddddddddddddddddd "dddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddkkkkdddddddddddddddddddddddddddaaaa\000"
;; Query time: 1 msec
;; SERVER: 127.0.0.1#5300(127.0.0.1) (UDP)
;; WHEN: Tue Aug 13 16:09:18 CEST 2024
;; MSG SIZE rcvd: 372
Looking at the Wireshark captured data:
Domain Name System (response)
Transaction ID: 0xbdfd
Flags: 0x8500 Standard query response, No error
1... .... .... .... = Response: Message is a response
.000 0... .... .... = Opcode: Standard query (0)
.... .1.. .... .... = Authoritative: Server is an authority for domain
.... ..0. .... .... = Truncated: Message is not truncated
.... ...1 .... .... = Recursion desired: Do query recursively
.... .... 0... .... = Recursion available: Server can't do recursive queries
.... .... .0.. .... = Z: reserved (0)
.... .... ..0. .... = Answer authenticated: Answer/authority portion was not authenticated by the server
.... .... ...0 .... = Non-authenticated data: Unacceptable
.... .... .... 0000 = Reply code: No error (0)
Questions: 1
Answer RRs: 1
Authority RRs: 0
Additional RRs: 1
Queries
Answers
fakedomain.fake: type CAA, class IN
Name: fakedomain.fake
Type: CAA (257) (Certification Authority Restriction)
Class: IN (0x0001)
Time to live: 3600 (1 hour)
Data length: 288
CAA Flags: 0x01
Unknown tag [truncated]: dddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd
Tag length: 29
Tag: issuewilddddddddddddddddddddd
Value [truncated]: dddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd
Additional records
[Request In: 81883]
[Time: 0.000344364 seconds]
In the Wireshark output, we have Tag length: 29. Where is it coming from? Is it normal? Because if I do the same with Bind9, I get SERVFAIL as the response.
Expected behaviour
I guess it either should not let me enter this value in the zone file or should return SERVFAIL in the response.
Actual behaviour
It sends the wrong data to the client.
Other information
That's all. Thanks for helping and the great software.
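Added example, not code from the report or from PowerDNS: a minimal CAA RDATA encoder and decoder in Python showing why a 285-octet tag surfaces as "Tag length: 29" on the wire (the RFC 8659 tag-length field is one octet, and 285 & 0xFF == 29, consistent with the 288-octet data length captured above), next to a validating encoder that rejects the record instead of serialising it. The long tag is a constructed placeholder with the same length as the one in the zone file, the trailing \000 octet seen in the dig output is not modelled, and the function names are hypothetical.

```python
import re
import struct

# RFC 8659 section 4.1: CAA RDATA is flags (1 octet), tag length (1 octet),
# the tag, then the value filling the rest of the RDATA. Because the tag
# length is a single octet, a tag longer than 255 octets cannot be expressed.
TAG_RE = re.compile(r"^[A-Za-z0-9]{1,255}$")


def encode_caa_unchecked(flags: int, tag: str, value: str) -> bytes:
    """Naive serializer: masks the tag length to 8 bits instead of rejecting
    it, which reproduces the wire record in the report (285 -> 29)."""
    tag_b = tag.encode("ascii")
    return bytes([flags & 0xFF, len(tag_b) & 0xFF]) + tag_b + value.encode("ascii")


def encode_caa(flags: int, tag: str, value: str) -> bytes:
    """Validating serializer: refuses anything the wire format cannot carry."""
    if not 0 <= flags <= 255:
        raise ValueError("flags must fit in one octet")
    if not TAG_RE.match(tag):
        raise ValueError("tag must be 1-255 US-ASCII letters or digits")
    tag_b = tag.encode("ascii")
    return struct.pack("!BB", flags, len(tag_b)) + tag_b + value.encode("utf-8")


def decode_caa(rdata: bytes) -> tuple[int, str, bytes]:
    """Parse RDATA the way a resolver does: trust the tag-length octet."""
    if len(rdata) < 2:
        raise ValueError("CAA RDATA too short")
    flags, tag_len = rdata[0], rdata[1]
    if len(rdata) < 2 + tag_len:
        raise ValueError("tag length exceeds RDATA")
    return flags, rdata[2:2 + tag_len].decode("ascii"), rdata[2 + tag_len:]


def validating_encoder_rejects(tag: str) -> bool:
    """True when encode_caa refuses the tag (expected for an over-long one)."""
    try:
        encode_caa(1, tag, "")
    except ValueError:
        return True
    return False


# Constructed 285-octet tag shaped like the one in the report; the exact
# filler differs, only the length matters (285 & 0xFF == 29).
LONG_TAG = "issuewild" + "d" * 243 + "kkkk" + "d" * 25 + "aaaa"


def reproduce() -> tuple[int, str, bytes]:
    """Serialise the long tag naively and re-parse it: tag becomes 29 octets."""
    return decode_caa(encode_caa_unchecked(1, LONG_TAG, ""))
```

Running reproduce() returns the 29-octet tag "issuewild" followed by twenty "d" characters, exactly what dig and Wireshark showed, with the remaining 256 octets of the intended tag reinterpreted as the value.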