Skip to content

GitLab

BIND
BIND
Closed
Opened by Felix Stupp@Zocker1999NET

nsupdate fails on check-names while using comma in non-interactive mode

Summary

I tried to add an entry for the domain , (FQDN used in this issue: ,.example.com) to my DNS server. For configuring domains I use Ansible which builds a file compatible to nsupdate and calls nsupdate respectively. However nsupdate fails and manual testing showed that the file was built correctly, however not accepted by nsupdate in non-interactive mode.

BIND version used

BIND 9.16.5-Debian (Stable Release) <id:c00b458>
running on Linux x86_64 4.19.0-5-amd64 #1 SMP Debian 4.19.37-5+deb10u1 (2019-07-19)
built by make with '--build=x86_64-linux-gnu' '--prefix=/usr' '--includedir=/usr/include' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--disable-silent-rules' '--libdir=/usr/lib/x86_64-linux-gnu' '--libexecdir=/usr/lib/x86_64-linux-gnu' '--disable-maintainer-mode' '--disable-dependency-tracking' '--libdir=/usr/lib/x86_64-linux-gnu' '--sysconfdir=/etc/bind' '--with-python=python3' '--localstatedir=/' '--enable-threads' '--enable-largefile' '--with-libtool' '--enable-shared' '--enable-static' '--with-gost=no' '--with-openssl=/usr' '--with-gssapi=/usr' '--with-libidn2' '--with-libjson-c' '--with-lmdb=/usr' '--with-gnu-ld' '--with-maxminddb' '--with-atf=no' '--enable-ipv6' '--enable-rrl' '--enable-filter-aaaa' '--disable-native-pkcs11' '--enable-dnstap' 'build_alias=x86_64-linux-gnu' 'CFLAGS=-g -O2 -fdebug-prefix-map=/build/bind9-9.16.5=. -fstack-protector-strong -Wformat -Werror=format-security -fno-strict-aliasing -fno-delete-null-pointer-checks -DNO_VERSION_DATE -DDIG_SIGCHASE' 'LDFLAGS=-Wl,-z,relro -Wl,-z,now' 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2'
compiled by GCC 8.3.0
compiled with OpenSSL version: OpenSSL 1.1.1d  10 Sep 2019
linked to OpenSSL version: OpenSSL 1.1.1d  10 Sep 2019
compiled with libxml2 version: 2.9.4
linked to libxml2 version: 20904
compiled with json-c version: 0.12.1
linked to json-c version: 0.12.1
compiled with zlib version: 1.2.11
linked to zlib version: 1.2.11
linked to maxminddb version: 1.3.2
compiled with protobuf-c version: 1.3.1
linked to protobuf-c version: 1.3.1
threads support is enabled

default paths:
  named configuration:  /etc/bind/named.conf
  rndc configuration:   /etc/bind/rndc.conf
  DNSSEC root key:      /etc/bind/bind.keys
  nsupdate session key: //run/named/session.key
  named PID file:       //run/named/named.pid
  named lock file:      //run/named/named.lock
  geoip-directory:      /usr/share/GeoIP

Steps to reproduce

This is an example configuration change in place of what I was to apply:

zone example.com.
ttl 86400
update delete ,.example.com. 0 IN A
update add ,.example.com. 86400 IN A 0.0.0.0
send

On a server running BIND enabled with dynamic updates and local-host mode support enabled for the zone example.com, store the configuration from above in a file and call nsupdate -l [file] or < [file] nsupdate -l.

What is the current bug behavior?

nsupdate called with the file like exampled above fails with following error:

check-names failed: bad owner ',.example.com'
syntax error

What is the expected correct behavior?

Change the A record for ,.example.com to 0.0.0.0.

Relevant configuration files

Seems to be an issue of nsupdate and not BIND, so configuration files should not matter.