nsupdate fails on check-names while using comma in non-interactive mode (#2063) · Issues · ISC Open Source Projects / BIND

nsupdate fails on check-names while using comma in non-interactive mode

Summary

I tried to add an entry for the domain , (FQDN used in this issue: ,.example.com) to my DNS server. For configuring domains I use Ansible which builds a file compatible to nsupdate and calls nsupdate respectively. However nsupdate fails and manual testing showed that the file was built correctly, however not accepted by nsupdate in non-interactive mode.

BIND version used

BIND 9.16.5-Debian (Stable Release) <id:c00b458>
running on Linux x86_64 4.19.0-5-amd64 #1 SMP Debian 4.19.37-5+deb10u1 (2019-07-19)
built by make with '--build=x86_64-linux-gnu' '--prefix=/usr' '--includedir=/usr/include' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--disable-silent-rules' '--libdir=/usr/lib/x86_64-linux-gnu' '--libexecdir=/usr/lib/x86_64-linux-gnu' '--disable-maintainer-mode' '--disable-dependency-tracking' '--libdir=/usr/lib/x86_64-linux-gnu' '--sysconfdir=/etc/bind' '--with-python=python3' '--localstatedir=/' '--enable-threads' '--enable-largefile' '--with-libtool' '--enable-shared' '--enable-static' '--with-gost=no' '--with-openssl=/usr' '--with-gssapi=/usr' '--with-libidn2' '--with-libjson-c' '--with-lmdb=/usr' '--with-gnu-ld' '--with-maxminddb' '--with-atf=no' '--enable-ipv6' '--enable-rrl' '--enable-filter-aaaa' '--disable-native-pkcs11' '--enable-dnstap' 'build_alias=x86_64-linux-gnu' 'CFLAGS=-g -O2 -fdebug-prefix-map=/build/bind9-9.16.5=. -fstack-protector-strong -Wformat -Werror=format-security -fno-strict-aliasing -fno-delete-null-pointer-checks -DNO_VERSION_DATE -DDIG_SIGCHASE' 'LDFLAGS=-Wl,-z,relro -Wl,-z,now' 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2'
compiled by GCC 8.3.0
compiled with OpenSSL version: OpenSSL 1.1.1d  10 Sep 2019
linked to OpenSSL version: OpenSSL 1.1.1d  10 Sep 2019
compiled with libxml2 version: 2.9.4
linked to libxml2 version: 20904
compiled with json-c version: 0.12.1
linked to json-c version: 0.12.1
compiled with zlib version: 1.2.11
linked to zlib version: 1.2.11
linked to maxminddb version: 1.3.2
compiled with protobuf-c version: 1.3.1
linked to protobuf-c version: 1.3.1
threads support is enabled

default paths:
  named configuration:  /etc/bind/named.conf
  rndc configuration:   /etc/bind/rndc.conf
  DNSSEC root key:      /etc/bind/bind.keys
  nsupdate session key: //run/named/session.key
  named PID file:       //run/named/named.pid
  named lock file:      //run/named/named.lock
  geoip-directory:      /usr/share/GeoIP

Steps to reproduce

This is an example configuration change in place of what I was to apply:

zone example.com.
ttl 86400
update delete ,.example.com. 0 IN A
update add ,.example.com. 86400 IN A 0.0.0.0
send

On a server running BIND enabled with dynamic updates and local-host mode support enabled for the zone example.com, store the configuration from above in a file and call nsupdate -l [file] or < [file] nsupdate -l.

What is the current bug behavior?

nsupdate called with the file like exampled above fails with following error:

check-names failed: bad owner ',.example.com'
syntax error

What is the expected correct behavior?

Change the A record for ,.example.com to 0.0.0.0.

Relevant configuration files

Seems to be an issue of nsupdate and not BIND, so configuration files should not matter.

### Summary

I tried to add an entry for the domain `,` (FQDN used in this issue: `,.example.com`) to my DNS server. For configuring domains I use Ansible which builds a file compatible to nsupdate and calls nsupdate respectively. However nsupdate fails and manual testing showed that the file was built correctly, however not accepted by nsupdate in non-interactive mode.

### BIND version used

```
BIND 9.16.5-Debian (Stable Release) <id:c00b458>
running on Linux x86_64 4.19.0-5-amd64 #1 SMP Debian 4.19.37-5+deb10u1 (2019-07-19)
built by make with '--build=x86_64-linux-gnu' '--prefix=/usr' '--includedir=/usr/include' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--disable-silent-rules' '--libdir=/usr/lib/x86_64-linux-gnu' '--libexecdir=/usr/lib/x86_64-linux-gnu' '--disable-maintainer-mode' '--disable-dependency-tracking' '--libdir=/usr/lib/x86_64-linux-gnu' '--sysconfdir=/etc/bind' '--with-python=python3' '--localstatedir=/' '--enable-threads' '--enable-largefile' '--with-libtool' '--enable-shared' '--enable-static' '--with-gost=no' '--with-openssl=/usr' '--with-gssapi=/usr' '--with-libidn2' '--with-libjson-c' '--with-lmdb=/usr' '--with-gnu-ld' '--with-maxminddb' '--with-atf=no' '--enable-ipv6' '--enable-rrl' '--enable-filter-aaaa' '--disable-native-pkcs11' '--enable-dnstap' 'build_alias=x86_64-linux-gnu' 'CFLAGS=-g -O2 -fdebug-prefix-map=/build/bind9-9.16.5=. -fstack-protector-strong -Wformat -Werror=format-security -fno-strict-aliasing -fno-delete-null-pointer-checks -DNO_VERSION_DATE -DDIG_SIGCHASE' 'LDFLAGS=-Wl,-z,relro -Wl,-z,now' 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2'
compiled by GCC 8.3.0
compiled with OpenSSL version: OpenSSL 1.1.1d  10 Sep 2019
linked to OpenSSL version: OpenSSL 1.1.1d  10 Sep 2019
compiled with libxml2 version: 2.9.4
linked to libxml2 version: 20904
compiled with json-c version: 0.12.1
linked to json-c version: 0.12.1
compiled with zlib version: 1.2.11
linked to zlib version: 1.2.11
linked to maxminddb version: 1.3.2
compiled with protobuf-c version: 1.3.1
linked to protobuf-c version: 1.3.1
threads support is enabled

default paths:
  named configuration:  /etc/bind/named.conf
  rndc configuration:   /etc/bind/rndc.conf
  DNSSEC root key:      /etc/bind/bind.keys
  nsupdate session key: //run/named/session.key
  named PID file:       //run/named/named.pid
  named lock file:      //run/named/named.lock
  geoip-directory:      /usr/share/GeoIP
```

### Steps to reproduce

This is an example configuration change in place of what I was to apply:
```
zone example.com.
ttl 86400
update delete ,.example.com. 0 IN A
update add ,.example.com. 86400 IN A 0.0.0.0
send
```

On a server running BIND enabled with dynamic updates and local-host mode support enabled for the zone `example.com`, store the configuration from above in a file and call `nsupdate -l [file]` or `< [file] nsupdate -l`.

### What is the current *bug* behavior?

nsupdate called with the file like exampled above fails with following error:
```
check-names failed: bad owner ',.example.com'
syntax error
```

### What is the expected *correct* behavior?

Change the `A` record for `,.example.com` to `0.0.0.0`.

### Relevant configuration files

Seems to be an issue of nsupdate and not BIND, so configuration files should not matter.

Discussion
Designs

The one place for your designs

To enable design management, you'll need to meet the requirements. If you need help, reach out to our support team for assistance.