W or w characters in domain names are altered to "\000"
Summary
We recently upgraded our bind9 from 1:9.16.16-2+ubuntu18.04.1+isc+1 to 1:9.16.17-1+ubuntu21.04.1+isc+1 and started experiencing some wildcard names not being resolved; the resolver returns SERVFAIL for them. After some troubleshooting we found the following:
Under certain (reproducible) conditions, the name in the answer does not match the name in the question. The issue reproduces when both of the following hold:
- The name in the question contains the character "W".
- The name in the query matches a wildcard record in the zone.
In the answer, the letter "W" (which should come back as "w") is then replaced with "\000".
BIND version used
```
BIND 9.16.17-Ubuntu (Stable Release) <id:fe79347>
running on Linux x86_64 4.15.0-143-generic #147-Ubuntu SMP Wed Apr 14 16:10:11 UTC 2021
built by make with '--build=x86_64-linux-gnu' '--prefix=/usr' '--includedir=/usr/include' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--disable-silent-rules' '--libdir=/usr/lib/x86_64-linux-gnu' '--libexecdir=/usr/lib/x86_64-linux-gnu' '--disable-maintainer-mode' '--disable-dependency-tracking' '--libdir=/usr/lib/x86_64-linux-gnu' '--sysconfdir=/etc/bind' '--with-python=python3' '--localstatedir=/' '--enable-threads' '--enable-largefile' '--with-libtool' '--enable-shared' '--enable-static' '--with-gost=no' '--with-openssl=/usr' '--with-gssapi=/usr' '--with-libidn2' '--with-json-c' '--with-lmdb=/usr' '--with-gnu-ld' '--with-maxminddb' '--with-atf=no' '--enable-ipv6' '--enable-rrl' '--enable-filter-aaaa' '--disable-native-pkcs11' '--enable-dnstap' 'build_alias=x86_64-linux-gnu' 'CFLAGS=-g -O2 -fdebug-prefix-map=/build/bind9-yfFgL0/bind9-9.16.17=. -fstack-protector-strong -Wformat -Werror=format-security -fno-strict-aliasing -fno-delete-null-pointer-checks -DNO_VERSION_DATE -DDIG_SIGCHASE' 'LDFLAGS=-Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-z,now' 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2'
compiled by GCC 7.5.0
compiled with OpenSSL version: OpenSSL 1.1.1 11 Sep 2018
linked to OpenSSL version: OpenSSL 1.1.1 11 Sep 2018
compiled with libuv version: 1.38.1
linked to libuv version: 1.38.0
compiled with libxml2 version: 2.9.4
linked to libxml2 version: 20904
compiled with json-c version: 0.12.1
linked to json-c version: 0.12.1
compiled with zlib version: 1.2.11
linked to zlib version: 1.2.11
linked to maxminddb version: 1.3.2
compiled with protobuf-c version: 1.3.1
linked to protobuf-c version: 1.3.1
threads support is enabled
default paths:
  named configuration: /etc/bind/named.conf
  rndc configuration: /etc/bind/rndc.conf
  DNSSEC root key: /etc/bind/bind.keys
  nsupdate session key: //run/named/session.key
  named PID file: //run/named/named.pid
  named lock file: //run/named/named.lock
  geoip-directory: /usr/share/GeoIP
```
Steps to reproduce
Start a container:

```
docker run --rm -it ubuntu:bionic
```

Then in the container, run:

```
# install packages
apt-get update &&
apt-get -y install software-properties-common &&
add-apt-repository -y ppa:isc/bind &&
apt-get update &&
apt-get install -y bind9=1:9.16.17-1+ubuntu18.04.1+isc+1 dnsutils

# populate zone data
cat <<EOT > /tmp/test.local.zone
test.local. 1 SOA ns1.test.local. admin.test.local. 1 1 1 1 1
test.local. 1 NS ns1.test.local.
ns1.test.local. 1 A 127.0.0.1
UVW.test.local. 1 A 127.0.0.1
*.sub.test.local. 1 A 127.0.0.1
EOT

# set named configuration
cat <<EOT > /etc/bind/named.conf
options { recursion no; };
zone "test.local" IN { type master; file "/tmp/test.local.zone"; };
EOT

named # start named process
```
Run the dig commands below in the same container and check the answers:

```
dig @127.0.0.1 +noall +answer -t A ABC.sub.test.local. # this will succeed
dig @127.0.0.1 +noall +answer -t A UVW.sub.test.local. # "W" in the answer will be altered to "\000"
dig @127.0.0.1 +noall +answer -t A UVW.test.local. # this will succeed despite the "W"
```
What is the current bug behavior?
```
/# dig @127.0.0.1 +noall +answer -t A ABC.sub.test.local.
abc.sub.test.local. 1 IN A 127.0.0.1
/# dig @127.0.0.1 +noall +answer -t A UVW.sub.test.local.
uv\000.sub.test.local. 1 IN A 127.0.0.1 <- "W" was altered
/# dig @127.0.0.1 +noall +answer -t A UVW.test.local.
UVW.test.local. 1 IN A 127.0.0.1
```
What is the expected correct behavior?
```
/# dig @127.0.0.1 +noall +answer -t A UVW.sub.test.local.
uvw.sub.test.local. 1 IN A 127.0.0.1
```
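A small regression check for this class of bug, added here as an example and not part of the original report: it takes the owner name from each `dig +noall +answer` line, decodes dig's presentation-format escapes (dig prints a non-printable octet as a three-digit decimal `\DDD`, so `\000` is a NUL octet where the `w` should be), and compares the owner name to the queried name the way DNS does, ignoring only ASCII letter case (RFC 4343). The three sample lines are constructed from the output shown above; pointing the same check at live dig output is the obvious next step.

```python
"""Verify that answer owner names match the queried name under DNS case rules.

Added example; the sample lines are constructed from the bug report's dig
output and are the only input used here."""
import re

# Constructed input: queried name -> first line of `dig +noall +answer` output.
SAMPLE_ANSWERS = {
    "ABC.sub.test.local.": "abc.sub.test.local. 1 IN A 127.0.0.1",
    "UVW.sub.test.local.": "uv\\000.sub.test.local. 1 IN A 127.0.0.1",
    "UVW.test.local.":     "UVW.test.local. 1 IN A 127.0.0.1",
}

# Presentation-format escapes: \DDD (decimal octet) or \X (literal X).
_ESCAPE = re.compile(r"\\(\d{3}|.)")


def decode_presentation(name: str) -> bytes:
    """Turn a presentation-format name into its raw octets."""
    def repl(m: re.Match) -> str:
        tok = m.group(1)
        if len(tok) == 3 and tok.isdigit():
            val = int(tok)
            if val > 255:
                raise ValueError(f"escape \\{tok} is not a valid octet")
            return chr(val)
        return tok  # \. \\ and friends: the literal character
    # latin-1 maps each code point 0..255 to exactly one octet
    return _ESCAPE.sub(repl, name).encode("latin-1")


def names_match(question: str, owner: str) -> bool:
    """RFC 4343 comparison: ASCII letters fold case, every other octet must be
    identical. bytes.lower() only folds A-Z, which is exactly the DNS rule."""
    return decode_presentation(question).lower() == decode_presentation(owner).lower()


def check_answer_line(question: str, line: str) -> dict:
    """Inspect one answer line: does its owner match, and did a NUL sneak in?"""
    owner = line.split()[0]
    raw = decode_presentation(owner)
    return {
        "question": question,
        "owner": owner,
        "matches": names_match(question, owner),
        "has_nul": b"\x00" in raw,
    }


def run_checks(answers: dict = SAMPLE_ANSWERS) -> list:
    """Run the check over every (question, answer line) pair."""
    return [check_answer_line(q, line) for q, line in answers.items()]


if __name__ == "__main__":
    for r in run_checks():
        status = "ok" if r["matches"] else "MISMATCH"
        print(f"{status:8} question={r['question']} owner={r['owner']} nul={r['has_nul']}")
```

Running it flags only the `UVW.sub.test.local.` line as a mismatch containing a NUL octet, which is the wildcard-plus-"W" case the report describes; a recursive resolver that rejects an answer whose owner name does not match the question would surface exactly that as SERVFAIL.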
Relevant configuration files
Configurations used to reproduce the issue:

named.conf
```
options { recursion no; };
zone "test.local" IN { type master; file "/tmp/test.local.zone"; };
```

test.local.zone
```
test.local. 1 SOA ns1.test.local. admin.test.local. 1 1 1 1 1
test.local. 1 NS ns1.test.local.
ns1.test.local. 1 A 127.0.0.1
UVW.test.local. 1 A 127.0.0.1
*.sub.test.local. 1 A 127.0.0.1
```