
Greedy regular expression causes intermittent "nsupdate" system test failures

One of the checks in the nsupdate system test prepares an nsupdate script by processing a response to a DNSKEY query. Specifically, it attempts to change the TTL of the DNSKEY RRset (from 10 to 600). However, a greedy regular expression involved in that process may cause DNSKEY RDATA to be mangled instead of the TTL:

https://gitlab.isc.org/isc-private/bind9/-/jobs/2088895

05-Nov-2021 11:50:17.573 received client packet from 10.53.0.3#60245
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  38838
;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 2, ADDITIONAL: 0
;; ZONE SECTION:
;dnskey.test.			IN	SOA

;; UPDATE SECTION:
;dnskey.test.		600	IN	DNSKEY	256 3 5 (
;						AwEAAdS72SeIDeDR/y7ZxEToyLSQ
;						Q/rm7f3dQBo/GK8RjRZTjTxMchRW
;						itmi/kCJxSOW0rFV/ueWJTwcJbSq
;						upYYo1bgNUGNmLDoYfPEDIsClZrK
;						jaLjlSWb2v7nYGVuMpLGJX5D2NCm
;						QJz5uOQR+b7r/8uSW1eQzodpsLTm
;						XQCnuKvj
;						) ; ZSK; alg = RSASHA1 ; key id = 40375
;dnskey.test.		10	IN	DNSKEY	257 3 5 (
;						AwEAAa600INEzZ8hHtv3d2j5grzq
;						7gAvaWk2TxHTuFhRUuIVJxUNTpTa
;						vHvSbZglx/AXSGIIgfXDKd0VVXTa
;						sW0eewfCpjNol5Cgfnb+VlO5kmjW
;						6nr1UnLgd+H/sRdG1Ip8amR+D0Xi
;						pYmXnOFuO2VvFRBizPlWCFu1sQFr
;						sCRYXhB/
;						) ; KSK; alg = RSASHA1 ; key id = 19267

Note that the second DNSKEY RR still has a TTL of 10 seconds and contains the string 600 in its RDATA. Looking at the contents of ns3/dnskey.test.db confirms that the relevant RDATA originally contained a string matching the regular expression 10.IN, breaking the replacement:

$TTL 10
dnskey.test. IN SOA dnskey.test. hostmaster.dnskey.test. 1 3600 900 2419200 3600
dnskey.test. IN NS dnskey.test.
dnskey.test. IN A 10.53.0.3
; This is a key-signing key, keyid 18947, for dnskey.test.
; Created: 20211105114907 (Fri Nov  5 11:49:07 2021)
; Publish: 20211105114907 (Fri Nov  5 11:49:07 2021)
; Activate: 20211105114907 (Fri Nov  5 11:49:07 2021)
dnskey.test. IN DNSKEY 257 3 5 AwEAAa100INEzZ8hHtv3d2j5grzq7gAvaWk2TxHTuFhRUuIVJxUNTpTa vHvSbZglx/AXSGIIgfXDKd0VVXTasW0eewfCpjNol5Cgfnb+VlO5kmjW 6nr1UnLgd+H/sRdG1Ip8amR+D0XipYmXnOFuO2VvFRBizPlWCFu1sQFr sCRYXhB/

This cannot end well:

05-Nov-2021 11:50:17.573 dns_dnssec_findzonekeys2: error reading Kdnskey.test.+005+19267.private: file not found
Edited Nov 05, 2021 by Michał Kępień
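
The failure mode described above, reproduced as an added example (this is not code from the BIND test suite). The `sed` expression is an assumed shape built around the `10.IN` pattern named in the issue; the function names, the `awk` rewrite and the guard are hypothetical.

```shell
#!/bin/sh
# Constructed input: the KSK from the zone file above as a one-line answer
# (owner, TTL 10, class, type, RDATA). Its base64 text contains "100IN".
KEY='AwEAAa100INEzZ8hHtv3d2j5grzq7gAvaWk2TxHTuFhRUuIVJxUNTpTa vHvSbZglx/AXSGIIgfXDKd0VVXTasW0eewfCpjNol5Cgfnb+VlO5kmjW 6nr1UnLgd+H/sRdG1Ip8amR+D0XipYmXnOFuO2VvFRBizPlWCFu1sQFr sCRYXhB/'
record=$(printf 'dnskey.test.\t10\tIN\tDNSKEY\t257 3 5 %s' "$KEY")

# Assumed fragile rewrite: the greedy ".*" runs to the LAST "10.IN" on the
# line, and "." accepts any character, so "100IN" inside the key data wins
# over the real TTL field.
rewrite_greedy() {
    printf '%s\n' "$1" | sed -n 's/\(.*\)10.IN/update add \1600 IN/p'
}

# Field-based rewrite: change column 2 (the TTL) only, and only when the line
# really is "<owner> 10 IN DNSKEY ...". RDATA fields are copied untouched.
rewrite_ttl_field() {
    printf '%s\n' "$1" | awk '
        $2 == "10" && $3 == "IN" && $4 == "DNSKEY" {
            $2 = "600"
            print "update add " $0
        }'
}

# Concatenate fields s..NF so RDATA compares equal regardless of spacing.
rdata_from() {  # $1 = line, $2 = index of the first RDATA field
    printf '%s\n' "$1" | awk -v s="$2" '{ for (i = s; i <= NF; i++) printf "%s", $i }'
}

# Guard: the generated update must carry TTL 600 and unchanged RDATA.
check_update() {  # $1 = original record, $2 = generated "update add" line
    new_ttl=$(printf '%s\n' "$2" | awk '{ print $4 }')
    [ "$new_ttl" = "600" ] && [ "$(rdata_from "$1" 5)" = "$(rdata_from "$2" 7)" ]
}

for fn in rewrite_greedy rewrite_ttl_field; do
    out=$($fn "$record")
    if check_update "$record" "$out"; then verdict=ok; else verdict=MANGLED; fi
    printf '%s: %s\n  %s\n' "$fn" "$verdict" "$out"
done
```

Because whitespace inside base64 RDATA is ignored when the update is parsed, the mangled line is still syntactically valid, which is why the damage only surfaces later as a key-file lookup for a different key id.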