Greedy regular expression causes intermittent "nsupdate" system test failures
One of the checks in the nsupdate system test prepares an nsupdate script by processing a response to a DNSKEY query. Specifically, it attempts to change the TTL of the DNSKEY RRset (from 10 to 600). However, a greedy regular expression involved in that process may cause DNSKEY RDATA to be mangled instead of the TTL:
https://gitlab.isc.org/isc-private/bind9/-/jobs/2088895
05-Nov-2021 11:50:17.573 received client packet from 10.53.0.3#60245
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 38838
;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 2, ADDITIONAL: 0
;; ZONE SECTION:
;dnskey.test. IN SOA
;; UPDATE SECTION:
;dnskey.test. 600 IN DNSKEY 256 3 5 (
; AwEAAdS72SeIDeDR/y7ZxEToyLSQ
; Q/rm7f3dQBo/GK8RjRZTjTxMchRW
; itmi/kCJxSOW0rFV/ueWJTwcJbSq
; upYYo1bgNUGNmLDoYfPEDIsClZrK
; jaLjlSWb2v7nYGVuMpLGJX5D2NCm
; QJz5uOQR+b7r/8uSW1eQzodpsLTm
; XQCnuKvj
; ) ; ZSK; alg = RSASHA1 ; key id = 40375
;dnskey.test. 10 IN DNSKEY 257 3 5 (
; AwEAAa600INEzZ8hHtv3d2j5grzq
; 7gAvaWk2TxHTuFhRUuIVJxUNTpTa
; vHvSbZglx/AXSGIIgfXDKd0VVXTa
; sW0eewfCpjNol5Cgfnb+VlO5kmjW
; 6nr1UnLgd+H/sRdG1Ip8amR+D0Xi
; pYmXnOFuO2VvFRBizPlWCFu1sQFr
; sCRYXhB/
; ) ; KSK; alg = RSASHA1 ; key id = 19267
Note that the second DNSKEY RR still has a TTL of 10 seconds and contains the string 600 in its RDATA. Looking at the contents of ns3/dnskey.test.db confirms that the relevant RDATA originally contained a string matching the regular expression 10.IN, breaking the replacement:
$TTL 10
dnskey.test. IN SOA dnskey.test. hostmaster.dnskey.test. 1 3600 900 2419200 3600
dnskey.test. IN NS dnskey.test.
dnskey.test. IN A 10.53.0.3
; This is a key-signing key, keyid 18947, for dnskey.test.
; Created: 20211105114907 (Fri Nov 5 11:49:07 2021)
; Publish: 20211105114907 (Fri Nov 5 11:49:07 2021)
; Activate: 20211105114907 (Fri Nov 5 11:49:07 2021)
dnskey.test. IN DNSKEY 257 3 5 AwEAAa100INEzZ8hHtv3d2j5grzq7gAvaWk2TxHTuFhRUuIVJxUNTpTa vHvSbZglx/AXSGIIgfXDKd0VVXTasW0eewfCpjNol5Cgfnb+VlO5kmjW 6nr1UnLgd+H/sRdG1Ip8amR+D0XipYmXnOFuO2VvFRBizPlWCFu1sQFr sCRYXhB/
This cannot end well:
05-Nov-2021 11:50:17.573 dns_dnssec_findzonekeys2: error reading Kdnskey.test.+005+19267.private: file not found
Edited by Michał Kępień
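
The failure mode described in this issue, reproduced as an added example (not code from the BIND 9 test suite). The test's actual command is not shown on this page, so the greedy `\(.*\)10.IN` substitution and the `update add` prefix are assumptions, as are the function names and the shortened RDATA; the awk variant is one possible field-based alternative, not the project's fix.

```shell
#!/bin/sh
# Constructed input: DNSKEY RRs in "owner TTL class type RDATA" form, with RDATA
# shortened from the records quoted in the issue.
# KSK whose base64 happens to contain "100IN", which matches the regex 10.IN:
KSK='dnskey.test. 10 IN DNSKEY 257 3 5 AwEAAa100INEzZ8hHtv3d2j5grzq7gAvaWk2TxHTuFhRUuIVJxUNTpTa sCRYXhB/'
# ZSK whose base64 contains no such substring:
ZSK='dnskey.test. 10 IN DNSKEY 256 3 5 AwEAAdS72SeIDeDR/y7ZxEToyLSQ XQCnuKvj'

# Assumed shape of the fragile rewrite. The greedy ".*" consumes as much of the
# line as it can, so sed replaces the LAST "10.IN" match, and "." matches any
# character, so "100IN" inside the key material qualifies.
greedy_rewrite() {
    printf '%s\n' "$1" | sed -n 's/\(.*\)10.IN/update add \1600 IN/p'
}

# Field-based rewrite: change field 2 only when the record really is
# "<owner> 10 IN DNSKEY ..."; RDATA is never inspected by the match.
field_rewrite() {
    printf '%s\n' "$1" |
        awk '$2 == "10" && $3 == "IN" && $4 == "DNSKEY" { $2 = "600"; print "update add " $0 }'
}

# Extract the TTL (third word after "update add") from a rewritten line.
ttl_of() {
    printf '%s\n' "$1" | awk '{ print $4 }'
}

for rr in "$ZSK" "$KSK"; do
    echo "greedy: $(greedy_rewrite "$rr")"
    echo "field:  $(field_rewrite "$rr")"
done
```

Whether the greedy form fails depends only on the randomly generated key material, which is why the test failure is intermittent.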