0x20-encoded queries are sometimes answered in random capitalization
Summary
0x20-encoded queries are sometimes answered in random capitalization when querying a resolver with BIND-9.18.15.
BIND version used
# named -V
BIND 9.18.15 (Extended Support Version) <id:f53a076>
running on Linux x86_64 4.18.0-425.19.2.el8_7.x86_64 #1 SMP Tue Apr 4 22:38:11 UTC 2023
built by make with '--prefix=/usr/local/bind-9.18.15' '--sysconfdir=/opt/chroot/bind/etc/named/' '--mandir=/usr/local/share/man' '--localstatedir=/opt/chroot/bind/var' '--enable-largefile' '--enable-full-report' '--without-gssapi' '--with-json-c' '--enable-dnstap' '--with-libxml2' '--enable-singletrace' 'PKG_CONFIG_PATH=/usr/local/fstrm/lib/pkgconfig/:/usr/local/h2o/lib64/pkgconfig'
compiled by GCC 8.5.0 20210514 (Red Hat 8.5.0-16)
compiled with OpenSSL version: OpenSSL 1.1.1k FIPS 25 Mar 2021
linked to OpenSSL version: OpenSSL 1.1.1k FIPS 25 Mar 2021
compiled with libuv version: 1.41.1
linked to libuv version: 1.41.1
compiled with libnghttp2 version: 1.33.0
linked to libnghttp2 version: 1.33.0
compiled with libxml2 version: 2.9.7
linked to libxml2 version: 20907
compiled with json-c version: 0.13.1
linked to json-c version: 0.13.1
compiled with zlib version: 1.2.11
linked to zlib version: 1.2.11
compiled with protobuf-c version: 1.3.0
linked to protobuf-c version: 1.3.0
threads support is enabled
DNSSEC algorithms: RSASHA1 NSEC3RSASHA1 RSASHA256 RSASHA512 ECDSAP256SHA256 ECDSAP384SHA384 ED25519 ED448
DS algorithms: SHA-1 SHA-256 SHA-384
HMAC algorithms: HMAC-MD5 HMAC-SHA1 HMAC-SHA224 HMAC-SHA256 HMAC-SHA384 HMAC-SHA512
TKEY mode 2 support (Diffie-Hellman): yes
TKEY mode 3 support (GSS-API): no
default paths:
named configuration: /opt/chroot/bind/etc/named/named.conf
rndc configuration: /opt/chroot/bind/etc/named/rndc.conf
DNSSEC root key: /opt/chroot/bind/etc/named/bind.keys
nsupdate session key: /opt/chroot/bind/var/run/named/session.key
named PID file: /opt/chroot/bind/var/run/named/named.pid
named lock file: /opt/chroot/bind/var/run/named/named.lock
Steps to reproduce
Regarding the 0x20-encoding behavior, I'm not sure if the following is expected behavior or a bug:
Querying a BIND-9.18.15 resolver with a clean cache and with a lowercase/uppercase domain-query:
$ for ((i=1; i<999; i++)); do echo -e "[+] Run $i"; dig @test www.ARCADE.ch +noall +question +answer; echo -e "\n" ; sleep .5; done
[+] Run 1
;www.ARCADE.ch. IN A
www.arcade.ch. 600 IN A 46.22.20.90
[+] Run 2
;www.ARCADE.ch. IN A
www.arcade.ch. 599 IN A 46.22.20.90
[+] Run 3
;www.ARCADE.ch. IN A
www.arcade.ch. 599 IN A 46.22.20.90
[+] Run 4
;www.ARCADE.ch. IN A
www.arcade.ch. 598 IN A 46.22.20.90
[+] Run 5
;www.ARCADE.ch. IN A
www.arcade.ch. 598 IN A 46.22.20.90
[+] Run 6
;www.ARCADE.ch. IN A
www.arcade.ch. 597 IN A 46.22.20.90
[+] Run 7
;www.ARCADE.ch. IN A
www.arcade.ch. 597 IN A 46.22.20.90
<-------------------------- "rndc flush"
[+] Run 8
;www.ARCADE.ch. IN A
www.arcade.ch. 600 IN A 46.22.20.90
[+] Run 9
;www.ARCADE.ch. IN A
www.ARCADE.ch. 600 IN A 46.22.20.90
[+] Run 10
;www.ARCADE.ch. IN A
www.ARCADE.ch. 599 IN A 46.22.20.90
[+] Run 11
;www.ARCADE.ch. IN A
www.ARCADE.ch. 599 IN A 46.22.20.90
[+] Run 12
;www.ARCADE.ch. IN A
www.ARCADE.ch. 598 IN A 46.22.20.90
[+] Run 13
;www.ARCADE.ch. IN A
www.ARCADE.ch. 598 IN A 46.22.20.90
[+] Run 14
;www.ARCADE.ch. IN A
www.ARCADE.ch. 597 IN A 46.22.20.90
<-------------------------- "rndc flush"
[+] Run 15
;www.ARCADE.ch. IN A
www.arcade.ch. 600 IN A 46.22.20.90
[+] Run 16
;www.ARCADE.ch. IN A
www.arcade.ch. 599 IN A 46.22.20.90
[+] Run 17
;www.ARCADE.ch. IN A
www.arcade.ch. 599 IN A 46.22.20.90
[+] Run 18
;www.ARCADE.ch. IN A
www.arcade.ch. 598 IN A 46.22.20.90
[+] Run 19
;www.ARCADE.ch. IN A
www.arcade.ch. 598 IN A 46.22.20.90
[+] Run 20
;www.ARCADE.ch. IN A
www.arcade.ch. 597 IN A 46.22.20.90
<-------------------------- "rndc flush"
[+] Run 21
;www.ARCADE.ch. IN A
www.arcade.ch. 600 IN A 46.22.20.90
[+] Run 22
;www.ARCADE.ch. IN A
www.ARCADE.ch. 599 IN A 46.22.20.90
[+] Run 23
;www.ARCADE.ch. IN A
www.ARCADE.ch. 599 IN A 46.22.20.90
[+] Run 24
;www.ARCADE.ch. IN A
www.ARCADE.ch. 598 IN A 46.22.20.90
[+] Run 25
;www.ARCADE.ch. IN A
www.ARCADE.ch. 598 IN A 46.22.20.90
[+] Run 26
;www.ARCADE.ch. IN A
www.ARCADE.ch. 597 IN A 46.22.20.90
[+] Run 27
;www.ARCADE.ch. IN A
www.ARCADE.ch. 597 IN A 46.22.20.90
<-------------------------- "rndc flush"
[+] Run 28
;www.ARCADE.ch. IN A
www.arcade.ch. 600 IN A 46.22.20.90
[+] Run 29
;www.ARCADE.ch. IN A
www.ARCADE.ch. 599 IN A 46.22.20.90
[+] Run 30
;www.ARCADE.ch. IN A
www.ARCADE.ch. 599 IN A 46.22.20.90
[+] Run 31
;www.ARCADE.ch. IN A
www.ARCADE.ch. 598 IN A 46.22.20.90
[+] Run 32
;www.ARCADE.ch. IN A
www.ARCADE.ch. 598 IN A 46.22.20.90
<-------------------------- "rndc flush"
[+] Run 33
;www.ARCADE.ch. IN A
www.arcade.ch. 600 IN A 46.22.20.90
[+] Run 34
;www.ARCADE.ch. IN A
www.ARCADE.ch. 600 IN A 46.22.20.90
[+] Run 35
;www.ARCADE.ch. IN A
www.ARCADE.ch. 599 IN A 46.22.20.90
[+] Run 36
;www.ARCADE.ch. IN A
www.ARCADE.ch. 599 IN A 46.22.20.90
<-------------------------- "rndc flush"
[+] Run 37
;www.ARCADE.ch. IN A
www.arcade.ch. 600 IN A 46.22.20.90
[+] Run 38
;www.ARCADE.ch. IN A
www.arcade.ch. 600 IN A 46.22.20.90
[+] Run 39
;www.ARCADE.ch. IN A
www.arcade.ch. 599 IN A 46.22.20.90
[+] Run 40
;www.ARCADE.ch. IN A
www.arcade.ch. 599 IN A 46.22.20.90
As you can see in Run 1 and Run 2, the freshly fetched record is returned with "www.arcade.ch." in the answer section (lower case) with the initial TTL of 600s.
Between Run 7 and Run 8, I flushed the resolver cache with rndc flush. The answer in Run 8 is "www.arcade.ch." (lowercase) with a TTL of 600s. In the same second, Run 9 returns the answer with "www.ARCADE.ch.", also with the TTL of 600 (ARCADE is uppercase) like the query. This continues until Run 14, where I again flushed the cache with rndc flush.
On Run 15, the freshly fetched record is returned with the answer "www.arcade.ch." (lowercase). This continues until Run 20. Between Run 20 and Run 21, I flushed the cache again.
The newly fetched record is answered with "www.arcade.ch." (lowercase), but the following queries until Run 27 are answered with "www.ARCADE.ch." (ARCADE in uppercase).
Between Run 27 and Run 28, I flushed the cache again. The response of the newly fetched record is answered with "www.arcade.ch." (lowercase), where the following answers are in uppercase (www.ARCADE.ch.). This continues until Run 32.
Between Run 32 and Run 33, I flushed the cache. The response of the newly fetched record is answered with "www.arcade.ch." (lowercase), where the following answers are in uppercase (www.ARCADE.ch.). This continues until Run 36.
Between Run 36 and Run 37, I flushed the cache. The response of the newly fetched record is answered with "www.arcade.ch." (lowercase), where the following answers are also in lowercase (www.arcade.ch.). This continues for a while.
So my questions are:
- Why is the answer of the first fetched record (with the initial TTL) always in lowercase, while the following answers can either equal the query or be completely in lowercase?
- Why can flushing the cache change the response behavior regarding the "ANSWER" section?
And why is the answer to the following 2nd query "www.arcade.cH." (capital H) while the third "w" is lowercase (not equal to the query)?
$ dig @test wwW.arcade.cH +noall +question +answer
;wwW.arcade.cH. IN A
www.arcade.ch. 600 IN A 46.22.20.90
$ dig @test wwW.arcade.cH +noall +question +answer
;wwW.arcade.cH. IN A
www.arcade.cH. 600 IN A 46.22.20.90
$ dig @test wwW.arcade.cH +noall +question +answer
;wwW.arcade.cH. IN A
www.arcade.cH. 599 IN A 46.22.20.90
What is the current bug behavior?
See above.
What is the expected correct behavior?
I'm not sure if all this is expected or a bug.
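
A way to tabulate transcripts like the one in this report, added here as an example and not part of the original report or of BIND: it parses `dig +noall +question +answer` output, starts a new cache epoch at each "rndc flush" marker, and records per label whether the answer echoed the query's case or came back lowercase. The function names are hypothetical and the sample is assembled from lines shown above.

```python
import re

# Sample assembled from lines in the report above; the run numbers are constructed.
SAMPLE = """\
[+] Run 1
;wwW.arcade.cH. IN A
www.arcade.ch. 600 IN A 46.22.20.90
[+] Run 2
;wwW.arcade.cH. IN A
www.arcade.cH. 600 IN A 46.22.20.90
<-------------------------- "rndc flush"
[+] Run 3
;www.ARCADE.ch. IN A
www.ARCADE.ch. 600 IN A 46.22.20.90
"""

def compare_labels(qname, aname):
    """Per label: 'query' = answer echoes query case, 'lower' = lowercased,
    'n/a' = query label had no uppercase to echo, 'other' = anything else."""
    out = []
    for ql, al in zip(qname.rstrip(".").split("."), aname.rstrip(".").split(".")):
        if ql == ql.lower():
            out.append("n/a")
        elif al == ql:
            out.append("query")
        elif al == al.lower():
            out.append("lower")
        else:
            out.append("other")
    return out

def parse_transcript(text):
    """Return one dict per run; 'epoch' increments at every 'rndc flush' marker."""
    runs, run, qname, epoch = [], None, None, 0
    for line in (l.strip() for l in text.splitlines()):
        m = re.match(r"\[\+\] Run (\d+)", line)
        if "rndc flush" in line:
            epoch += 1
        elif m:
            run = int(m.group(1))
        elif line.startswith(";"):
            qname = line[1:].split()[0]          # question section line
        elif line and run is not None and qname:
            f = line.split()                      # owner TTL class type rdata
            if len(f) >= 5 and f[0].lower() == qname.lower():
                runs.append({"run": run, "epoch": epoch, "qname": qname,
                             "ttl": int(f[1]), "labels": compare_labels(qname, f[0])})
    return runs

def flips(runs):
    """(epoch, run) pairs where the case pattern changed for the same query without a flush."""
    return [(c["epoch"], c["run"]) for p, c in zip(runs, runs[1:])
            if p["epoch"] == c["epoch"] and p["qname"] == c["qname"]
            and p["labels"] != c["labels"]]
```

Running `flips(parse_transcript(...))` over the full 40-run capture lists exactly the runs where the answer's capitalization changed inside one cache epoch, which is the data point the questions above turn on.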