case-sensitive DDNS updates cause unnecessary zone notifications and IXFRs
Summary
If a dynamic DNS update is sent for a domain name that is currently kept in DNS in lower case, but the dynamic DNS update uses upper case, then all records of the affected RRSet get deleted and re-added, even if the dynamic DNS update actually does not change anything.
This causes zone notifications to be sent and IXFRs to be requested by the secondary DNS servers for the affected zone.
BIND version used
BIND 9.14.5 (Stable Release) <id:c2c2b6d>
running on Linux x86_64 3.10.0-514.16.1.el7.x86_64 #1 SMP Thu Apr 13 08:36:06 CEST 2017
built by make with './configure' '--prefix=/opt/named/current' '--sbindir=/opt/named/current/bin' '--sysconfdir=/opt/named/current/conf' '--enable-fixed-rrset' '--enable-largefile' '--with-tuning=large' '--with-libjson' '--enable-dnstap' '--enable-dnsrps-dl' '--enable-dnsrps' '--with-libidn2=no' '--with-lmdb=no' '--build=x86_64-unknown-linux-gnu' '--host=x86_64-unknown-linux-gnu' 'build_alias=x86_64-unknown-linux-gnu' 'host_alias=x86_64-unknown-linux-gnu' 'target_alias=./configure'
compiled by GCC 4.8.5 20150623 (Red Hat 4.8.5-39)
compiled with OpenSSL version: OpenSSL 1.0.2k 26 Jan 2017
linked to OpenSSL version: OpenSSL 1.0.2k-fips 26 Jan 2017
compiled with libxml2 version: 2.9.1
linked to libxml2 version: 20901
compiled with libjson-c version: 0.11
linked to libjson-c version: 0.11
compiled with zlib version: 1.2.7
linked to zlib version: 1.2.7
threads support is enabled
default paths:
named configuration: /opt/named/current/conf/named.conf
rndc configuration: /opt/named/current/conf/rndc.conf
DNSSEC root key: /opt/named/current/conf/bind.keys
nsupdate session key: /opt/named/current/var/run/named/session.key
named PID file: /opt/named/current/var/run/named/named.pid
named lock file: /opt/named/current/var/run/named/named.lock
Steps to reproduce
- at the starting point _ldap._tcp.training01.com. has two SRV RRs (all in lower case)
[root@dnsdhcp01 conf]$ dig AXFR training01.com | grep SOA
training01.com. 86400 IN SOA dnsdhcp01.training01.com. root.training01.com. 18 21600 3600 604800 86400
training01.com. 86400 IN SOA dnsdhcp01.training01.com. root.training01.com. 18 21600 3600 604800 86400
[root@dnsdhcp01 conf]$ dig AXFR training01.com | grep SRV
_ldap._tcp.training01.com. 600 IN SRV 0 0 389 windc01.training01.com.
_ldap._tcp.training01.com. 600 IN SRV 0 0 389 windc02.training01.com.
[root@dnsdhcp01 conf]$
- client "adds" an already existing RR in the RRSet but happens to use upper case for the zone name TRAINING01.COM. of the domain name _ldap._tcp.training01.com., in this case reproduced using nsupdate
[root@dnsdhcp01 conf]$ nsupdate
> update add _ldap._tcp.TRAINING01.COM. 600 IN SRV 0 0 389 windc02.training01.com.
> send
> quit
[root@dnsdhcp01 conf]$
- named triggers that the complete RRSet gets deleted and re-added using the case specified in the dynamic update
[root@dnsdhcp01 conf]$ journalprint db.training01.com.jnl
del training01.com. 86400 IN SOA dnsdhcp01.training01.com. root.training01.com. 18 21600 3600 604800 86400
del _ldap._tcp.training01.com. 600 IN SRV 0 0 389 windc01.training01.com.
del _ldap._tcp.training01.com. 600 IN SRV 0 0 389 windc02.training01.com.
add training01.com. 86400 IN SOA dnsdhcp01.training01.com. root.training01.com. 19 21600 3600 604800 86400
add _ldap._tcp.TRAINING01.COM. 600 IN SRV 0 0 389 windc01.training01.com.
add _ldap._tcp.TRAINING01.COM. 600 IN SRV 0 0 389 windc02.training01.com.
[root@dnsdhcp01 conf]$
- as a result serial is increased / zone is updated accordingly, i.e. notifications are sent and secondaries will request IXFRs
[root@dnsdhcp01 conf]$ dig AXFR training01.com | grep SOA
training01.com. 86400 IN SOA dnsdhcp01.training01.com. root.training01.com. 19 21600 3600 604800 86400
training01.com. 86400 IN SOA dnsdhcp01.training01.com. root.training01.com. 19 21600 3600 604800 86400
[root@dnsdhcp01 conf]$ dig AXFR training01.com | grep SRV
_ldap._tcp.TRAINING01.COM. 600 IN SRV 0 0 389 windc01.training01.com.
_ldap._tcp.TRAINING01.COM. 600 IN SRV 0 0 389 windc02.training01.com.
[root@dnsdhcp01 conf]$
What is the current bug behavior?
domain names in a dynamic update are compared case-sensitively to already existing RRs
What is the expected correct behavior?
domain names in a dynamic update are compared case-INsensitively to already existing RRs
if the exact same record already exists (case-insensitive) there should be no change to the zone
if someone wants to use DDNS update to change the case of a domain name or a domain name label he/she should remove the RRSet first and then re-add with the desired case - this can go into a single (atomic) dynamic DNS update
Note: tried no-case-compress { any; }; but made no difference (unfortunate, but expected)
Relevant configuration files
have a master zone and set allow-update to any for testing the dynamic DNS updates
Relevant logs and/or screenshots
n/a
Possible fixes
n/a
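An operator can spot this churn in an existing journal by checking `journalprint` output for transactions whose deleted and added RRs differ only in owner-name case. The following is an added example, not part of the original report or of BIND. It assumes the `del`/`add` line layout shown above and folds case on the owner name only; the second transaction in the sample (serial 20, windc03) is constructed.

```python
# Constructed sample: transaction 0 is the journalprint output from the report;
# transaction 1 (serial 20, windc03) is invented here as a genuine change.
SAMPLE = """\
del training01.com. 86400 IN SOA dnsdhcp01.training01.com. root.training01.com. 18 21600 3600 604800 86400
del _ldap._tcp.training01.com. 600 IN SRV 0 0 389 windc01.training01.com.
del _ldap._tcp.training01.com. 600 IN SRV 0 0 389 windc02.training01.com.
add training01.com. 86400 IN SOA dnsdhcp01.training01.com. root.training01.com. 19 21600 3600 604800 86400
add _ldap._tcp.TRAINING01.COM. 600 IN SRV 0 0 389 windc01.training01.com.
add _ldap._tcp.TRAINING01.COM. 600 IN SRV 0 0 389 windc02.training01.com.
del training01.com. 86400 IN SOA dnsdhcp01.training01.com. root.training01.com. 19 21600 3600 604800 86400
add training01.com. 86400 IN SOA dnsdhcp01.training01.com. root.training01.com. 20 21600 3600 604800 86400
add _ldap._tcp.training01.com. 600 IN SRV 0 0 389 windc03.training01.com.
"""


def parse(text):
    """Yield (op, owner, ttl, rtype, rdata) for every del/add line."""
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 6 and f[0] in ("del", "add"):
            yield f[0], f[1], f[2], f[4].upper(), " ".join(f[5:])


def transactions(records):
    """Group records; a new transaction starts at each 'del ... SOA' line."""
    txn = []
    for rec in records:
        if rec[0] == "del" and rec[3] == "SOA" and txn:
            yield txn
            txn = []
        txn.append(rec)
    if txn:
        yield txn


def rrs(txn, op, fold):
    """Sorted non-SOA records for one op; owner lower-cased when fold is set."""
    return sorted((o.lower() if fold else o, ttl, ty, rd)
                  for k, o, ttl, ty, rd in txn if k == op and ty != "SOA")


def case_only(txn):
    """True when the del and add sets differ only in owner-name case."""
    dels, adds = rrs(txn, "del", True), rrs(txn, "add", True)
    return bool(dels) and dels == adds and rrs(txn, "del", False) != rrs(txn, "add", False)


def find_case_only(text):
    """Return indexes of transactions that changed nothing but owner case."""
    return [i for i, t in enumerate(transactions(parse(text))) if case_only(t)]
```

Shell prompt lines mixed into the input are skipped, so the terminal capture of `journalprint db.training01.com.jnl` can be passed in as is.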