BIND crashes while resolving DNAME with deny-answer-aliases
Reported by Tony Finch to wpk and security-officer: named.conf:
options {
recursion yes;
deny-answer-aliases {
"cam.ac.uk";
} except-from {
"cam.ac.uk";
};
};
dig @localhost 130.232.128.in-addr.arpa dname
results in INSIST failure:
05-Jul-2018 17:17:43.684 name.c:2150: REQUIRE(suffixlabels > 0) failed, back trace
#0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
#1 0x00007ffff6279801 in __GI_abort () at abort.c:79
#2 0x00005555555ae9e7 in assertion_failed (file=<optimized out>, line=<optimized out>, type=<optimized out>, cond=<optimized out>) at ./main.c:250
#3 0x000055555578fa1a in isc_assertion_failed (file=file@entry=0x555555808500 "name.c", line=line@entry=2150,
type=type@entry=isc_assertiontype_require, cond=cond@entry=0x555555808718 "suffixlabels > 0") at assertions.c:51
#4 0x00005555556715ea in dns_name_split (name=0x7fffe8051aa0, suffixlabels=0, prefix=<optimized out>, suffix=<optimized out>) at name.c:2150
#5 0x000055555559ee1a in is_answertarget_allowed (fctx=fctx@entry=0x7fffe8051790, qname=qname@entry=0x7fffe8051aa0, rname=0x7fffef8867e0,
rdataset=0x7fffef8895c0, chainingp=chainingp@entry=0x0) at resolver.c:6637
#6 0x000055555559f7d4 in rctx_answer_match (rctx=0x7ffff2d0d470) at resolver.c:8173
#7 rctx_answer_positive (rctx=rctx@entry=0x7ffff2d0d470) at resolver.c:7927
#8 0x00005555556ea738 in rctx_answer (rctx=0x7ffff2d0d470) at resolver.c:7811
#9 resquery_response (task=<optimized out>, event=<optimized out>) at resolver.c:7342
#10 0x00005555557b2cb1 in dispatch (manager=0x7ffff7f73010) at task.c:1139
#11 run (uap=0x7ffff7f73010) at task.c:1311
#12 0x00007ffff69f26db in start_thread (arg=0x7ffff2d0e700) at pthread_create.c:463
#13 0x00007ffff635a88f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95