Non-existent CNAME target in the same zone should be returned with NXDOMAIN instead of NOERROR #11
Comments
Hello, Thank you for reporting this issue.
yadifa added a commit that referenced this issue on Dec 3, 2020
…comment))
adds stack size fix for musl support (the default size is way too small)
adds error reporting in socket_server_opensocket_init
fixes CNAME recursion not returning the same answer as named in NXDOMAIN cases (reported by https://github.com/SivaKesava1, see #11)
modified the keyroll key hash so output would group by flags then algorithm then tag
adds a new yadifa module : zonesign zone (re-)signature tool that can replace dnssec-signzone designed to work through some limit cases (yakeyrolld)
fixes an issue where a zone signature could incorrectly be detected as already ongoing
fixes an issue that could occur parsing configuration files with optional content
fixes CNAME answers not following the aliases chain (side effect of a previous fix, regression added)
fixes a possible race-condition when initialising the keyroll context error codes
added an internal tool to verify what decided a configuration value (default, command line, ...)
added a NSEC3 record view so they can directly be signed
added stdatomic.h for older compilers (CentOS 7)
zdb_zone_write_text no longer closes the output stream, the responsibility is left to the caller
keyroll context destruction now releases all the memory (needed now that a keyroll can be fully restarted during a run)
uqs pushed a commit to freebsd/freebsd-ports that referenced this issue on Dec 31, 2020
* YADIFA 2.4.1-public:
- Fixes an issue in dnscore where a DNS TCP query would not return the real DNS error code.
- Fixes an issue that could happen when a network model isn't supported.
- Fixes the propagation of sendmmsg/recvmmsg function availability detection.
- Fixes an issue where yadifad would issue a warning when a key with algorithm > 7 is used with an NSEC zone.
- Fixes an issue that will occur on a chrooted environment where a managed-path would be used incorrectly.
- Fixes CNAME answers not following the aliases chain.
- Fixes CNAME recursion not returning the same answer as named in NXDOMAIN cases (reported by https://github.com/SivaKesava1, see yadifa/yadifa#11)
- Adds patch for musl support
- Adds stack size fix for musl support (the default size is way too small)
- Now imports a custom version of stdatomic.h for systems where it is missing, located in dnscore/thirdpary/stdatomic.h. Made for CentOS 7 and any other release where that file is missing. The import is only active if strictly needed and will only be visible during the build. At the moment, it is not being installed with the other headers.

* YAKEYROLLD 2.4.1:
- Fixes the handling of incomplete TCP queries.
- Fixes a possible race-condition when initialising the keyroll context error codes.
- The keyroll now has another automatic recovery layer where it completely restarts the handling of a domain, generating a one-step update to put the zone in the expected state.

Full changelog at https://github.com/yadifa/yadifa/blob/master/ChangeLog

And while here, reformat Makefile according to portfmt and portclippy

PR: 252107
Submitted by: Leo Vandewoestijne <freebsd@dns.company> (maintainer)
Reviewed by: osa (mentor)
Approved by: osa (mentor)
Differential Revision: https://reviews.freebsd.org/D27808
git-svn-id: svn+ssh://svn.freebsd.org/ports/head@559762 35697150-7ecd-e111-bb59-0022644237b5
Jehops pushed a commit to Jehops/freebsd-ports-legacy that referenced this issue on Jan 1, 2021
svmhdvn pushed a commit to svmhdvn/freebsd-ports that referenced this issue on Jan 10, 2024
Hi,
This is related to if 'A CNAME B' exists in a zone, but B (related to the same zone) does not exist, then the return code should be NXDOMAIN. RFC 6604 mentions that
YADIFA already does not follow CNAME chains, as mentioned in #10, but even for a single CNAME one, it does not return the rcode properly.
Consider the following sample zone file:
For the query <b.c.example.com. , A>, the YADIFA server returns the following response:
Expected:
The expected response is the same as above except that the rcode should be NXDOMAIN.
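
The rcode rule this report relies on (RFC 6604: the response code is set from the last step of the CNAME chain), shown as an added example that is not YADIFA's code and not part of the original report. The zone contents and the helpers `in_zone`, `name_exists` and `resolve` are constructed for illustration, and answering a CNAME loop with SERVFAIL is this sketch's own choice.

```python
# Toy authoritative lookup for a single zone: the rcode reflects the last name
# in the CNAME chain. No wildcards, delegations or DNSSEC.
# The zone data is constructed for this example; it is not the reporter's zone file.
ORIGIN = "example.com."
ZONE = {
    ("example.com.", "SOA"): ["ns1.example.com. admin.example.com. 1 3600 600 86400 300"],
    ("b.c.example.com.", "CNAME"): ["missing.example.com."],  # dangling in-zone target
    ("www.example.com.", "CNAME"): ["host.example.com."],
    ("host.example.com.", "A"): ["192.0.2.10"],
    ("ext.example.com.", "CNAME"): ["target.example.net."],   # target outside the zone
    ("l1.example.com.", "CNAME"): ["l2.example.com."],
    ("l2.example.com.", "CNAME"): ["l1.example.com."],        # CNAME loop
}


def in_zone(name):
    return name == ORIGIN or name.endswith("." + ORIGIN)


def name_exists(name):
    # A name exists if it owns records or is an empty non-terminal above an owner.
    return any(owner == name or owner.endswith("." + name) for owner, _ in ZONE)


def resolve(qname, qtype, max_links=8):
    """Return (rcode, answer_rrs) for a query against ZONE."""
    name, answer, seen = qname.lower(), [], set()
    if not in_zone(name):
        return "REFUSED", answer           # not authoritative for the query name
    for _ in range(max_links):
        if (name, qtype) in ZONE:
            answer += [(name, qtype, rdata) for rdata in ZONE[(name, qtype)]]
            return "NOERROR", answer
        if qtype != "CNAME" and (name, "CNAME") in ZONE:
            if name in seen:
                break                      # loop detected
            seen.add(name)
            target = ZONE[(name, "CNAME")][0]
            answer.append((name, "CNAME", target))
            name = target
            if not in_zone(name):
                # Out-of-zone target: this server cannot judge it, so NOERROR.
                return "NOERROR", answer
            continue
        # End of chain with no data: NODATA if the name exists, else NXDOMAIN,
        # even when earlier links in the chain resolved without error.
        return ("NOERROR" if name_exists(name) else "NXDOMAIN"), answer
    return "SERVFAIL", answer              # loop or over-long chain (this example's choice)
```

The same function doubles as a regression oracle: compare a server's rcode and answer section for each query against the pair `resolve` returns for an equivalent zone.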