Opened 14 months ago

#6662 defect new

twisted.names.authority.FileAuthority should not respond authoritatively for glue records whose names are outside its zone

Reported by: rwall
Owned by:
Priority: normal
Milestone:
Component: names
Keywords:
Cc:
Branch:
Author:
Launchpad Bug:

Description

FileAuthority._lookup currently assumes that any records in its dictionary can be included in answers and should be marked authoritative...even glue records whose names fall within the authority of a child zone.

The result of this is that the message returned to the client may contain glue records in the answers section and may be marked authoritative.

For example, given the following change to the example zone:

Index: doc/names/howto/listings/names/example-domain.com
===================================================================
--- doc/names/howto/listings/names/example-domain.com	(revision 39437)
+++ doc/names/howto/listings/names/example-domain.com	(working copy)
@@ -33,5 +33,8 @@
     CNAME('ftp.example-domain.com', 'example-domain.com'),
 
     MX('example-domain.com', 0, 'mail.example-domain.com'),
-    A('mail.example-domain.com', '123.0.16.43')
+    A('mail.example-domain.com', '123.0.16.43'),
+
+    NS('subdomain.example-domain.com', 'ns1.subdomain.example-domain.com'),
+    A('ns1.subdomain.example-domain.com', '123.0.16.43'),

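Review bot: the reproducer changes the howto's example zone listing rather than a test fixture, so anyone following doc/names/howto will now serve a delegation for subdomain.example-domain.com; a fix for this ticket should carry its own zone fixture in the test suite. Also note that the new glue record `A('ns1.subdomain.example-domain.com', '123.0.16.43')` reuses the address already given to mail.example-domain.com two lines above, which is fine for reproducing the bug but worth a comment if the change is meant to stay in the documentation.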
Run a local twistd DNS server:

./bin/twistd -n dns --port 10053 --pyzone=doc/names/howto/listings/names/example-domain.com

Then send a query for the glue record using dig:

$ dig -p 10053  @127.0.0.1 ns1.subdomain.example-domain.com A +norecurse 

; <<>> DiG 9.9.3-rl.156.01-P1-RedHat-9.9.3-3.P1.fc19 <<>> -p 10053 @127.0.0.1 ns1.subdomain.example-domain.com A +norecurse
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44286
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;ns1.subdomain.example-domain.com. IN	A

;; ANSWER SECTION:
ns1.subdomain.example-domain.com. 3600 IN A	123.0.16.43

;; Query time: 1 msec
;; SERVER: 127.0.0.1#10053(127.0.0.1)
;; WHEN: Sat Aug 03 01:13:41 BST 2013
;; MSG SIZE  rcvd: 66

The flag "aa" shows that the response has been marked authoritative.

Compare this to a query for twistedmatrix.com glue from one of the gTLD servers, which returns a non-authoritative referral (no "aa" flag, the NS records in the AUTHORITY section and the glue in ADDITIONAL):

$ dig @a.gtld-servers.net. ns1.twistedmatrix.com NS +norecurse

; <<>> DiG 9.9.3-rl.156.01-P1-RedHat-9.9.3-3.P1.fc19 <<>> @a.gtld-servers.net. ns1.twistedmatrix.com NS +norecurse
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40266
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ns1.twistedmatrix.com.		IN	NS

;; AUTHORITY SECTION:
twistedmatrix.com.	172800	IN	NS	ns1.twistedmatrix.com.
twistedmatrix.com.	172800	IN	NS	ns2.twistedmatrix.com.

;; ADDITIONAL SECTION:
ns1.twistedmatrix.com.	172800	IN	A	66.35.39.66
ns2.twistedmatrix.com.	172800	IN	A	184.106.136.126

;; Query time: 132 msec
;; SERVER: 192.5.6.30#53(192.5.6.30)
;; WHEN: Sat Aug 03 01:15:45 BST 2013
;; MSG SIZE  rcvd: 114
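As an added illustration (this is not Twisted's code and not a proposed patch), the following stand-alone function shows the classification a corrected _lookup would need: walk from the name towards the zone apex, and if an NS record is found at any intermediate name, answer with a referral in the style of the gTLD response above instead of an authoritative answer. The zone dictionary is a constructed fixture mirroring the modified example zone; record tuples and the result dictionary are this example's own shapes, not twisted.names types.

```python
# Constructed fixture shaped like the modified example-domain.com zone.
ZONE = "example-domain.com"
RECORDS = {
    "example-domain.com": [("NS", "ns1.example-domain.com")],
    "ns1.example-domain.com": [("A", "123.0.16.1")],
    "mail.example-domain.com": [("A", "123.0.16.43")],
    # Delegation of a child zone plus its glue record.
    "subdomain.example-domain.com": [("NS", "ns1.subdomain.example-domain.com")],
    "ns1.subdomain.example-domain.com": [("A", "123.0.16.43")],
}


def delegation_point(records, zone, name):
    """Return the closest name below the zone apex (and at or above `name`)
    that owns NS records, i.e. the child zone `name` belongs to, or None if
    `name` is within this zone's own authority."""
    labels = name.lower().rstrip(".").split(".")
    zone_labels = zone.lower().rstrip(".").split(".")
    if labels[-len(zone_labels):] != zone_labels:
        raise ValueError("%s is not under %s" % (name, zone))
    # Start just below the apex and move down towards the queried name.
    for i in range(len(labels) - len(zone_labels) - 1, -1, -1):
        candidate = ".".join(labels[i:])
        if any(t == "NS" for t, _ in records.get(candidate, [])):
            return candidate
    return None


def lookup(records, zone, name, qtype):
    """Answer authoritatively only for names within this zone; names under
    a delegation get a referral: empty answer, NS records in authority,
    glue A records in additional, and the aa flag cleared."""
    cut = delegation_point(records, zone, name)
    if cut is not None:
        ns = [(cut, "NS", target) for t, target in records[cut] if t == "NS"]
        glue = [(target, "A", addr)
                for _, _, target in ns
                for t, addr in records.get(target, []) if t == "A"]
        return {"aa": False, "answer": [], "authority": ns, "additional": glue}
    answer = [(name, t, v) for t, v in records.get(name, []) if t == qtype]
    return {"aa": True, "answer": answer, "authority": [], "additional": []}
```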
