Report information

The Basics
Id: 45416
Status: open
Priority: Medium/Medium
Queue:

People
Owner: Nobody in particular
Cc:

BugTracker
Version Fixed: (no value)
Version Found: 9.10.3-P2, 9.11.1-P1
Versions Affected: (no value)
Versions Planned: (no value)
Priority: P2 Normal
Severity: S2 Normal
CVSS Score: (no value)
CVE ID: (no value)
Component: BIND Utilities
Area: feature

Dates
Created: Tue, 20 Jun 2017 05:52:20 -0400
Updated: Sun, 19 Nov 2017 08:58:08 -0500
Closed: Not set


Subject: named and named-checkzone don't recognise out-of-zone RRsets that are below a delegation point
Reported on 9.10.3-P2 and tested/confirmed on 9.11.1-P1

Neither named nor named-checkzone throw any kind of warning for records in a zone that are "below" a delegation zone cut.

$ cat example.com.zone
$TTL 86400
example.com. IN SOA a0.nic.example.com. noc.afilias-nst.info. 1497203847 10800 3600 2764800 900
example.com. IN NS a0.nic.example.com.
example.com. IN NS b0.nic.example.com.
example.com. IN NS c0.nic.example.com.
a0.nic.example.com. IN A 128.66.0.1
b0.nic.example.com. IN A 128.66.1.1
c0.nic.example.com. IN A 128.66.2.1
sub.example.com. IN NS ns1.afilias.info.
sub.example.com. IN NS ns2.afilias.info.
out-of-zone.sub.example.com. IN NS ns1.isc.org.
out-of-zone.sub.example.com. IN NS ns2.isc.org.

$ named-checkzone -i local example.com example.com.zone
zone example.com/IN: loaded serial 1497203847
OK

When the zone is loaded by named, the out-of-zone RRset is included and can be seen from a named dump ("rndc dumpdb -all"), but the RRset is inaccessible when querying the server: the response is a referral to the nameservers for sub.example.com.

----

This caused some operational problems as the configuration/delegation error was not spotted and not highlighted by named-checkzone, so it took some time to uncover.

It's probably unrealistic to expect named itself to spot these problems during zone loading (because of the ordering of the RRsets in the zone file: the out-of-zone RRset is actually within the zone, except for the delegation, which could appear anywhere). So would it be possible to add an additional feature/option to named-checkconf that causes a second run through the zone file after parsing it the first time and identifying the delegation points?
On Thu Jun 22 20:26:14 2017, muks wrote:
> RFC 2136 covers this:
>
> 7.18. Previously existing names which are occluded by a new zone cut
> are still considered part of the parent zone, for the purposes of
> zone transfers, even though queries for such names will be referred
> to the new subzone's servers. If a zone cut is removed, all parent
> zone names that were occluded by it will again become visible to
> queries. (This is a clarification of [RFC1034].)
>
> Occlusion is not an error. A similar situation can occur with DNAME
> too.
>
> Mukund

Ah OK - in that case, I think there is nothing we can reasonably do here, unless we think it worthwhile to add a warning.

Cathy
Subject: Re: [ISC-Bugs #45416] named and named-checkzone don't recognise out-of-zone RRsets that are below a delegation point
To: bind9-confidential@isc.org
Date: Tue, 27 Jun 2017 22:12:20 +1000
From: "Mark Andrews" <marka@isc.org>
In message <rt-4.4.1-49360-1498565168-1351.45416-4-0@isc.org>, "Cathy Almond via RT" writes:
> On Thu Jun 22 20:26:14 2017, muks wrote:
> > RFC 2136 covers this:
> >
> > 7.18. Previously existing names which are occluded by a new zone cut
> > are still considered part of the parent zone, for the purposes of
> > zone transfers, even though queries for such names will be referred
> > to the new subzone's servers. If a zone cut is removed, all parent
> > zone names that were occluded by it will again become visible to
> > queries. (This is a clarification of [RFC1034].)
> >
> > Occlusion is not an error. A similar situation can occur with DNAME
> > too.
> >
> > Mukund
>
> Ah OK - in that case, I think there is nothing we can reasonably do
> here, unless we think it worthwhile to add a warning.

Well, we could add a mode that checks for non-glue below the bottom of the zone, but it would have to be documented as being beyond what is technically required. This is policy, not correctness enforcement.

> Cathy
>
> --
> Ticket History: https://bugs.isc.org/Ticket/Display.html?id=45416

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
> Well we could add a mode that checks for non-glue below bottom of
> zone but it would have to be documented as being beyond what it
> technically required. This policy not correctness enforcement.

It'd be nice to have this as a warning feature (it doesn't need to be specific, just to indicate that there *are* RRsets that are being occluded by subdomain delegation) so that the zone owner who has opted to check their zone content can investigate further themselves.

Leaving it here to be considered as a feature request rather than as a bug report.
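The "non-glue below the bottom of the zone" warning discussed in this thread, applied to the zone file from the original report, as an added example that is not part of the ticket and not ISC code. It parses a simplified master-format zone (one record per line, $TTL/$ORIGIN only, no parentheses), finds the delegation points, and reports every RRset that sits at or below a cut and is not something named would serve from the parent (NS/DS and related types at the cut, or A/AAAA glue for the cut's own nameservers). The parser, the `RR_TYPES_AT_CUT` set and the glue rule are this example's own assumptions, not named-checkzone behaviour; the embedded zone text is the one from the report above.

```python
"""Warn about RRsets occluded by a zone cut (the named-checkzone warning
requested in this ticket).  Added example, not ISC code."""
from collections import defaultdict

# Zone text from the original report, embedded so the example runs offline.
ZONE_TEXT = """\
$TTL 86400
example.com. IN SOA a0.nic.example.com. noc.afilias-nst.info. 1497203847 10800 3600 2764800 900
example.com. IN NS a0.nic.example.com.
example.com. IN NS b0.nic.example.com.
example.com. IN NS c0.nic.example.com.
a0.nic.example.com. IN A 128.66.0.1
b0.nic.example.com. IN A 128.66.1.1
c0.nic.example.com. IN A 128.66.2.1
sub.example.com. IN NS ns1.afilias.info.
sub.example.com. IN NS ns2.afilias.info.
out-of-zone.sub.example.com. IN NS ns1.isc.org.
out-of-zone.sub.example.com. IN NS ns2.isc.org.
"""

# Types that legitimately sit at the delegation point itself (assumption of this example).
RR_TYPES_AT_CUT = {"NS", "DS", "RRSIG", "NSEC", "NSEC3"}
CLASSES = {"IN", "CH", "HS"}


def canon(name, origin):
    """Fully qualify a name relative to origin and lower-case it."""
    if name == "@":
        return origin
    if not name.endswith("."):
        name = name + "." + origin
    return name.lower()


def parse_zone(text, origin):
    """Minimal master-file parser: $TTL/$ORIGIN, one record per line,
    no parentheses, no multi-line records.  Returns (origin, records)."""
    origin = origin.rstrip(".").lower() + "."
    records, last_owner = [], None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()   # strip comments
        if not line.strip():
            continue
        tokens = line.split()
        if tokens[0] == "$ORIGIN":
            origin = canon(tokens[1], origin)
            continue
        if tokens[0].startswith("$"):          # $TTL and other directives
            continue
        if raw[0] in " \t":                    # blank owner field: reuse previous
            owner = last_owner
        else:
            owner = canon(tokens.pop(0), origin)
            last_owner = owner
        # optional TTL and class, in either order
        while tokens and (tokens[0].isdigit() or tokens[0].upper() in CLASSES):
            tokens.pop(0)
        rtype = tokens.pop(0).upper()
        records.append((owner, rtype, " ".join(tokens)))
    return origin, records


def _labels(name):
    return name.rstrip(".").split(".")


def is_proper_subdomain(name, ancestor):
    """True when name is strictly below ancestor (not equal to it)."""
    n, a = _labels(name), _labels(ancestor)
    return len(n) > len(a) and n[-len(a):] == a


def find_occluded(origin, records):
    """Return sorted (owner, type, cut) triples for RRsets that named would
    never answer for because a delegation above them takes precedence."""
    ns_targets = defaultdict(set)      # delegation point -> names of its nameservers
    for owner, rtype, rdata in records:
        if rtype == "NS":
            ns_targets[owner].add(canon(rdata, origin))
    cuts = [n for n in ns_targets if n != origin]
    # Only the topmost cuts matter: a cut beneath another cut is itself occluded.
    top_cuts = [c for c in cuts if not any(is_proper_subdomain(c, o) for o in cuts)]

    occluded = {}
    for owner, rtype, rdata in records:
        for cut in top_cuts:
            # Glue: address records for the nameservers named in the delegating NS RRset.
            is_glue = rtype in ("A", "AAAA") and owner in ns_targets[cut]
            if owner == cut:
                if rtype in RR_TYPES_AT_CUT or is_glue:
                    continue
                occluded[(owner, rtype)] = cut
            elif is_proper_subdomain(owner, cut) and not is_glue:
                occluded[(owner, rtype)] = cut
    return sorted((o, t, c) for (o, t), c in occluded.items())


def lint_zone_text(text, origin):
    """Convenience wrapper: returns human-readable warning lines."""
    zone_origin, records = parse_zone(text, origin)
    return ["warning: %s %s RRset is occluded by the delegation at %s" % w
            for w in find_occluded(zone_origin, records)]


if __name__ == "__main__":
    for line in lint_zone_text(ZONE_TEXT, "example.com"):
        print(line)
```

Run against the report's zone this flags only the out-of-zone.sub.example.com NS RRset, occluded by the cut at sub.example.com; the nic.example.com address records are untouched because no cut sits above them. As Mark notes, this is a policy check, not a correctness check: occluded data is still part of the zone for transfer purposes, so the output is a warning for the zone owner to investigate rather than a load failure.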
New bug ticket https://bugs.isc.org/Ticket/Display.html?id=46624 is similar to this one.