From: Daniel Stirnimann
To: bind9-bugs@isc.org
Date: Fri, 10 Oct 2014 14:43:03 +0200
Message-ID: <5437D457.7010608@switch.ch>
Subject: zone_name case-sensitivity preferred for dns response

Hello

We found out that case-sensitivity
from the zone_name in a zone statement is preferred over what is defined in the
zone itself.

Example zone_name with upper-case ORG.:

zone "example.ORG." {
    type master;
    masterfile-format text;
    file "example.org/zone.publish";
};

Whereas the zone example.org. only contains lower case letters:

cat zone.publish (example.org)
example.org. 86400 IN SOA scsnms.switch.ch. dns-operation.switch.ch. 2014101000 28800 7200 604800 1800
example.org. 86400 IN NS ns2.switch.ch.
example.org. 86400 IN NS scsnms.switch.ch.

The authoritative name server (running BIND 9.9.5) response now contains
"example.ORG." in the authority response.

dig @bamus.switch.ch example.org

; <<>> DiG 9.8.3-P1 <<>> @bamus.switch.ch example.org
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43089
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;example.org. IN A

;; AUTHORITY SECTION:
example.ORG. 1800 IN SOA scsnms.switch.ch. dns-operation.switch.ch. 2014101000 28800 7200 604800 1800

;; Query time: 9 msec
;; SERVER: 2001:620::8:5054:ff:fef6:d929#53(2001:620::8:5054:ff:fef6:d929)
;; WHEN: Fri Oct 10 14:27:51 2014
;; MSG SIZE rcvd: 106

I think this is a bug. I guess this response is due to the change in
case-sensitive response compression, https://kb.isc.org/article/AA-01113
introduced in BIND 9.9.5. However, in my opinion, BIND should not preserve its
case from the zone_name clause but only from the zone itself.

We ran into this problem for the TLD .ch as one of the secondary name servers
had the zone_name clause in upper case. While this is perfectly legal and no
harm is caused by this, some misbehaving client devices noticed this which is
why we found out about it.

Of course, we have sent bug reports to the misbehaving client devices.
On the other hand, we also think that the behavior of BIND in preferring the
case of the zone_name clause above the name defined in the zone is wrong.

Thank you,
Daniel

-- 
SWITCH
Daniel Stirnimann, SWITCH-CERT
Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland
phone +41 44 268 15 15, direct +41 44 268 16 24
daniel.stirnimann@switch.ch, http://www.switch.ch
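
An operator-side check for the situation described in the report above, added here as an example; it is not part of the original message and not BIND code. It lists zone statements whose zone_name differs from the SOA owner name in the zone file only in letter case. The function name, the regular expressions and the second sample zone (example.net) are assumptions made for illustration, and the named.conf parsing is a simplification that takes the first file statement after each zone statement.

```python
import re

# Constructed sample input, modelled on the configuration quoted in the report.
NAMED_CONF = '''
zone "example.ORG." {
    type master;
    masterfile-format text;
    file "example.org/zone.publish";
};
zone "example.net." {
    type master;
    file "example.net/zone.publish";
};
'''
ZONE_FILES = {  # path -> zone file text, so the example runs offline
    "example.org/zone.publish":
        "example.org. 86400 IN SOA scsnms.switch.ch. dns-operation.switch.ch. "
        "2014101000 28800 7200 604800 1800\n"
        "example.org. 86400 IN NS ns2.switch.ch.\n",
    "example.net/zone.publish":
        "example.net. 86400 IN SOA ns.example.net. hostmaster.example.net. "
        "1 28800 7200 604800 1800\n",
}

ZONE_STMT = re.compile(r'\bzone\s+"([^"]+)"')
FILE_STMT = re.compile(r'\bfile\s+"([^"]+)"')
SOA_OWNER = re.compile(r'^(\S+)[ \t]+(?:\d+[ \t]+)?(?:IN[ \t]+)?SOA\b', re.M | re.I)

def find_case_mismatches(conf_text, zone_files):
    """Return (zone_name clause, SOA owner) pairs that differ only in letter case."""
    findings = []
    stmts = list(ZONE_STMT.finditer(conf_text))
    for i, m in enumerate(stmts):
        end = stmts[i + 1].start() if i + 1 < len(stmts) else len(conf_text)
        file_m = FILE_STMT.search(conf_text, m.end(), end)
        if not file_m or file_m.group(1) not in zone_files:
            continue  # no file statement, or zone data not supplied
        soa = SOA_OWNER.search(zone_files[file_m.group(1)])
        if not soa or not soa.group(1).endswith("."):
            continue  # "@" or a relative owner inherits the clause's spelling
        clause, owner = m.group(1).rstrip(".") + ".", soa.group(1)
        # DNS names compare case-insensitively, so only the spelling can differ.
        if clause != owner and clause.lower() == owner.lower():
            findings.append((clause, owner))
    return findings

if __name__ == "__main__":
    for clause, owner in find_case_mismatches(NAMED_CONF, ZONE_FILES):
        print(f'zone "{clause}" is spelled "{owner}" in its zone file')
```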