Bug #41900 for bind9-public: Unpresentable records cause AXFR failure?

Wed, 09 Mar 2016 15:53:31 -0500 Robert Edmonds <edmonds@mycre.ws> - Ticket created

Subject:	Unpresentable records cause AXFR failure?
Date:	Wed, 9 Mar 2016 15:53:25 -0500
To:	bind9-bugs@isc.org
From:	"Robert Edmonds" <edmonds@mycre.ws>

Hi, According to the following erratum reported against RFC 6844: https://www.rfc-editor.org/errata_search.php?rfc=6844&eid=4061 Evan Hunt> Since the text representation of the tag field is unquoted, spaces and other whitespace must be explicitly excluded. Otherwise, it is possible to create a CAA record whose text representation cannot be parsed. Kathleen Moriarty> The author believes SHOULD is correct here. The protocol on the wire will work just fine if someone breaks this advice. Yes, it might well break some zone file parsers. But those aren't on the wire and that type of incompatibility is exactly what I would expect from violating a SHOULD. Code has to work if someone creates a RR with a non conformant label, therefore a MUST does not saves any work. And the only circumstance in which the editor can imagine someone using it would be where they wanted a label that could not be inserted through normal zone files. This is kind of surprising. Off hand, I can't think of another DNS RR specification that intentionally created an RR type that "will work just fine" on the wire but has no valid canonical presentation format. I decided to test what would happen if I put a deliberately unrepresentable CAA record in a zone file. I put a CAA record like this in a test zone on a nameserver that doesn't have CAA support: caa TYPE257 \# 03 00 01 20 The tag value is a single ASCII space character, which trips the behavior reported in the erratum. As far as I can tell, this record should "work just fine" on the wire, according to RFC 6844: Tag Length: A single octet containing an unsigned integer specifying the tag length in octets. The tag length MUST be at least 1 and SHOULD be no more than 15. Tag: The property identifier, a sequence of US-ASCII characters. Tag values MAY contain US-ASCII characters 'a' through 'z', 'A' through 'Z', and the numbers 0 through 9. Tag values SHOULD NOT contain any other characters. Matching of tag values is case insensitive. It violates the "SHOULD NOT contain any other characters", which the IETF has apparently determined is definitely a SHOULD NOT and not a MUST NOT. dig, named, and named-checkzone from BIND 9.10.3 all barfed on this record: $ dig +norec @70.89.251.90 -t CAA caa.test.mycre.ws ;; Got bad packet: FORMERR 79 bytes 33 30 84 00 00 01 00 01 00 01 00 01 03 63 61 61 30...........caa 04 74 65 73 74 05 6d 79 63 72 65 02 77 73 00 01 .test.mycre.ws.. 01 00 01 c0 0c 01 01 00 01 00 00 0e 10 00 03 00 ................ 01 20 c0 10 00 02 00 01 00 00 0e 10 00 06 03 62 ...............b 73 74 c0 15 00 00 29 04 c4 00 00 00 00 00 00 st....)........ $ dig +norec @70.89.251.90 -t AXFR test.mycre.ws ;; Got bad packet: FORMERR 170 bytes b4 11 80 00 00 01 00 05 00 00 00 00 04 74 65 73 .............tes 74 05 6d 79 63 72 65 02 77 73 00 00 fc 00 01 c0 t.mycre.ws...... 0c 00 06 00 01 00 00 0e 10 00 23 c0 11 0a 68 6f ..........#...ho 73 74 6d 61 73 74 65 72 c0 11 78 2a 30 bc 00 00 stmaster..x*0... 1c 20 00 00 0e 10 00 09 3a 80 00 00 0e 10 c0 0c ........:....... 00 02 00 01 00 00 0e 10 00 06 03 62 73 74 c0 11 ...........bst.. 03 63 61 61 c0 0c 01 01 00 01 00 00 0e 10 00 03 .caa............ 00 01 20 02 6e 73 c0 0c 00 01 00 01 00 00 0e 10 ....ns.......... 00 04 46 59 fb 5a c0 0c 00 06 00 01 00 00 0e 10 ..FY.Z.......... 00 18 c0 11 c0 2d 78 2a 30 bc 00 00 1c 20 00 00 .....-x*0....... 0e 10 00 09 3a 80 00 00 0e 10 ....:..... $ named-checkzone test.mycre.ws /tmp/test.mycre.ws dns_rdata_fromtext: /tmp/test.mycre.ws:19: near eol: FORMERR zone test.mycre.ws/IN: loading from master file /tmp/test.mycre.ws failed: FORMERR zone test.mycre.ws/IN: not loaded due to errors. $ named -g [...] [...] 09-Mar-2016 15:10:08.883 zone test.mycre.ws/IN: Transfer started. 09-Mar-2016 15:10:08.883 transfer of 'test.mycre.ws/IN' from 70.89.251.90#53: connected using 70.89.251.89#55534 09-Mar-2016 15:10:08.883 transfer of 'test.mycre.ws/IN' from 70.89.251.90#53: failed while receiving responses: FORMERR 09-Mar-2016 15:10:08.883 transfer of 'test.mycre.ws/IN' from 70.89.251.90#53: Transfer status: FORMERR 09-Mar-2016 15:10:08.883 transfer of 'test.mycre.ws/IN' from 70.89.251.90#53: Transfer completed: 0 messages, 0 records, 0 bytes, 0.001 secs (0 bytes/sec) This is surprising. I was expecting named-checkzone to fail, and it's not too surprising that dig refused to print the message, but having the AXFR fail is quite interesting, because there is no presentation format involved (AFAIK), because named uses the "raw zone format" to store XFR'd zones. Just for chuckles, I violated a different key word in RFC 6844: "The tag length MUST be at least 1 and SHOULD be no more than 15" with the following record data: TYPE257 \# 18 00 10 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 This one has a 16 octet tag (consisting of 16 presentable "a"'s), and thus a tag length of 16 (which is one more than 15), thus it violates the SHOULD. This record is processed and presented just fine by BIND. Of course, this violation doesn't actually result in something impossible to parse. So, I'm kind of curious why violating a "SHOULD NOT" causes a red alert, up to and including causing zone transfers to fail, while violating a "SHOULD" is no big deal. (I realize SHOULD and SHOULD NOT are not quite symmetrical, but they are darn close.) -- Robert Edmonds

Wed, 09 Mar 2016 16:46:32 -0500 Evan Hunt <each@isc.org> - Correspondence added

Subject:	Re: [ISC-Bugs #41900] Unpresentable records cause AXFR failure?
Date:	Wed, 9 Mar 2016 21:46:31 +0000
To:	"Robert Edmonds via RT" <bind9-bugs@isc.org>
From:	"Evan Hunt" <each@isc.org>

I did that RR type implementation several months before I got the response from the author on the proposed erratum. Under the supposition that the author would agree with my obvious correctness, I put in a requirement that all characters in labels be alphanumeric. As it turned out my correctness wasn't obvious to the author after all, and perhaps I should have revisted the coding decision then. The problem is, if BIND receives a zone transfer containing a record like this, it's quite likely to dump a copy of the zone to disk, and if it's using masterformat "text", then it won't be able to reload the zone afterward. This admittedly isn't a huge problem -- it wastes time on unnecessary retransfers, and wastes disk space on copies of the "bad" zone file left around for inpsection, but it doesn't prevent the server from working -- but it is a problem. It really should've been caught before the CAA code point was issued. Anyway, removing the following lines from lib/dns/rdata/generic/caa_257.c should make the FORMERR go away: /* Check the Tag's value */ for (i = 0; i < len; i++) if (!alphanumeric[sr.base[i]]) RETERR(DNS_R_FORMERR);

Wed, 09 Mar 2016 16:46:33 -0500 The RT System itself - Status changed from 'new' to 'open'

Wed, 09 Mar 2016 17:14:48 -0500 Robert Edmonds <edmonds@mycre.ws> - Correspondence added

Subject:	Re: [ISC-Bugs #41900] Unpresentable records cause AXFR failure?
Date:	Wed, 9 Mar 2016 17:14:44 -0500
To:	"Evan Hunt via RT" <bind9-bugs@isc.org>
From:	"Robert Edmonds" <edmonds@mycre.ws>

Hi, Evan: It does seem pretty bizarre that an RR would be defined that can have valid on-the-wire RRs that have no corresponding canonical presentation format. In the case where you have to render an unpresentable CAA record (for instance because you might be writing a text master file format zone to disk), couldn't you just fall back on RFC 3597 generic presentation format for the record data? E.g., caa.example. IN CAA \# 03 00 01 20 That would be a lot better than failing the zone transfer entirely. If the argument is that an on-the-wire RR might eventually make its way into a code path that might cause the wire RR to be rendered to its canonical presentation format, then maybe the erratum should be approached from the other direction: instead of trying to ban unpresentable characters from the wire format (like in your original erratum) in section 5.1, relax the requirements on the canonical presentation format in section 5.1.1 so that the presentation format can encompass all possible wire values. (Maybe require \DDD escapes for non-alphanumeric characters, so you would write ASCII space as "\032".) Evan Hunt via RT wrote: > I did that RR type implementation several months before I got the response > from the author on the proposed erratum. Under the supposition that the > author would agree with my obvious correctness, I put in a requirement > that all characters in labels be alphanumeric. > > As it turned out my correctness wasn't obvious to the author after all, > and perhaps I should have revisted the coding decision then. > > The problem is, if BIND receives a zone transfer containing a record like > this, it's quite likely to dump a copy of the zone to disk, and if it's > using masterformat "text", then it won't be able to reload the zone > afterward. This admittedly isn't a huge problem -- it wastes time on > unnecessary retransfers, and wastes disk space on copies of the "bad" > zone file left around for inpsection, but it doesn't prevent the server > from working -- but it is a problem. It really should've been caught > before the CAA code point was issued. > > Anyway, removing the following lines from lib/dns/rdata/generic/caa_257.c > should make the FORMERR go away: > > /* Check the Tag's value */ > for (i = 0; i < len; i++) > if (!alphanumeric[sr.base[i]]) > RETERR(DNS_R_FORMERR); -- Robert Edmonds

Wed, 09 Mar 2016 17:43:08 -0500 Evan Hunt <each@isc.org> - Correspondence added

CC:
Subject:	Re: [ISC-Bugs #41900] Unpresentable records cause AXFR failure?
Date:	Wed, 9 Mar 2016 22:43:07 +0000
To:	"Robert Edmonds via RT" <bind9-bugs@isc.org>
From:	"Evan Hunt" <each@isc.org>

On Wed, Mar 09, 2016 at 10:14:48PM +0000, Robert Edmonds via RT wrote: > In the case where you have to render an unpresentable CAA record (for > instance because you might be writing a text master file format zone to > disk), couldn't you just fall back on RFC 3597 generic presentation > format for the record data? E.g., > > caa.example. IN CAA \# 03 00 01 20 Very smart suggestion, thank you.

Wed, 09 Mar 2016 19:04:12 -0500 Mark Andrews <marka@isc.org> - Correspondence added

Subject:	Re: [ISC-Bugs #41900] Unpresentable records cause AXFR failure?
Date:	Thu, 10 Mar 2016 11:04:05 +1100
To:	bind9-bugs@isc.org
From:	"Mark Andrews" <marka@isc.org>

https://www.ietf.org/archive/id/draft-hallambaker-donotissue-04.txt This is what was used to allocate the typecode. Note the MUST NOT. Tag The property identifier, a sequence of ASCII characters. Tag values MAY contain ASCII characters a through z and the numbers 0 through 9. Tag values MUST NOT contain any other characters. Matching of tag values is case insensitive. I don't care what RFC 6844 says here. Once the code point is allocated the code point format is frozen. This is the direct result of changing the specification after the fact. The IESG should have rejected the change. There is zero need for anything other than ASCII here as it is a protocol element. RFC 6844 also has: Tag: Is a non-zero sequence of US-ASCII letters and numbers in lower case. Which makes the RFC 6844 self contradictory. It is either this sequence or it isn't. Mark In message <rt-4.2.8-32120-1457563388-363.41900-4-0@isc.org>, "Evan Hunt via RT " writes: > On Wed, Mar 09, 2016 at 10:14:48PM +0000, Robert Edmonds via RT wrote: > > In the case where you have to render an unpresentable CAA record (for > > instance because you might be writing a text master file format zone to > > disk), couldn't you just fall back on RFC 3597 generic presentation > > format for the record data? E.g., > > > > caa.example. IN CAA \# 03 00 01 20 > > Very smart suggestion, thank you. > > > > -- > Ticket History: https://bugs.isc.org/Ticket/Display.html?id=41900 -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka@isc.org

Wed, 09 Mar 2016 19:18:34 -0500 Mark Andrews <marka@isc.org> - Correspondence added

Subject:	Re: [ISC-Bugs #41900] Unpresentable records cause AXFR failure?
Date:	Thu, 10 Mar 2016 11:18:29 +1100
To:	bind9-bugs@isc.org
From:	"Mark Andrews" <marka@isc.org>

People also expect nameservers to reject garbage in records which is what named and dig are doing when they can. Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka@isc.org

Wed, 09 Mar 2016 19:24:42 -0500 Robert Edmonds <edmonds@mycre.ws> - Correspondence added

Subject:	Re: [ISC-Bugs #41900] Unpresentable records cause AXFR failure?
Date:	Wed, 9 Mar 2016 19:24:39 -0500
To:	"Mark Andrews via RT" <bind9-bugs@isc.org>
From:	"Robert Edmonds" <edmonds@mycre.ws>

Mark Andrews via RT wrote: > I don't care what RFC 6844 says here. Once the code point is > allocated the code point format is frozen. Hi, Mark: In that case, why does BIND implement the URI RR format as specified by RFC 7553 (actually, draft-faltstrom-uri-08), and not the URI RR format as specified by the I-D at the point in time the URI RR type code point was allocated? 3906. [protocol] Update URI record format to comply with draft-faltstrom-uri-08. [RT #36642] -- Robert Edmonds

Wed, 09 Mar 2016 19:35:49 -0500 Mark Andrews <marka@isc.org> - Correspondence added

Subject:	Re: [ISC-Bugs #41900] Unpresentable records cause AXFR failure?
Date:	Thu, 10 Mar 2016 11:35:38 +1100
To:	bind9-bugs@isc.org
From:	"Mark Andrews" <marka@isc.org>

In message <rt-4.2.8-32120-1457569482-131.41900-4-0@isc.org>, "Robert Edmonds v ia RT" writes: > Mark Andrews via RT wrote: > > I don't care what RFC 6844 says here. Once the code point is > > allocated the code point format is frozen. I also asked PHB about it and he confirmed it was ASCII only. This needs a erratra to say it is ASCII only. > Hi, Mark: > > In that case, why does BIND implement the URI RR format as specified by > RFC 7553 (actually, draft-faltstrom-uri-08), and not the URI RR format > as specified by the I-D at the point in time the URI RR type code point > was allocated? > > 3906. [protocol] Update URI record format to comply with > draft-faltstrom-uri-08. [RT #36642] Yes, I'm aware of that. I also don't like the change. One of the problems with expert review is that sloppy specs get through. > -- > Robert Edmonds > > > > -- > Ticket History: https://bugs.isc.org/Ticket/Display.html?id=41900 -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka@isc.org

Wed, 09 Mar 2016 20:58:47 -0500 Evan Hunt <each@isc.org> - Correspondence added

CC:
Subject:	Re: [ISC-Bugs #41900] Unpresentable records cause AXFR failure?
Date:	Thu, 10 Mar 2016 01:58:46 +0000
To:	"Mark Andrews via RT" <bind9-bugs@isc.org>
From:	"Evan Hunt" <each@isc.org>

On Thu, Mar 10, 2016 at 12:18:34AM +0000, Mark Andrews via RT wrote: > People also expect nameservers to reject garbage in records which is > what named and dig are doing when they can. See my previous statement about obvious correctness. However, since other implementors are likely to follow the RFC and allow nonalphanumeric characters, and this will affect interoperability, I think Robert's suggestion of allowing such records in wire-format but switching to unknown-type format when rendering them to text is a pretty good one.

Wed, 09 Mar 2016 21:26:14 -0500 Mark Andrews <marka@isc.org> - Correspondence added

Subject:	Re: [ISC-Bugs #41900] Unpresentable records cause AXFR failure?
Date:	Thu, 10 Mar 2016 13:26:06 +1100
To:	bind9-bugs@isc.org
From:	"Mark Andrews" <marka@isc.org>

In message <rt-4.2.8-31497-1457575127-736.41900-4-0@isc.org>, "Evan Hunt via RT " writes: > On Thu, Mar 10, 2016 at 12:18:34AM +0000, Mark Andrews via RT wrote: > > People also expect nameservers to reject garbage in records which is > > what named and dig are doing when they can. > > See my previous statement about obvious correctness. However, since > other implementors are likely to follow the RFC and allow nonalphanumeric > characters, and this will affect interoperability, I think Robert's > suggestion of allowing such records in wire-format but switching to > unknown-type format when rendering them to text is a pretty good one. No, it won't. You need people to publish non ASCII tags which means first people need to decide to use a non ASCII tag in contravention of lots of text saying to only use ASCII. You also need to get them added to the Certification Authority Restriction Properties registry run by IANA. They then will be published as \DDD encoded strings by all the DNS tools if we were to permit non ASCII to pass. DNS developers testing ambigious corner cases will do this but no one else ever will. There is no need for non ASCII here. Tags are like SMTP commands. They don't need to be anything other than ASCII as they are not for human consumption. These records are designed to be consumed by machines automatically checking if particular operations are permitted. The RFC itself needs to be fixed. It is self contradictory. One of the following needs to be changed. Tag values MAY contain US-ASCII characters 'a' through 'z', 'A' through 'Z', and the numbers 0 through 9. Tag values SHOULD NOT contain any other characters. Matching of tag values is case insensitive. or Tag: Is a non-zero sequence of US-ASCII letters and numbers in lower case. We don't need to do anything until that is decided. Mark > -- > Ticket History: https://bugs.isc.org/Ticket/Display.html?id=41900 -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka@isc.org

Thu, 10 Mar 2016 13:57:13 -0500 Robert Edmonds <edmonds@mycre.ws> - Correspondence added

Subject:	Re: [ISC-Bugs #41900] Unpresentable records cause AXFR failure?
Date:	Thu, 10 Mar 2016 13:57:08 -0500
To:	"Mark Andrews via RT" <bind9-bugs@isc.org>
From:	"Robert Edmonds" <edmonds@mycre.ws>

Hi, Mark Andrews via RT wrote: > DNS developers testing ambigious corner cases will do this but no > one else ever will. Better to test the heck out of the ambiguous corner cases than not, IMHO. I also happen to think that ambiguous corner cases shouldn't cause zone transfer failures... > The RFC itself needs to be fixed. It is self contradictory. > > One of the following needs to be changed. > > Tag values MAY contain US-ASCII characters 'a' through 'z', 'A' > through 'Z', and the numbers 0 through 9. Tag values SHOULD NOT > contain any other characters. Matching of tag values is case > insensitive. > > or > > Tag: Is a non-zero sequence of US-ASCII letters and numbers in lower > case. I actually don't think these two excerpts are contradictory at all. §5.1 ("Syntax") is describing the wire format, while §5.1.1 ("Canonical Presentation Format") is describing the presentation format. The reasoning in the rejection of erratum 4061 explicitly says that they can differ. Now, I disagree with the reasoning in the rejection of erratum 4061 and it smells like a post-hoc rationalization for a dumb mistake in the spec to me, and I think RRTYPE specifications should be required to have 1-to-1 convertibility between wire formats and canonical presentation formats (i.e., without resorting to generic RFC 3597 presentation format). I don't know of any text anywhere that explicitly requires that currently, though. -- Robert Edmonds

Thu, 17 Mar 2016 09:07:04 -0400 Stephen Morris <stephen@isc.org> - Priority P2 Normal added

Thu, 17 Mar 2016 09:07:04 -0400 Stephen Morris <stephen@isc.org> - Severity S2 Normal added

Thu, 17 Mar 2016 09:07:04 -0400 Stephen Morris <stephen@isc.org> - Area bug added

Thu, 17 Mar 2016 09:07:05 -0400 Stephen Morris <stephen@isc.org> - Component BIND Server added

Mon, 10 Jul 2017 13:58:02 -0400 Vicky Risk <vicky@isc.org> - Queue changed from #6 to bind9-public

Created:	Wed, 09 Mar 2016 15:53:31 -0500
Updated:	Mon, 10 Jul 2017 13:58:02 -0400
Closed:	Not set

Bug #41900 for bind9-public: Unpresentable records cause AXFR failure?

This bug tracker is no longer active.