Report information

The Basics
Id: 45482
Status: rejected
Priority: Medium/Medium
Queue:

People
Owner: Nobody in particular
Cc:
AdminCc:

BugTracker
Version Fixed: n/a
Version Found: (no value)
Versions Affected: (no value)
Versions Planned: (no value)
Priority: P2 Normal
Severity: S2 Normal
CVSS Score: (no value)
CVE ID: (no value)
Component: (no value)
Area: Other

Dates
Created: Thu, 29 Jun 2017 15:39:33 -0400
Updated: Fri, 30 Jun 2017 06:24:17 -0400
Closed: Fri, 30 Jun 2017 06:24:17 -0400


To: "bind-bugs@isc.org" <bind-bugs@isc.org>
From: "Jim Yang" <zy33@cornell.edu>
CC: "Mukund Sivaraman" <muks@isc.org>
Subject: BIND bug report
Date: Thu, 29 Jun 2017 19:39:12 +0000
Hi,

As per Mukund Sivaraman’s suggestion, I am reporting a bug in BIND. This name “sign.encoding.information.uzmzudseodc2fjpyi6mjcxndiymtuzmzufazdseyi6swh58fmodc2fjqxoc2fjp.chinaboca.com” was successfully loaded into a RPZ zone. The label “uzmzudseodc2fjpyi6mjcxndiymtuzmzufazdseyi6swh58fmodc2fjqxoc2fjp” is 64 bytes long (> label limit 63 bytes RFC 1035).

The sample RPZ zone is listed below.

$ORIGIN rpz.example.com.
$TTL 1H
@ SOA LOCALHOST. named-mgr.example.com (1 1h 15m 30d 2h)
NS LOCALHOST.

; QNAME policy records.
; Note: There are no periods (.) after the (relativised) owner names.

sign.encoding.information.uzmzudseodc2fjpyi6mjcxndiymtuzmzufazdseyi6swh58fmodc2fjqxoc2fjp.chinaboca.com A 10.0.0.1 ; redirect to walled garden
AAAA 2001:2::1

named-checkconf does not report any error about this name.

I tested the name using 8.8.8.8 on both CentOS 7 and a MacBook Pro running macOS Sierra. The dig version on CentOS 7 is 9.9.4-RedHat-9.9.4-38.el7_3.2 and it always gives ‘NXDOMAIN’ no matter how long I make the label (I tested 64, 65, 80 bytes long). The results from my MacBook Pro are listed below:

The length of uzmzudseodc2fjpyi6mjcxndiymtuzmzufazdseyi6swh58fmodc2fjqxoc2fjp is 64 bytes.

$ dig @8.8.8.8 sign.encoding.information.uzmzudseodc2fjpyi6mjcxndiymtuzmzufazdseyi6swh58fmodc2fjqxoc2fjp.chinaboca.com

; <<>> DiG 9.8.3-P1 <<>> @8.8.8.8 sign.encoding.information.uzmzudseodc2fjpyi6mjcxndiymtuzmzufazdseyi6swh58fmodc2fjqxoc2fjp.chinaboca.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 59096
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;sign.encoding.information.uzmzudseodc2fjpyi6mjcxndiymtuzmzufazdseyi6swh58fmodc2fjqxoc2fjp.chinaboca.com. IN A

;; AUTHORITY SECTION:
chinaboca.com. 1799 IN SOA ns9.sinohosting.net. admin.cycomsupport.com. 2017020401 3600 7200 1209600 86400

;; Query time: 108 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Jun 29 15:16:33 2017
;; MSG SIZE rcvd: 195

The length of uzmzudseodc2fjpyi6mjcxndiymtuzmzufazdseyi6swh58fmodc2fjqxoc2fjp66 is 66 bytes.

OIT-ZY33-ML2:~ zy33$ dig sign.encoding.information.uzmzudseodc2fjpyi6mjcxndiymtuzmzufazdseyi6swh58fmodc2fjqxoc2fjp66.chinaboca.com
dig: 'sign.encoding.information.uzmzudseodc2fjpyi6mjcxndiymtuzmzufazdseyi6swh58fmodc2fjqxoc2fjp66.chinaboca.com' is not a legal name (label too long)

dig should report that the name is not a legal name when the label length is 64 (> 63 bytes), but it only reports the issue when the label length is 65.

Thanks,
Jim

On 6/29/17, 2:40 PM, "Mukund Sivaraman" <muks@isc.org> wrote:

Hi Jim

On Thu, Jun 29, 2017 at 01:57:16PM +0000, Jim Yang wrote:
> Hi,
>
> What is the DNS name label length limit? As per RFC 1035, it is 63
> characters. I tested a few DNS names that contain a label that is
> longer than 63 characters, and found that these records were
> successfully loaded in RPZ zone. I wonder if this is a BIND RPZ
> feature or bug (it allows DNS name label that is longer than 63
> characters)?
>
> When I dig these DNS records using 8.8.8.8, it reports them as
> ‘NXDOMAIN’.

Can you send us a bug report with a sample RPZ zone that contains such a name?

Mukund
From: "Mukund Sivaraman" <muks@isc.org>
Subject: Re: [ISC-Bugs #45482] BIND bug report
To: "Jim Yang via RT" <bind9-confidential@isc.org>
Date: Fri, 30 Jun 2017 01:36:11 +0530
Hi Jim

On Thu, Jun 29, 2017 at 07:39:34PM +0000, Jim Yang via RT wrote:
> As per Mukund Sivaraman’s suggestion, I am reporting a bug in BIND. This name “sign.encoding.information.uzmzudseodc2fjpyi6mjcxndiymtuzmzufazdseyi6swh58fmodc2fjqxoc2fjp.chinaboca.com” was successfully loaded into a RPZ zone.
> The label “uzmzudseodc2fjpyi6mjcxndiymtuzmzufazdseyi6swh58fmodc2fjqxoc2fjp” is 64 bytes long (> label limit 63 bytes RFC 1035)
>
> The sample RPZ zone is listed below.
>
> $ORIGIN rpz.example.com.
> $TTL 1H
> @ SOA LOCALHOST. named-mgr.example.com (1 1h 15m 30d 2h)
> NS LOCALHOST.
>
> ; QNAME policy records.
> ; Note: There are no periods (.) after the (relativised) owner names.
>
> sign.encoding.information.uzmzudseodc2fjpyi6mjcxndiymtuzmzufazdseyi6swh58fmodc2fjqxoc2fjp.chinaboca.com A 10.0.0.1 ; redirect to walled garden
> AAAA 2001:2::1

From the zone above:

[muks@jurassic bind9]$ echo -n "uzmzudseodc2fjpyi6mjcxndiymtuzmzufazdseyi6swh58fmodc2fjqxoc2fjp" | wc -c
63
[muks@jurassic bind9]$

That label is not 64 octets long, it is 63 octets long. I have verified by adding an extra octet to this long label that it is then rejected by named-checkzone.

Mukund
Subject: Re: [ISC-Bugs #45482] BIND bug report
To: "bind9-confidential@isc.org" <bind9-confidential@isc.org>
From: "Jim Yang" <zy33@cornell.edu>
Date: Thu, 29 Jun 2017 20:14:28 +0000
You are correct. I counted the trailing newline in the data file. Sorry about this confusion.

Thanks,
Jim

On 6/29/17, 4:06 PM, "Mukund Sivaraman via RT" <bind9-confidential@isc.org> wrote:

Hi Jim

On Thu, Jun 29, 2017 at 07:39:34PM +0000, Jim Yang via RT wrote:
> As per Mukund Sivaraman’s suggestion, I am reporting a bug in BIND. This name “sign.encoding.information.uzmzudseodc2fjpyi6mjcxndiymtuzmzufazdseyi6swh58fmodc2fjqxoc2fjp.chinaboca.com” was successfully loaded into a RPZ zone.
> The label “uzmzudseodc2fjpyi6mjcxndiymtuzmzufazdseyi6swh58fmodc2fjqxoc2fjp” is 64 bytes long (> label limit 63 bytes RFC 1035)
>
> The sample RPZ zone is listed below.
>
> $ORIGIN rpz.example.com.
> $TTL 1H
> @ SOA LOCALHOST. named-mgr.example.com (1 1h 15m 30d 2h)
> NS LOCALHOST.
>
> ; QNAME policy records.
> ; Note: There are no periods (.) after the (relativised) owner names.
>
> sign.encoding.information.uzmzudseodc2fjpyi6mjcxndiymtuzmzufazdseyi6swh58fmodc2fjqxoc2fjp.chinaboca.com A 10.0.0.1 ; redirect to walled garden
> AAAA 2001:2::1

From the zone above:

[muks@jurassic bind9]$ echo -n "uzmzudseodc2fjpyi6mjcxndiymtuzmzufazdseyi6swh58fmodc2fjqxoc2fjp" | wc -c
63
[muks@jurassic bind9]$

That label is not 64 octets long, it is 63 octets long. I have verified by adding an extra octet to this long label that it is then rejected by named-checkzone.

Mukund
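The length rule this ticket turns on, as an added example that is not part of the ISC thread or of BIND: a Python check of the RFC 1035 label and name limits applied to the exact name from the report, together with the trailing-newline miscount that produced the "64 bytes" figure. The function names and the simulated file contents are my own assumptions.

```python
# Added example (not BIND code): RFC 1035 length checks applied to the
# label from ISC ticket #45482, plus the trailing-newline miscount.

MAX_LABEL_OCTETS = 63   # RFC 1035 section 2.3.4: a label is at most 63 octets
MAX_NAME_OCTETS = 255   # wire-format name limit, including length bytes and root

# The label from the report; wc -c on it (without a newline) gives 63.
LABEL = "uzmzudseodc2fjpyi6mjcxndiymtuzmzufazdseyi6swh58fmodc2fjqxoc2fjp"
NAME = "sign.encoding.information." + LABEL + ".chinaboca.com"


def check_name(name):
    """Return (ok, reason) for a presentation-format DNS name.

    Mirrors what a zone checker such as named-checkzone would reject:
    any label longer than 63 octets, or a wire-format name over 255.
    """
    labels = name.rstrip(".").split(".")
    wire_len = 1  # the terminating zero-length root label
    for label in labels:
        octets = label.encode("ascii")  # hostname labels are ASCII
        if len(octets) == 0:
            return False, "empty label"
        if len(octets) > MAX_LABEL_OCTETS:
            return False, "label too long (%d > %d)" % (len(octets), MAX_LABEL_OCTETS)
        wire_len += 1 + len(octets)  # one length byte per label
    if wire_len > MAX_NAME_OCTETS:
        return False, "name too long (%d > %d)" % (wire_len, MAX_NAME_OCTETS)
    return True, "ok"


def counted_octets(file_contents, strip_newline):
    """Count a label the way `wc -c` does on a file: a trailing newline
    is included unless it is stripped first (the source of the 64 in the report)."""
    text = file_contents.rstrip("\n") if strip_newline else file_contents
    return len(text.encode("ascii"))


def with_extra(name, suffix):
    """Append octets to the long label, as the reporter did with '66'."""
    return name.replace(LABEL, LABEL + suffix)


if __name__ == "__main__":
    # Constructed file contents: the label followed by a newline, as in a data file.
    print(counted_octets(LABEL + "\n", False), counted_octets(LABEL + "\n", True))
    for candidate in (NAME, with_extra(NAME, "6"), with_extra(NAME, "66")):
        print(check_name(candidate))
```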