Report information

The Basics
Id: 47109
Status: resolved
Priority: Medium/Medium
Queue:

People
Owner: Nobody in particular
Cc:
AdminCc:

BugTracker
Version Fixed: 9.12.1
Version Found: 9.12.0
Versions Affected: (no value)
Versions Planned: 9.12.1
Priority: (no value)
Severity: (no value)
CVSS Score: (no value)
CVE ID: (no value)
Component: (no value)
Area: (no value)

Dates
Created: Fri, 02 Feb 2018 12:56:17 -0500
Updated: Fri, 02 Feb 2018 17:27:26 -0500
Closed: Fri, 02 Feb 2018 14:44:07 -0500




Date: Fri, 2 Feb 2018 11:56:11 -0600
To: bind-bugs@isc.org
From: "Nathan Neulinger" <nneul@mst.edu>
Subject: Changes in 9.12 (related to additional-from changes?) break functionality of a recursive resolver that has cnames crossing zones
Scenario: Recursive resolver host that is either

A) Authoritative master for zones srv.example.com and example.com
B) Authoritative ixfr slave for zones srv.example.com and example.com

With 9.11, a lookup of 'service.example.com' that is a cname to 'server.srv.example.com' will return the cname and the A record.

With 9.12, it returns only the cname, expecting the client system to do the recursion to the second zone.

I can understand this new behavior on a normal master server for multiple zones - since that should not be getting queried by clients that don't do their own recursive lookups. However, for a server that has recursion enabled - it shouldn't be sending back a partial response like this and expecting the client system to do the recursion since that will break any normal desktop client system.

Another way of looking at it would be if I had a recursive-only (no slave zones) server - it would work fine. The moment I enhance that recursive server by giving it a full authoritative copy of the zones - it breaks.

If the expectation/statement going forward is that a bind 9.12 recursive server cannot also be authoritative slave, then that should be called out much more blatantly in release notes.

-- Nathan

------------------------------------------------------------
Nathan Neulinger                       nneul@mst.edu
Missouri S&T Information Technology    (573) 612-1412
System Administrator - Architect
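The symptom described in the report above can be checked mechanically against a resolver's answer section. The following is an added example, not code from the report or from ISC: it assumes input in `dig +noall +answer` layout, uses constructed sample answers (the address 192.0.2.10 is made up for illustration), and the function names are hypothetical.

```python
# Added example: classify an answer section as a complete or partial CNAME chain.
ADDRESS_TYPES = {"A", "AAAA"}

# Constructed answer sections in `dig +noall +answer` layout. Names are the ones
# used in the report; 192.0.2.10 is a documentation address chosen here.
ANSWER_9_11 = """\
service.example.com.     3600 IN CNAME server.srv.example.com.
server.srv.example.com.  3600 IN A     192.0.2.10
"""
ANSWER_9_12 = """\
service.example.com.     3600 IN CNAME server.srv.example.com.
"""

def parse_answer(text):
    """Return (owner, rrtype, rdata) tuples from answer-section lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue                      # skip blanks and dig comments
        fields = line.split(None, 4)      # owner, ttl, class, type, rdata
        if len(fields) == 5:
            owner, _ttl, _cls, rrtype, rdata = fields
            records.append((owner.lower(), rrtype.upper(), rdata.strip()))
    return records

def chain_status(qname, records, max_hops=16):
    """Follow CNAMEs from qname using only the records in this one answer.

    Returns (status, last_name): 'complete' if an address record is reached,
    'partial' if a CNAME target has no records in the answer, 'empty' if
    qname itself has none, 'loop' for a cycle or a chain over max_hops.
    """
    name = qname.lower().rstrip(".") + "."
    seen = set()
    while name not in seen and len(seen) < max_hops:
        seen.add(name)
        if any(o == name and t in ADDRESS_TYPES for o, t, _ in records):
            return "complete", name
        targets = [r.lower() for o, t, r in records if o == name and t == "CNAME"]
        if not targets:
            return ("empty" if len(seen) == 1 else "partial"), name
        name = targets[0].rstrip(".") + "."
    return "loop", name

if __name__ == "__main__":
    for label, text in (("9.11", ANSWER_9_11), ("9.12", ANSWER_9_12)):
        print(label, chain_status("service.example.com", parse_answer(text)))
```

A "partial" result from a server with recursion enabled matches the behaviour reported here; stub resolvers that do not chase CNAMEs themselves will fail on such an answer.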
Date: Fri, 2 Feb 2018 18:38:31 +0000
CC:
Subject: Re: [ISC-Bugs #47109] Changes in 9.12 (related to additional-from changes?) break functionality of a recursive resolver that has cnames crossing zones
To: "Neulinger, Nathan via RT" <bind9-confidential@isc.org>
From: "Evan Hunt" <each@isc.org>
Thank you for the report. This is a known bug; the restriction of cross-zone CNAMEs was being incorrectly applied to recursive queries as well as authoritative. (The bug has existed for a long time, actually, but was masked by another one that went away when we removed additional-from-auth.) Someone else reported the same issue last week, and it's already been fixed for the 9.12.1 maintenance release.

If you wish you can pull an updated version of the v9_12 branch from our source repository (source.isc.org), or apply the attached patch.

Message body is not shown because sender requested not to inline it.

From: "Nathan Neulinger" <nneul@mst.edu>
To: bind9-confidential@isc.org
Date: Fri, 2 Feb 2018 12:39:29 -0600
Subject: Re: [ISC-Bugs #47109] Changes in 9.12 (related to additional-from changes?) break functionality of a recursive resolver that has cnames crossing zones
Thank you!

On 2/2/18 12:38 PM, Evan Hunt via RT wrote:
> Thank you for the report. This is a known bug; the restriction of
> cross-zone CNAMEs was being incorrectly applied to recursive queries as
> well as authoritative. (The bug has existed for a long time, actually,
> but was masked by another one that went away when we removed
> additional-from-auth.) Someone else reported the same issue last week,
> and it's already been fixed for the 9.12.1 maintenance release.
>
> If you wish you can pull an updated version of the v9_12 branch from our
> source repository (source.isc.org), or apply the attached patch.
>

--
------------------------------------------------------------
Nathan Neulinger                       nneul@mst.edu
Missouri S&T Information Technology    (573) 612-1412
System Administrator - Architect
Subject: Re: [ISC-Bugs #47109] Changes in 9.12 (related to additional-from changes?) break functionality of a recursive resolver that has cnames crossing zones
To: bind9-confidential@isc.org
Date: Fri, 2 Feb 2018 12:49:28 -0600
From: "Nathan Neulinger" <nneul@mst.edu>
If you can make this public that would be appreciated.

-- Nathan

On 2/2/18 12:39 PM, Neulinger, Nathan via RT wrote:
> Thank you!
>
> On 2/2/18 12:38 PM, Evan Hunt via RT wrote:
>> Thank you for the report. This is a known bug; the restriction of
>> cross-zone CNAMEs was being incorrectly applied to recursive queries as
>> well as authoritative. (The bug has existed for a long time, actually,
>> but was masked by another one that went away when we removed
>> additional-from-auth.) Someone else reported the same issue last week,
>> and it's already been fixed for the 9.12.1 maintenance release.
>>
>> If you wish you can pull an updated version of the v9_12 branch from our
>> source repository (source.isc.org), or apply the attached patch.
>>
>

--
------------------------------------------------------------
Nathan Neulinger                       nneul@mst.edu
Missouri S&T Information Technology    (573) 612-1412
System Administrator - Architect