[Pdns-dev] [PATCH] Possible wildcard bug

Mike Wilson geekinutah at gmail.com
Thu Feb 17 11:13:28 CET 2011


Hey, noticed this while testing PowerDNS Authoritative Nameserver
2.9.22. Here's my config file:

logging-facility=0
skip-cname=no
launch=gmysql
gmysql-user=pdns
gmysql-password=*secret*
gmysql-dbname=pdns
loglevel=9
wildcards=yes
daemon=yes
soa-expire-default=300
soa-minimum-ttl=60
distributor-threads=1
out-of-zone-additional-processing=yes
recursor=8.8.8.8


Let's say I have a wildcard record pointing to 1.1.1.1 for zone. I
also have example.zone in my database. When I query the nameserver for
nonexistentsubdomain.example.zone I would always get 1.1.1.1 as my
answer. I was expecting to get no answer at all rather than the
wildcard for zone. I'm not an expert at DNS, but looking at RFC 1034
it seems like my expectations match with the required behavior and I
cannot find anything in RFC 4592 that would seem to change that.
Specifically, this is the part it seems to violate from section 4.3.3
of RFC 1034:

Wildcard RRs do not apply:

  - When the query is in another zone.  That is, delegation cancels
    the wildcard defaults.

  - When the query name or a name between the wildcard domain and
    the query name is know to exist.  For example, if a wildcard
    RR has an owner name of "*.X", and the zone also contains RRs
    attached to B.X, the wildcards would apply to queries for name
    Z.X (presuming there is no explicit information for Z.X), but
    not to B.X, A.B.X, or X.

I wrote a patch to correct the behavior if it is indeed a bug. The
patch is included. What do you guys think? I realize that it doesn't
cover the whole case of "the zone also contains RRs attached to B.X",
but checking to see if we are authoritative for that domain would seem
like a good place to stop the wildcard search.

-Mike Wilson
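
The RFC 1034 section 4.3.3 rule quoted in the message above, worked through as an added Python example (not part of the original post and not PowerDNS code). It contrasts a label-stripping wildcard search, which models the behaviour the post reports, with a lookup that stops at the closest existing name; the function names, the apex "zone" and the address 192.0.2.10 are assumptions made for the illustration.

```python
"""Wildcard applicability per RFC 1034 section 4.3.3 (added example)."""

def labels(name):
    """Lowercased labels of a domain name, ignoring a trailing dot."""
    return [l for l in name.lower().rstrip(".").split(".") if l]

def normalise(records):
    return {".".join(labels(k)): v for k, v in records.items()}

def naive_lookup(qname, apex, records):
    """Models the reported behaviour: strip labels until any wildcard matches."""
    recs, q, a = normalise(records), labels(qname), labels(apex)
    if ".".join(q) in recs:
        return ("exact", recs[".".join(q)])
    for i in range(1, len(q) - len(a) + 1):
        wildcard = "*." + ".".join(q[i:])
        if wildcard in recs:
            return ("wildcard", recs[wildcard])
    return ("nxdomain", None)

def rfc_lookup(qname, apex, records):
    """Only the wildcard directly below the closest existing ancestor applies."""
    recs, q, a = normalise(records), labels(qname), labels(apex)
    if q[-len(a):] != a:
        raise ValueError("query name is outside the zone")
    # A name exists if it owns records or is an ancestor of a name that does.
    exists = {".".join(a)}
    for owner in recs:
        ls = labels(owner)
        exists.update(".".join(ls[i:]) for i in range(len(ls) - len(a) + 1))
    name = ".".join(q)
    if name in exists:
        return ("exact", recs.get(name))  # None means an empty non-terminal
    for i in range(1, len(q) - len(a) + 1):
        encloser = ".".join(q[i:])
        if encloser in exists:  # first hit is the closest encloser
            wildcard = "*." + encloser
            if wildcard in recs:
                return ("wildcard", recs[wildcard])
            return ("nxdomain", None)  # an existing name blocks wildcards above it
    return ("nxdomain", None)

# Constructed zone data mirroring the post: apex "zone", 1.1.1.1 from the post,
# 192.0.2.10 is a made-up address for example.zone.
RECORDS = {"*.zone": "1.1.1.1", "example.zone": "192.0.2.10"}

if __name__ == "__main__":
    for q in ("nonexistentsubdomain.example.zone", "other.zone", "example.zone"):
        print(q, naive_lookup(q, "zone", RECORDS), rfc_lookup(q, "zone", RECORDS))
```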

