Bug 922413
Summary: | rollerd parsing of signed zonefile fails
---|---
Product: | [Fedora] Fedora
Reporter: | Glen Eustace <geustace>
Component: | dnssec-tools
Assignee: | Wes Hardaker <wjhns174>
Status: | CLOSED ERRATA
QA Contact: | Fedora Extras Quality Assurance <extras-qa>
Severity: | high
Priority: | unspecified
Version: | 18
CC: | wjhns174
Keywords: | Reopened
Hardware: | x86_64
OS: | Linux
Fixed In Version: | dnssec-tools-1.13-12.el6
Doc Type: | Bug Fix
: | 1056277 (view as bug list)
Last Closed: | 2013-06-04 21:01:54 UTC
Type: | Bug

Description
Glen Eustace
2013-03-16 18:27:51 UTC
Created attachment 711147 [details]
My solution
My attached patch only supports the new multi-line NSEC3 so parsing of files with single line NSEC3s would now fail. I needed this in a hurry, my DNSSec implementation being snarfu'ed. A more generic solution is probably worth considering.

Created attachment 711239 [details]
2nd attempt at a solution.
Hopefully this patch will work for both single and multi-line NSEC3 records.
dnssec-tools-1.13-11.fc17 has been submitted as an update for Fedora 17. https://admin.fedoraproject.org/updates/dnssec-tools-1.13-11.fc17 dnssec-tools-1.14-5.fc18 has been submitted as an update for Fedora 18. https://admin.fedoraproject.org/updates/dnssec-tools-1.14-5.fc18 dnssec-tools-1.13-11.el6 has been submitted as an update for Fedora EPEL 6. https://admin.fedoraproject.org/updates/dnssec-tools-1.13-11.el6 Package dnssec-tools-1.13-11.el6: * should fix your issue, * was pushed to the Fedora EPEL 6 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=epel-testing dnssec-tools-1.13-11.el6' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-EPEL-2013-5497/dnssec-tools-1.13-11.el6 then log in and leave karma (feedback). dnssec-tools-1.14-5.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report. dnssec-tools-1.13-11.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report. Seems that I need a patch to my patch. One can get NSEC3 records with no TYPEs. --- Fast.pm.orig 2013-05-08 16:40:14.783668525 +1200 +++ Fast.pm 2013-05-08 16:41:22.269388066 +1200 
@@ -1248,7 +1248,7 @@ sub parse_nsec3 { #got more data - if ( /\G\s*((\w+\s+)+)\)\s*$/) { + if ( /\G\s*((\w+\s+)*)\)\s*$/) { my $typelist = $1; $typelist = join(" ",sort split(/\s+/,$typelist)); $nsec3->{ 'typelist' } = $typelist; Do you have an example record that it is supposed to match? I am now seeing two different NSEC3 resources being generated both with and without the list of RRs. ... ... JDLSSS5SH3E8G6G5OGJ8N58ICPUI0DED.leithalweapon.geek.nz. 3600 IN NSEC3 1 0 100 D2DE7F290F200819 ( JOC9G7NN6R36LNBTAONOINAJD1B5TB3A ) ... ... UK3BPPAJR8JPTGCM8RN0A65IR0MIHU4O.leithalweapon.geek.nz. 3600 IN NSEC3 1 0 100 D2DE7F290F200819 ( 4FN8MTCORO6CI3IOOGVCBTI777PNJ5O9 CNAME RRSIG ) ... ... Here's the full entered patch, FYI. I added a test suite for the problem too, and made it deal with single line NSEC3 records without a type field as well. diff --git a/dnssec-tools/tools/modules/ZoneFile-Fast/Fast.pm b/dnssec-tools/tools/modules/ZoneFile-Fast/Fast.pm index 0c931a2..d2b8dd8 100644 --- a/dnssec-tools/tools/modules/ZoneFile-Fast/Fast.pm +++ b/dnssec-tools/tools/modules/ZoneFile-Fast/Fast.pm @@ -983,7 +983,7 @@ sub parse_line } elsif (/\G(nsec3)[ \t]+/igc) { error ("You are missing required modules for NSEC3 support") if (!$nsec3capable); - if (/\G\s*(\d+)\s+(\d+)\s+(\d+)\s+([-0-9A-Fa-f]+)\s+($pat_maybefullname)\s+(.*?)$pat_skip$/gc) { + if (/\G\s*(\d+)\s+(\d+)\s+(\d+)\s+([-0-9A-Fa-f]+)\s+($pat_maybefullname)\s*(.*?)$pat_skip$/gc) { # XXX: set the typebm field ourselves? my ($alg, $flags, $iters, $salt, $nxthash, $typelist) = ($1, $2, $3, $4, $5, $6); 
@@ -1335,7 +1335,7 @@ sub parse_tlsa sub parse_nsec3 { #got more data - if ( /\G\s*((\w+\s+)+)\)\s*$/) { + if ( /\G\s*((\w+\s+)*)\)\s*$/) { my $typelist = $1; $typelist = join(" ",sort split(/\s+/,$typelist)); $nsec3->{ 'typelist' } = $typelist; Modified dnssec-tools/tools/modules/ZoneFile-Fast/t/rr-dnssec.t dnssec-tools-1.13-12.fc17 has been submitted as an update for Fedora 17. https://admin.fedoraproject.org/updates/dnssec-tools-1.13-12.fc17 dnssec-tools-1.13-12.el6 has been submitted as an update for Fedora EPEL 6. https://admin.fedoraproject.org/updates/dnssec-tools-1.13-12.el6 dnssec-tools-1.14-6.fc18 has been submitted as an update for Fedora 18. https://admin.fedoraproject.org/updates/dnssec-tools-1.14-6.fc18 Package dnssec-tools-1.13-12.el6: * should fix your issue, * was pushed to the Fedora EPEL 6 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=epel-testing dnssec-tools-1.13-12.el6' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-EPEL-2013-5924/dnssec-tools-1.13-12.el6 then log in and leave karma (feedback). dnssec-tools-1.14-6.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report. dnssec-tools-1.13-12.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report. dnssec-tools-1.13-12.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report. |
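
Review bot: In the parse_line hunk (@@ -983), relaxing `\s+` to `\s*` between `($pat_maybefullname)` and `(.*?)` makes the separator optional even when a type list is present, so the boundary between the next hashed owner name and the first type now depends entirely on where `$pat_maybefullname` stops matching. Keeping the whitespace mandatory whenever a list follows, for example `($pat_maybefullname)(?:\s+(.*?))?$pat_skip$`, accepts the no-type record without loosening the other case; `$6` would then need a default of the empty string. The `# XXX: set the typebm field ourselves?` comment is left unresolved, and since `$typelist` can now be empty it is worth stating next to it what the type bitmap should be in that case.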
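
Review bot: In the parse_nsec3 hunk (@@ -1248 in the first patch, @@ -1335 in the full one), the new pattern `/\G\s*((\w+\s+)*)\)\s*$/` still requires whitespace after every type mnemonic, so a continuation line closed as `CNAME RRSIG)` with no space before the parenthesis fails to match just as it did before the change. Consider `/\G\s*((?:\w+(?:\s+\w+)*)?)\s*\)\s*$/`, which also drops the unused inner capture group. Two further points: `\w+` cannot match a hyphenated mnemonic such as NSAP-PTR, and this pattern ends in `\s*$` where the parse_line pattern ends in `$pat_skip$`, so the single-line and multi-line paths may treat trailing content after the type list differently. With an empty list `$nsec3->{ 'typelist' }` becomes the empty string; a short comment saying that is intended would help the next reader.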