Bug 922413

Summary: rollerd parsing of signed zonefile fails
Product: [Fedora] Fedora
Component: dnssec-tools
Version: 18
Hardware: x86_64
OS: Linux
Status: CLOSED ERRATA
Severity: high
Priority: unspecified
Keywords: Reopened
Reporter: Glen Eustace <geustace>
Assignee: Wes Hardaker <wjhns174>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: wjhns174
Fixed In Version: dnssec-tools-1.13-12.el6
Doc Type: Bug Fix
Type: Bug
Last Closed: 2013-06-04 21:01:54 UTC
Clone Of:
: 1056277 (view as bug list)
Attachments:
* My solution (flags: none)
* 2nd attempt at a solution. (flags: none)

Description Glen Eustace 2013-03-16 18:27:51 UTC
Description of problem:

dnssec-signzone is now generating multi-line NSEC3 records.  These records are not supported by the DNS::Zonefile::Fast.pm module and hence rollerd aborts.

Version-Release number of selected component (if applicable):

bind 9.9.2-8-P1, dnssec-tools-1.14-2, dnssec-tools-perlmods-1.14-2

How reproducible:

Consistent failure.

Comment 1 Glen Eustace 2013-03-16 18:29:49 UTC
Created attachment 711147 [details]
My solution

Comment 2 Glen Eustace 2013-03-16 21:03:08 UTC
My attached patch only supports the new multi-line NSEC3 so parsing of files with single line NSEC3s would now fail.  I needed this in a hurry, my DNSSec implementation being snarfu'ed.  A more generic solution is probably worth considering.

Comment 3 Glen Eustace 2013-03-16 23:44:01 UTC
Created attachment 711239 [details]
2nd attempt at a solution.

Hopefully this patch will work for both single and multi-line NSEC3 records.

Comment 4 Fedora Update System 2013-04-18 20:32:20 UTC
dnssec-tools-1.13-11.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/dnssec-tools-1.13-11.fc17

Comment 5 Fedora Update System 2013-04-18 20:33:33 UTC
dnssec-tools-1.14-5.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/dnssec-tools-1.14-5.fc18

Comment 6 Fedora Update System 2013-04-18 20:34:18 UTC
dnssec-tools-1.13-11.el6 has been submitted as an update for Fedora EPEL 6.
https://admin.fedoraproject.org/updates/dnssec-tools-1.13-11.el6

Comment 7 Fedora Update System 2013-04-19 17:05:45 UTC
Package dnssec-tools-1.13-11.el6:
* should fix your issue,
* was pushed to the Fedora EPEL 6 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=epel-testing dnssec-tools-1.13-11.el6'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-EPEL-2013-5497/dnssec-tools-1.13-11.el6
then log in and leave karma (feedback).

Comment 8 Fedora Update System 2013-05-01 03:26:58 UTC
dnssec-tools-1.14-5.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 9 Fedora Update System 2013-05-01 03:35:31 UTC
dnssec-tools-1.13-11.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 10 Glen Eustace 2013-05-08 04:49:23 UTC
Seems that I need a patch to my patch.  One can get NSEC3 records with no TYPEs.

--- Fast.pm.orig        2013-05-08 16:40:14.783668525 +1200
+++ Fast.pm     2013-05-08 16:41:22.269388066 +1200
@@ -1248,7 +1248,7 @@
 sub parse_nsec3
   {
       #got more data
-      if ( /\G\s*((\w+\s+)+)\)\s*$/) {
+      if ( /\G\s*((\w+\s+)*)\)\s*$/) {
          my $typelist = $1;
         $typelist = join(" ",sort split(/\s+/,$typelist));
          $nsec3->{ 'typelist' } = $typelist;
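
Review bot: In the changed pattern in parse_nsec3, (\w+\s+)* still requires whitespace after every type mnemonic, so a closing line such as "CNAME RRSIG)" with no space before the parenthesis will not match even though the bare ")" case now does. Consider making the whitespace before the closing parenthesis optional, for example ((?:\w+(?:\s+\w+)*)?)\s*\), and adding a test line for the empty type list this change is meant to accept.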

Comment 11 Wes Hardaker 2013-05-14 13:43:00 UTC
Do you have an example record that it is supposed to match?

Comment 12 Glen Eustace 2013-05-14 18:43:34 UTC
I am now seeing two different NSEC3 resources being generated both with and without the list of RRs.

...
...
JDLSSS5SH3E8G6G5OGJ8N58ICPUI0DED.leithalweapon.geek.nz. 3600 IN NSEC3 1 0 100 D2DE7F290F200819 (
                                        JOC9G7NN6R36LNBTAONOINAJD1B5TB3A
                                         )
...
...
UK3BPPAJR8JPTGCM8RN0A65IR0MIHU4O.leithalweapon.geek.nz. 3600 IN NSEC3 1 0 100 D2DE7F290F200819 (
                                        4FN8MTCORO6CI3IOOGVCBTI777PNJ5O9

                                        CNAME RRSIG )
...
...

Comment 13 Wes Hardaker 2013-05-23 20:43:49 UTC
Here's the full entered patch, FYI.  I added a test suite for the problem too, and made it deal with single line NSEC3 records without a type field as well.

diff --git a/dnssec-tools/tools/modules/ZoneFile-Fast/Fast.pm b/dnssec-tools/tools/modules/ZoneFile-Fast/Fast.pm
index 0c931a2..d2b8dd8 100644
--- a/dnssec-tools/tools/modules/ZoneFile-Fast/Fast.pm
+++ b/dnssec-tools/tools/modules/ZoneFile-Fast/Fast.pm
@@ -983,7 +983,7 @@ sub parse_line
       } elsif (/\G(nsec3)[ \t]+/igc) {
 	  error ("You are missing required modules for NSEC3 support")
 	    if (!$nsec3capable);
-          if (/\G\s*(\d+)\s+(\d+)\s+(\d+)\s+([-0-9A-Fa-f]+)\s+($pat_maybefullname)\s+(.*?)$pat_skip$/gc) {
+          if (/\G\s*(\d+)\s+(\d+)\s+(\d+)\s+([-0-9A-Fa-f]+)\s+($pat_maybefullname)\s*(.*?)$pat_skip$/gc) {
               # XXX: set the typebm field ourselves?
               my ($alg, $flags, $iters, $salt, $nxthash, $typelist) =
                 ($1, $2, $3, $4, $5, $6);
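
Review bot: In the NSEC3 branch of parse_line, changing the separator after ($pat_maybefullname) from \s+ to \s* makes the delimiter optional even when a type list is present, so the pattern itself no longer requires $5 to end at a token boundary before (.*?) begins. Keeping the delimiter mandatory and the list optional, e.g. (?:\s+(.*?))? with $typelist defaulted to an empty string when $6 is undefined, would accept records without types and keep the boundary check.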
@@ -1335,7 +1335,7 @@ sub parse_tlsa
 sub parse_nsec3
   {
       #got more data
-      if ( /\G\s*((\w+\s+)+)\)\s*$/) {
+      if ( /\G\s*((\w+\s+)*)\)\s*$/) {
          my $typelist = $1;
 	 $typelist = join(" ",sort split(/\s+/,$typelist));
          $nsec3->{ 'typelist' } = $typelist;
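
Review bot: The type list pattern in parse_nsec3 uses \w+ for each mnemonic, which excludes hyphens, so a closing line naming a type such as NSAP-PTR would not match; [\w-]+ would cover it. The context line that sorts $typelist is indented with a tab while its neighbours use spaces, and the rr-dnssec.t changes listed as modified are not part of the posted diff, so the new test cases cannot be checked here.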
	Modified   dnssec-tools/tools/modules/ZoneFile-Fast/t/rr-dnssec.t
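
The behaviour discussed in comments 10 to 13, as an added example that is not code from this bug or from dnssec-tools: it runs the old and new parse_nsec3 continuation patterns on the closing lines from comment 12, then goes beyond the patch by folding parenthesised continuations into one logical line before parsing, rather than matching continuation lines one at a time. The helper names logical_records and parse_nsec3_record, the third sample record and its owner name are assumptions made for illustration.

```perl
use strict;
use warnings;

# Constructed input: the two record shapes quoted in comment 12, plus a
# made-up single-line record with no type list (owner name is a placeholder).
my $zone = <<'EOF';
JDLSSS5SH3E8G6G5OGJ8N58ICPUI0DED.leithalweapon.geek.nz. 3600 IN NSEC3 1 0 100 D2DE7F290F200819 (
                                        JOC9G7NN6R36LNBTAONOINAJD1B5TB3A
                                         )
UK3BPPAJR8JPTGCM8RN0A65IR0MIHU4O.leithalweapon.geek.nz. 3600 IN NSEC3 1 0 100 D2DE7F290F200819 (
                                        4FN8MTCORO6CI3IOOGVCBTI777PNJ5O9

                                        CNAME RRSIG )
placeholder.example. 3600 IN NSEC3 1 0 100 D2DE7F290F200819 JOC9G7NN6R36LNBTAONOINAJD1B5TB3A
EOF

# Continuation-line pattern from parse_nsec3, before and after the patch.
my $old = qr/\G\s*((\w+\s+)+)\)\s*$/;
my $new = qr/\G\s*((\w+\s+)*)\)\s*$/;
for my $line ("    )", "    CNAME RRSIG )") {
    printf "%-20s old=%-5s new=%s\n", "'$line'",
        ($line =~ $old ? 'match' : 'fail'), ($line =~ $new ? 'match' : 'fail');
}

# Alternative approach: join "( ... )" continuations into one logical line.
sub logical_records {
    my ($text) = @_;
    my ($buf, $depth, @records) = ('', 0);
    for my $line (split /\n/, $text) {
        $line =~ s/;.*//;                                 # drop comments
        $depth += ($line =~ tr/(//) - ($line =~ tr/)//);  # track open parens
        $buf .= " $line";
        next if $depth > 0;                               # record continues
        $buf =~ tr/()/  /;
        $buf =~ s/^\s+|\s+$//g;
        push @records, $buf if length $buf;
        $buf = '';
    }
    return @records;
}

# Parse one folded NSEC3 record; the type list may be absent.
sub parse_nsec3_record {
    my ($rec) = @_;
    my ($owner, $ttl, $alg, $flags, $iters, $salt, $next, $types) = $rec =~
        /^(\S+)\s+(\d+)\s+IN\s+NSEC3\s+(\d+)\s+(\d+)\s+(\d+)\s+([-0-9A-Fa-f]+)\s+([0-9A-Va-v]+)(?:\s+(.*))?$/
        or return;
    return { owner => $owner, ttl => $ttl, alg => $alg, flags => $flags, iterations => $iters,
             salt => $salt, next => uc $next, typelist => join(' ', sort split ' ', $types // '') };
}

for my $rec (logical_records($zone)) {
    my $r = parse_nsec3_record($rec) or die "unparsed record: $rec\n";
    printf "%s next=%s types=[%s]\n", $r->{owner}, $r->{next}, $r->{typelist};
}
```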

Comment 14 Fedora Update System 2013-05-23 23:15:53 UTC
dnssec-tools-1.13-12.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/dnssec-tools-1.13-12.fc17

Comment 15 Fedora Update System 2013-05-23 23:16:31 UTC
dnssec-tools-1.13-12.el6 has been submitted as an update for Fedora EPEL 6.
https://admin.fedoraproject.org/updates/dnssec-tools-1.13-12.el6

Comment 16 Fedora Update System 2013-05-23 23:19:43 UTC
dnssec-tools-1.14-6.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/dnssec-tools-1.14-6.fc18

Comment 17 Fedora Update System 2013-05-24 19:08:16 UTC
Package dnssec-tools-1.13-12.el6:
* should fix your issue,
* was pushed to the Fedora EPEL 6 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=epel-testing dnssec-tools-1.13-12.el6'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-EPEL-2013-5924/dnssec-tools-1.13-12.el6
then log in and leave karma (feedback).

Comment 18 Fedora Update System 2013-06-04 21:01:54 UTC
dnssec-tools-1.14-6.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 19 Fedora Update System 2013-06-04 21:04:13 UTC
dnssec-tools-1.13-12.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 20 Fedora Update System 2013-06-10 17:01:50 UTC
dnssec-tools-1.13-12.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.