Bug 922413 - rollerd parsing of signed zonefile fails
Summary: rollerd parsing of signed zonefile fails
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: dnssec-tools
Version: 18
Hardware: x86_64
OS: Linux
unspecified
high
Target Milestone: ---
Assignee: Wes Hardaker
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2013-03-16 18:27 UTC by Glen Eustace
Modified: 2013-06-10 17:01 UTC

Fixed In Version: dnssec-tools-1.13-12.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 1056277
Environment:
Last Closed: 2013-06-04 21:01:54 UTC
Type: Bug


Attachments
My solution (4.32 KB, patch)
2013-03-16 18:29 UTC, Glen Eustace
2nd attempt at a solution. (4.95 KB, patch)
2013-03-16 23:44 UTC, Glen Eustace

Description Glen Eustace 2013-03-16 18:27:51 UTC
Description of problem:

dnssec-signzone is now generating multi-line NSEC3 records.  These records are not supported by the DNS::Zonefile::Fast.pm module and hence rollerd aborts.

Version-Release number of selected component (if applicable):

bind 9.9.2-8-P1, dnssec-tools-1.14-2, dnssec-tools-perlmods-1.14-2

How reproducible:

Consistent failure.

Comment 1 Glen Eustace 2013-03-16 18:29:49 UTC
Created attachment 711147
My solution

Comment 2 Glen Eustace 2013-03-16 21:03:08 UTC
My attached patch only supports the new multi-line NSEC3, so parsing of files with single-line NSEC3s would now fail.  I needed this in a hurry, my DNSSEC implementation being snafu'ed.  A more generic solution is probably worth considering.

Comment 3 Glen Eustace 2013-03-16 23:44:01 UTC
Created attachment 711239
2nd attempt at a solution.

Hopefully this patch will work for both single and multi-line NSEC3 records.

Comment 4 Fedora Update System 2013-04-18 20:32:20 UTC
dnssec-tools-1.13-11.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/dnssec-tools-1.13-11.fc17

Comment 5 Fedora Update System 2013-04-18 20:33:33 UTC
dnssec-tools-1.14-5.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/dnssec-tools-1.14-5.fc18

Comment 6 Fedora Update System 2013-04-18 20:34:18 UTC
dnssec-tools-1.13-11.el6 has been submitted as an update for Fedora EPEL 6.
https://admin.fedoraproject.org/updates/dnssec-tools-1.13-11.el6

Comment 7 Fedora Update System 2013-04-19 17:05:45 UTC
Package dnssec-tools-1.13-11.el6:
* should fix your issue,
* was pushed to the Fedora EPEL 6 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=epel-testing dnssec-tools-1.13-11.el6'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-EPEL-2013-5497/dnssec-tools-1.13-11.el6
then log in and leave karma (feedback).

Comment 8 Fedora Update System 2013-05-01 03:26:58 UTC
dnssec-tools-1.14-5.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 9 Fedora Update System 2013-05-01 03:35:31 UTC
dnssec-tools-1.13-11.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 10 Glen Eustace 2013-05-08 04:49:23 UTC
Seems that I need a patch to my patch.  One can get NSEC3 records with no TYPEs.

--- Fast.pm.orig        2013-05-08 16:40:14.783668525 +1200
+++ Fast.pm     2013-05-08 16:41:22.269388066 +1200
@@ -1248,7 +1248,7 @@
 sub parse_nsec3
   {
       #got more data
-      if ( /\G\s*((\w+\s+)+)\)\s*$/) {
+      if ( /\G\s*((\w+\s+)*)\)\s*$/) {
          my $typelist = $1;
         $typelist = join(" ",sort split(/\s+/,$typelist));
          $nsec3->{ 'typelist' } = $typelist;
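
Review bot: In parse_nsec3 the relaxed pattern still requires whitespace after every type name, because (\w+\s+)* is followed directly by \), so a closing line whose last type sits against the parenthesis, such as "CNAME RRSIG)", is still rejected. If that form should parse, let the final name stand without trailing space, for instance ((?:\w+\s+)*\w*)\s*\), and add test lines for both the empty list and the no-space case.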

Comment 11 Wes Hardaker 2013-05-14 13:43:00 UTC
Do you have an example record that it is supposed to match?

Comment 12 Glen Eustace 2013-05-14 18:43:34 UTC
I am now seeing two different NSEC3 resources being generated both with and without the list of RRs.

...
...
JDLSSS5SH3E8G6G5OGJ8N58ICPUI0DED.leithalweapon.geek.nz. 3600 IN NSEC3 1 0 100 D2DE7F290F200819 (
                                        JOC9G7NN6R36LNBTAONOINAJD1B5TB3A
                                         )
...
...
UK3BPPAJR8JPTGCM8RN0A65IR0MIHU4O.leithalweapon.geek.nz. 3600 IN NSEC3 1 0 100 D2DE7F290F200819 (
                                        4FN8MTCORO6CI3IOOGVCBTI777PNJ5O9

                                        CNAME RRSIG )
...
...

Comment 13 Wes Hardaker 2013-05-23 20:43:49 UTC
Here's the full entered patch, FYI.  I added a test suite for the problem too, and made it deal with single line NSEC3 records without a type field as well.

diff --git a/dnssec-tools/tools/modules/ZoneFile-Fast/Fast.pm b/dnssec-tools/tools/modules/ZoneFile-Fast/Fast.pm
index 0c931a2..d2b8dd8 100644
--- a/dnssec-tools/tools/modules/ZoneFile-Fast/Fast.pm
+++ b/dnssec-tools/tools/modules/ZoneFile-Fast/Fast.pm
@@ -983,7 +983,7 @@ sub parse_line
       } elsif (/\G(nsec3)[ \t]+/igc) {
 	  error ("You are missing required modules for NSEC3 support")
 	    if (!$nsec3capable);
-          if (/\G\s*(\d+)\s+(\d+)\s+(\d+)\s+([-0-9A-Fa-f]+)\s+($pat_maybefullname)\s+(.*?)$pat_skip$/gc) {
+          if (/\G\s*(\d+)\s+(\d+)\s+(\d+)\s+([-0-9A-Fa-f]+)\s+($pat_maybefullname)\s*(.*?)$pat_skip$/gc) {
               # XXX: set the typebm field ourselves?
               my ($alg, $flags, $iters, $salt, $nxthash, $typelist) =
                 ($1, $2, $3, $4, $5, $6);
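
Review bot: In the NSEC3 branch of parse_line, changing \s+ to \s* before (.*?) drops the separator between the next-hash field and the type list even when a type list is present, so the split between $5 and $6 now rests entirely on what $pat_maybefullname accepts, which this hunk does not show. Keeping the whitespace mandatory whenever types follow, for example (?:\s+(.*?))? with $typelist defaulted to an empty string, would admit the type-less record without loosening the populated case.
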
@@ -1335,7 +1335,7 @@ sub parse_tlsa
 sub parse_nsec3
   {
       #got more data
-      if ( /\G\s*((\w+\s+)+)\)\s*$/) {
+      if ( /\G\s*((\w+\s+)*)\)\s*$/) {
          my $typelist = $1;
 	 $typelist = join(" ",sort split(/\s+/,$typelist));
          $nsec3->{ 'typelist' } = $typelist;
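
Review bot: In parse_nsec3, \w+ limits each type name to letters, digits and underscore, so a closing line carrying a hyphenated mnemonic fails the whole match rather than just that entry, and the inner group is captured but never used. Consider (?:[\w-]+\s+)* for the repetition, and check that the rr-dnssec.t cases listed below include a closing line consisting of only ")".
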
	Modified   dnssec-tools/tools/modules/ZoneFile-Fast/t/rr-dnssec.t
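
The continuation-line patterns from the patch in Comment 13, run against the closing lines reported in Comment 12, as an added example that is not part of the bug thread or of dnssec-tools. The helper name typelist_of and the third sample line are assumptions made for the illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# The two continuation-line patterns from the parse_nsec3 hunk in Comment 13.
my %pattern = (
    before => qr/\G\s*((\w+\s+)+)\)\s*$/,
    after  => qr/\G\s*((\w+\s+)*)\)\s*$/,
);

# Closing lines of multi-line NSEC3 records. The first two are the shapes
# shown in Comment 12; the third is constructed for this example.
my @closing_lines = (
    "                                        CNAME RRSIG )",
    "                                         )",
    "                                        A RRSIG)",    # constructed
);

# Hypothetical helper: returns the sorted type list (possibly the empty
# string) or undef when the pattern rejects the line. The join/sort/split
# step is the same normalisation the patched code applies to $1.
sub typelist_of {
    my ($re, $line) = @_;
    local $_ = $line;
    return undef unless /$re/;
    return join(" ", sort split(/\s+/, $1));
}

for my $line (@closing_lines) {
    (my $shown = $line) =~ s/^\s+//;
    for my $which (qw(before after)) {
        my $types  = typelist_of($pattern{$which}, $line);
        my $result = defined $types
            ? 'typelist="' . $types . '"'
            : 'no match';
        printf "%-16s %-7s %s\n", '"' . $shown . '"', $which, $result;
    }
}
```

The pre-patch pattern rejects the bare ")" line, which is the case raised in Comment 10; the patched pattern accepts it with an empty type list, and both reject the constructed line that has no space before ")".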

Comment 14 Fedora Update System 2013-05-23 23:15:53 UTC
dnssec-tools-1.13-12.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/dnssec-tools-1.13-12.fc17

Comment 15 Fedora Update System 2013-05-23 23:16:31 UTC
dnssec-tools-1.13-12.el6 has been submitted as an update for Fedora EPEL 6.
https://admin.fedoraproject.org/updates/dnssec-tools-1.13-12.el6

Comment 16 Fedora Update System 2013-05-23 23:19:43 UTC
dnssec-tools-1.14-6.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/dnssec-tools-1.14-6.fc18

Comment 17 Fedora Update System 2013-05-24 19:08:16 UTC
Package dnssec-tools-1.13-12.el6:
* should fix your issue,
* was pushed to the Fedora EPEL 6 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=epel-testing dnssec-tools-1.13-12.el6'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-EPEL-2013-5924/dnssec-tools-1.13-12.el6
then log in and leave karma (feedback).

Comment 18 Fedora Update System 2013-06-04 21:01:54 UTC
dnssec-tools-1.14-6.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 19 Fedora Update System 2013-06-04 21:04:13 UTC
dnssec-tools-1.13-12.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 20 Fedora Update System 2013-06-10 17:01:50 UTC
dnssec-tools-1.13-12.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.

