Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Trailing backslash results in non-FQDN targets #1528

Closed
janik-cloudflare opened this issue Jan 17, 2024 · 6 comments · Fixed by #1532
Closed

Trailing backslash results in non-FQDN targets #1528

janik-cloudflare opened this issue Jan 17, 2024 · 6 comments · Fixed by #1532

Comments

@janik-cloudflare
Copy link
Contributor

Calling NewRR(". 1 IN CNAME example.com") normally turns example.com into an FQDN, example.com., before storing it in the RR's Target variable.

However, NewRR(". 1 IN CNAME example.com\\") with a trailing backslash results in example.com\., which is not an FQDN since the last dot is escaped.

It seems to me like the parser should either add another dot in these cases, or (perhaps better) reject the trailing backslash with an error.

package main

import (
	"fmt"

	"github.com/miekg/dns"
)

func test(content string) {
	rr, err := dns.NewRR(content)
	if err != nil {
		panic(err)
	}

	target := rr.(*dns.CNAME).Target
	fmt.Printf("target %s is FQDN: %t\n", target, dns.IsFqdn(target))
}

func main() {
	test(`. 1 IN CNAME example.com`)
	test(`. 1 IN CNAME example.com\`)
}

$ go run ./...
target example.com. is FQDN: true
target example.com\. is FQDN: false

This may be related to #1384.
@miekg
Copy link
Owner

miekg commented Jan 18, 2024

but \\ is legal, no?
There is def. a problem here, but if we are going to reject \\ there is bound to be more stuff that will be deemed illegal in the future.
Is blindly Fqdn-ing the real problem here? Or is doing Fqdn in the first place the actual, actual problem?

@janik-cloudflare
Copy link
Contributor Author

An even number of slashes definitely seems legal.

Digging a bit, it looks like CNAME.parse() receives an example.com\ token. Maybe (*zlexer).Next() should return an error when escape is still true when returning? I need to look more into how (and if) this would work.

FQDN-ing seems fine to me since CNAME.parse() calls toAbsoluteName based on the provided origin, right?

@miekg
Copy link
Owner

miekg commented Jan 19, 2024 via email

@gibson042
Copy link
Collaborator

It's not a corner case in the RFC; CNAME RDATA format is just a <domain-name> and per RFC 1035 section 5.1:

The labels in the domain name are expressed as character strings and
separated by dots. Quoting conventions allow arbitrary characters to be
stored in domain names. Domain names that end in a dot are called
absolute, and are taken as complete. Domain names which do not end in a
dot are called relative; the actual domain name is the concatenation of
the relative part with an origin specified in a $ORIGIN, $INCLUDE, or as
an argument to the master file loading routine. A relative name is an error when no origin is available.

(where «<character-string> is expressed in one or two ways: as a contiguous set of characters without interior spaces, or as a string beginning with a " and ending with a "… [and] \X where X is any character other than a digit (0-9), is used to quote that character so that its special meaning does not apply»)

So in a zone file, . 1 IN CNAME example.com\ is simply invalid while . 1 IN CNAME example.com and . 1 IN CNAME example.com\\ are both valid, and the target domain name for each is relative to the current origin. NewRR promoting relative domain names in isolated RRs to be root-relative is a design decision, and should be (and AFAIK, is) applied universally—to have those example records respectively target "example.com." (i.e., a domain name in which the first label is "example", the second label is "com", and the third and final label is the DNS root label) and "example.com\092." or equivalently "example.com\\." (i.e., a domain name in which the first label is "example", the second label is the four ASCII characters "com\", and the third and final label is the DNS root label).

@miekg
Copy link
Owner

miekg commented Jan 20, 2024

ack

So in a zone file, . 1 IN CNAME example.com\ is simply invalid while . 1 IN CNAME example.com and . 1 IN CNAME example.com\ are both valid

you agree with returning an error from the parser is escape == true then too?

@gibson042
Copy link
Collaborator

Yes, I think NewRR(". 1 IN CNAME example.com\\") or any other attempt to parse an incomplete escape should return an error. 👍

miekg added a commit that referenced this issue Jan 21, 2024
@miekg
IsDomainName: check for escape as last character
04233ed 
Keep track if the escape, if still true when returning isDomainName
should return false.

TODO:
- Should still be done in packDomainName as well.
- And that should be tested
- Some tests now fail

There are multiple other places that supposedly also check for this, but
they are not called in the parsing.

Fixes: #1528

Signed-off-by: Miek Gieben <miek@miek.nl>
@miekg miekg mentioned this issue Jan 21, 2024
Merged
miekg added a commit that referenced this issue Feb 15, 2024
@miekg
IsDomainName: check for escape as last character (#1532)
2230854 
Keep track if the escape, if still true when returning isDomainName
should return false.

TODO:
- Should still be done in packDomainName as well.
- And that should be tested
- Some tests now fail

There are multiple other places that supposedly also check for this, but
they are not called in the parsing.

Fixes: #1528

Signed-off-by: Miek Gieben <miek@miek.nl>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

IsDomainName: check for escape as last character miekg/dns
3 participants
@miekg @gibson042 @janik-cloudflare