Re: BIND started replying to queries for .com with .COM
On 01/04/16 11:52, Niall O'Reilly wrote:
>> If you are going to pick a single authority for a particular label, it
>> should be the zone that determines whether that label exists or not.
>
> That seems no less arbitrary a rule of thumb than one which would give
> priority to the zone which contains the authoritative NS records.

In a normal recursive resolution of www.example.com, it's worth noting that only the root servers actually return "com.", in the authority section of the referral. The .com servers return "example.com."

What should happen if the following query sequence happens:

www.example.COM -> root => com. NS a.gtld-servers.net
www.example.COM -> TLD => example.COM NS ns.example.COM

Who is right here? The root with ".com" or the TLD with ".COM" as part of a longer label?

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: BIND started replying to queries for .com with .COM
On 1 Apr 2016, at 11:08, Tony Finch wrote:
> Robert Edmonds wrote:
>> Tony Finch wrote:
>>> Phil Mayers wrote:
>>>> What is considered the source of the ownername for, say, "com."?
>>>
>>> It should be the root zone master file.
>>
>> Why not the com zone master file?
>
> If you are going to pick a single authority for a particular label, it
> should be the zone that determines whether that label exists or not.

That seems no less arbitrary a rule of thumb than one which would give priority to the zone which contains the authoritative NS records. 8-)

/Niall
Re: BIND started replying to queries for .com with .COM
Robert Edmonds wrote:
> Tony Finch wrote:
> > Phil Mayers wrote:
> > >
> > > What is considered the source of the ownername for, say, "com."?
> >
> > It should be the root zone master file.
>
> Why not the com zone master file?

If you are going to pick a single authority for a particular label, it should be the zone that determines whether that label exists or not.

Tony.
--
f.anthony.n.finch http://dotat.at/ - I xn--zr8h punycode
Fair Isle, Faeroes: South or southeast 5 to 7, occasionally gale 8, veering southwest 5 or 6 later. Rough or very rough. Rain then showers. Moderate or poor, becoming mainly good.
Re: BIND started replying to queries for .com with .COM
Hi Mike,

When BIND first introduced this Case-Insensitive Response Compression (See https://kb.isc.org/article/AA-01113) I found out that BIND zone_name case sensitivity in a zone statement is preferred over name case sensitivity in the zone itself.

So, you can get a google.COM answer because the zone statement at the authoritative com name server you were talking to is "COM.".

Daniel

On 30.03.16 23:21, Mike Bernhardt wrote:
> I think you misunderstood me. I was getting back google.COM even when I
> queried the server using nslookup from a command prompt on my Windows
> desktop. The probe was failing because it is case-sensitive, but that was
> the symptom, not the problem.
>
> For example:
>> google.com
> Server: athena.bart.gov
> Address: 148.165.30.30
>
> Non-authoritative answer:
> Name: google.COM
> Addresses: 2607:f8b0:4005:801::200e
>            172.217.3.46
>
> Given that the problem cleared after restarting BIND on its CentOS host, I'd
> say the problem was BIND.
>
> -Original Message-
> From: Mark Andrews [mailto:ma...@isc.org]
> Sent: Tuesday, March 29, 2016 5:19 PM
> To: Mike Bernhardt
> Cc: bind-us...@isc.org
> Subject: Re: BIND started replying to queries for .com with .COM
>
>
> Your monitoring probe is broken.
>
> STD 13 says that the DNS is case preserving. The problem is that lots
> of servers aren't case preserving instead they echo back the query case in
> the owner names of records returned which named then records.
>
> In message <030101d18a06$fa21c8d0$ee655a70$@bart.gov>, "Mike Bernhardt"
> writes:
>> I rebooted one of our BIND VMs this morning. It's running BIND
>> 9.10.3-P3. We noticed that queries for domains with domain.com were
>> answered with domain.COM with the .COM in capital letters. Other
>> high-levels like .org were not changed. It caused a monitoring probe
>> to complain because it wasn't getting back what it asked for.
>>
>> Restarting bind on this server fixed the problem. Any ideas on what
>> happened, or where to look?
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
Re: BIND started replying to queries for .com with .COM
Tony Finch wrote:
> Phil Mayers wrote:
> >
> > What is considered the source of the ownername for, say, "com."?
>
> It should be the root zone master file.

Why not the com zone master file?

--
Robert Edmonds
RE: BIND started replying to queries for .com with .COM
I think you misunderstood me. I was getting back google.COM even when I queried the server using nslookup from a command prompt on my Windows desktop. The probe was failing because it is case-sensitive, but that was the symptom, not the problem.

For example:
> google.com
Server: athena.bart.gov
Address: 148.165.30.30

Non-authoritative answer:
Name: google.COM
Addresses: 2607:f8b0:4005:801::200e
           172.217.3.46

Given that the problem cleared after restarting BIND on its CentOS host, I'd say the problem was BIND.

-Original Message-
From: Mark Andrews [mailto:ma...@isc.org]
Sent: Tuesday, March 29, 2016 5:19 PM
To: Mike Bernhardt
Cc: bind-us...@isc.org
Subject: Re: BIND started replying to queries for .com with .COM


Your monitoring probe is broken.

STD 13 says that the DNS is case preserving. The problem is that lots of servers aren't case preserving instead they echo back the query case in the owner names of records returned which named then records.

In message <030101d18a06$fa21c8d0$ee655a70$@bart.gov>, "Mike Bernhardt" writes:
> I rebooted one of our BIND VMs this morning. It's running BIND
> 9.10.3-P3. We noticed that queries for domains with domain.com were
> answered with domain.COM with the .COM in capital letters. Other
> high-levels like .org were not changed. It caused a monitoring probe
> to complain because it wasn't getting back what it asked for.
>
> Restarting bind on this server fixed the problem. Any ideas on what
> happened, or where to look?
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
Re: BIND started replying to queries for .com with .COM
On 30/03/2016 13:15, Tony Finch wrote:
> Phil Mayers wrote:
>> On 30/03/16 10:50, Tony Finch wrote:
>>>
>>> Yes, we encountered that problem recently :-) You can revert to the old
>>> behaviour using
>>>
>>> no-case-compress { any; };
>>
>> +1 super confusing when we first ran into it (Exim dnslookup.c, by any
>> chance? ;o)
>
> Actually Nagios, and it sounds like Mike Bernhardt encountered it there as
> well. I'm now wondering why we haven't noticed a problem with Exim...

You'll only see it if the resolver your Exim process is using has an "unexpected" case version of a label cached (unlikely in normal operation) and you look for it in your logs.

We were seeing things like "=> b...@google.com" on one Exim node, and the lower-case on another, and the difference was in the resolver cache, not what the client sent.
Re: BIND started replying to queries for .com with .COM
On 30/03/2016 13:32, Mark Andrews wrote:
> That said anything matching ownernames should be doing this case
> insensitively.

Absolutely. In our case it was something a little more subtle - the app (Exim) was actually looking for case-changed replies and altering its input to match, which under certain conditions causes very peculiar looking things to happen (recipient email addresses change case in logs, for example)

I'm moderately curious whether there are cases (pardon the pun) where case-mutation of a CNAME RHS might, for example, cause a Kerberos ticket request to fail or similar - so not strict "comparison" situations, but things which are more response-content aware.

Given what Tony Finch just noted about the root, I don't suppose you'd care to comment on those behaviours ;o)
Re: BIND started replying to queries for .com with .COM
On 30/03/2016 13:23, Tony Finch wrote:
> Phil Mayers wrote:
>> What is considered the source of the ownername for, say, "com."?
>
> It should be the root zone master file.

Doh, of course - brainfade, it should be the root.

I am mildly surprised that the root and TLD/2LD servers aren't doing the right thing here. It does make the impact of crazy case-sensitive downstream apps, combined with an "odd" cold-cache priming query, a bit more visible :o/
Re: BIND started replying to queries for .com with .COM
In message <56fbbe83.6080...@imperial.ac.uk>, Phil Mayers writes:
> On 30/03/2016 12:25, Mark Andrews wrote:
>
> > The recent change was to record and return the learnt case of
> > ownernames (to the RRset level) rather than use whatever was used
> > to build the red-black tree names.
>
> What is considered the source of the ownername for, say, "com."? One
> thing I saw when I was trying to understand this was the results of the
> following queries to a cold-cache bind process:
>
> dig @localhost www.microsoft.CoM
> dig @localhost www.google.com
> dig @localhost www.google.com
>
> I was surprised that #2 and #3 auth/add sections contain the .CoM label
> presumably built from #1, and also that #2 and #3 answer sections differ.
>
> None of this is a problem, but I am curious and I couldn't figure it out
> from the code!

Sorry, I forgot, the recording of ownercase is in 9.11 (required new db method which is why it wasn't back ported). 9.10 still uses the rbt case. This preserves the in zone labels assuming the authoritative server preserves the learnt case.

I've been using 9.11.0pre-alpha for too long. This has advantages (I discover bugs in new code first) and disadvantages (you aren't running exactly what everyone else is and occasionally you forget that a feature isn't yet available). I think the advantages outweigh the disadvantages most of the time.

That said anything matching ownernames should be doing this case insensitively.

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
Re: BIND started replying to queries for .com with .COM
Phil Mayers wrote:
>
> What is considered the source of the ownername for, say, "com."?

It should be the root zone master file. However authoritative server implementations differ in whether they echo the query case or preserve the master case. e.g. a.root-servers.net (running Verisign ATLAS) echoes case, f.root-servers.net (running BIND) preserves case. k.root-servers.net is amusing because it runs a load balancer in front of BIND, Knot, and NSD; Knot and NSD echo case, so K-root's case handling behaviour is unpredictable.

Tony.
--
f.anthony.n.finch http://dotat.at/ - I xn--zr8h punycode
Southeast Iceland: Cyclonic, mainly easterly at first in west, 5 to 7, increasing gale 8 at times in west. Moderate or rough. Snow showers. Moderate, occasionally very poor.
Re: BIND started replying to queries for .com with .COM
Phil Mayers wrote:
> On 30/03/16 10:50, Tony Finch wrote:
> >
> > Yes, we encountered that problem recently :-) You can revert to the old
> > behaviour using
> >
> > no-case-compress { any; };
>
> +1 super confusing when we first ran into it (Exim dnslookup.c, by any
> chance? ;o)

Actually Nagios, and it sounds like Mike Bernhardt encountered it there as well. I'm now wondering why we haven't noticed a problem with Exim...

Tony.
--
f.anthony.n.finch http://dotat.at/ - I xn--zr8h punycode
Biscay, Southeast Fitzroy: Cyclonic becoming northerly or northwesterly, 5 to 7, occasionally gale 8 at first in southeast Fitzroy. Rough. Rain or showers. Good, occasionally poor.
Re: BIND started replying to queries for .com with .COM
On 30/03/2016 12:25, Mark Andrews wrote:
> The recent change was to record and return the learnt case of
> ownernames (to the RRset level) rather than use whatever was used
> to build the red-black tree names.

What is considered the source of the ownername for, say, "com."? One thing I saw when I was trying to understand this was the results of the following queries to a cold-cache bind process:

dig @localhost www.microsoft.CoM
dig @localhost www.google.com
dig @localhost www.google.com

I was surprised that #2 and #3 auth/add sections contain the .CoM label presumably built from #1, and also that #2 and #3 answer sections differ.

None of this is a problem, but I am curious and I couldn't figure it out from the code!
Re: BIND started replying to queries for .com with .COM
In message <56fbb385.5070...@imperial.ac.uk>, Phil Mayers writes:
> On 30/03/16 01:19, Mark Andrews wrote:
> >
> > Your monitoring probe is broken.
> >
> > STD 13 says that the DNS is case preserving. The problem is
> > that lots of servers aren't case preserving instead they echo back
> > the query case in the owner names of records returned which named
> > then records.
>
> Can I be clear on what you think would be the correct behaviour here?
>
> Presumably the question section should exactly match what the client
> sent always, bit-for-bit, so we're talking about the ans/auth/add
> sections - they should, in your reading of the standards, match the case
> of the on-disk authoritative data, not what the client sent, yes?

Yes.

> Am I correct in assuming that, by case-sensitively compressing labels
> for many years, bind has been doing the opposite (the label compression
> effectively throwing away the carefully case-preserved data)?

It was doing case insensitive compression. It now does case sensitive compression.

The rdata was fixed long ago when we went from 1 record per message in a zone transfer to many records as that resulted in rdata having different case than what was entered. AXFR/IXFR have been using case sensitive compression for over a decade now.

The recent change was to record and return the learnt case of ownernames (to the RRset level) rather than use whatever was used to build the red-black tree names.

Mark

> I'm curious why this has come to the fore now, if you're able to say?
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
Re: BIND started replying to queries for .com with .COM
On 30/03/16 01:19, Mark Andrews wrote:
> Your monitoring probe is broken.
>
> STD 13 says that the DNS is case preserving. The problem is
> that lots of servers aren't case preserving instead they echo back
> the query case in the owner names of records returned which named
> then records.

Can I be clear on what you think would be the correct behaviour here?

Presumably the question section should exactly match what the client sent always, bit-for-bit, so we're talking about the ans/auth/add sections - they should, in your reading of the standards, match the case of the on-disk authoritative data, not what the client sent, yes?

Am I correct in assuming that, by case-sensitively compressing labels for many years, bind has been doing the opposite (the label compression effectively throwing away the carefully case-preserved data)?

I'm curious why this has come to the fore now, if you're able to say?
Re: BIND started replying to queries for .com with .COM
On 30/03/16 10:50, Tony Finch wrote:
> Yes, we encountered that problem recently :-) You can revert to the old
> behaviour using
>
> no-case-compress { any; };

+1 super confusing when we first ran into it (Exim dnslookup.c, by any chance? ;o)

In detail, since I spent ages figuring this out:

Previously, bind would compress DNS labels in a reply case-insensitively. Bind *also* forces the case of the "question" section to be *exactly* the same as that sent by the client.

This means that, previously, anything in the ans/auth/add sections of a reply matching the query name or any suffix of it would effectively be forced to the case of the matching part of the query name i.e. what the client sent, not what the cache contains.

With the new case-sensitive compression, bind won't consider "example.com" and "example.COM" the same, so they won't be label-compressed and the mixed-case value starts appearing in replies (again to emphasise, only the ans/auth/add section - qname will match the client value exactly).

Standards aside, it's damn confusing to see ans/auth/add sections in a dig reply with crazy mixed case, triggered by some completely random previous client. I will have to rewrite that bit of my brain :o)
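The compression behaviour described in the message above, as an added example that is not part of the original thread and is not BIND's code: a simplified model of RFC 1035 name compression that builds a one-question, one-answer response in both modes and decodes the owner name as a client would see it. The function names, the message ID and the 192.0.2.1 address are constructed for illustration; same_name() is the case-insensitive comparison a monitoring probe should use.

```python
import struct

def encode_name(name, buf, table, case_sensitive):
    """Append name to buf, reusing earlier suffixes via compression pointers."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    for i, label in enumerate(labels):
        suffix = ".".join(labels[i:])
        key = suffix if case_sensitive else suffix.lower()
        if key in table:                       # suffix already in the message
            buf += struct.pack("!H", 0xC000 | table[key])
            return
        table[key] = len(buf)                  # remember where this suffix starts
        raw = label.encode("ascii")
        buf.append(len(raw))
        buf += raw
    buf.append(0)                              # root label terminates the name

def decode_name(msg, offset):
    """Return (name, offset just past the name), following pointers."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:              # compression pointer
            if end is None:
                end = offset + 2
            offset = ((length & 0x3F) << 8) | msg[offset + 1]
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", (end if end is not None else offset)

def build_response(qname, cached_owner, case_sensitive):
    """Constructed response: qname as the client sent it, one A record
    whose owner name has the case held in the resolver cache."""
    buf = bytearray(struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0))
    table = {}
    encode_name(qname, buf, table, case_sensitive)
    buf += struct.pack("!HH", 1, 1)            # QTYPE=A, QCLASS=IN
    encode_name(cached_owner, buf, table, case_sensitive)
    buf += struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    return bytes(buf)

def names_in(msg):
    """Return (question name, answer owner name) as the client decodes them."""
    qname, off = decode_name(msg, 12)          # 12-byte header precedes the question
    owner, _ = decode_name(msg, off + 4)       # skip QTYPE and QCLASS
    return qname, owner

def same_name(a, b):
    """Compare two (ASCII) DNS names case-insensitively."""
    return a.rstrip(".").lower() == b.rstrip(".").lower()

if __name__ == "__main__":
    for mode in (False, True):
        msg = build_response("google.com", "google.COM", case_sensitive=mode)
        q, owner = names_in(msg)
        print(f"case_sensitive={mode}: {len(msg)} bytes, question={q} "
              f"owner={owner} probe_match={same_name(q, owner)}")
```

With case-insensitive compression the owner name collapses to a pointer into the question and takes on the client's case; with case-sensitive compression it is written out in full with the cached case, which is what a case-sensitive probe then trips over.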
Re: BIND started replying to queries for .com with .COM
Mike Bernhardt wrote:
> I rebooted one of our BIND VMs this morning. It's running BIND 9.10.3-P3. We
> noticed that queries for domains with domain.com were answered with
> domain.COM with the .COM in capital letters. Other high-levels like .org
> were not changed. It caused a monitoring probe to complain because it wasn't
> getting back what it asked for.

Yes, we encountered that problem recently :-) You can revert to the old behaviour using

no-case-compress { any; };

Tony.
--
f.anthony.n.finch http://dotat.at/ - I xn--zr8h punycode
Viking: Southeasterly 4 veering northwesterly 5 to 7, perhaps gale 8 later in north. Moderate or rough. Wintry showers. Good, occasionally poor.
Re: BIND started replying to queries for .com with .COM
Your monitoring probe is broken.

STD 13 says that the DNS is case preserving. The problem is that lots of servers aren't case preserving instead they echo back the query case in the owner names of records returned which named then records.

In message <030101d18a06$fa21c8d0$ee655a70$@bart.gov>, "Mike Bernhardt" writes:
> I rebooted one of our BIND VMs this morning. It's running BIND 9.10.3-P3. We
> noticed that queries for domains with domain.com were answered with
> domain.COM with the .COM in capital letters. Other high-levels like .org
> were not changed. It caused a monitoring probe to complain because it wasn't
> getting back what it asked for.
>
> Restarting bind on this server fixed the problem. Any ideas on what
> happened, or where to look?
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org