Bug #95034 for Net-DNS-SEC: Net::DNS::SEC incorrectly decodes (from text) an NSEC3PARAM record with null salt

Fri Apr 25 05:34:45 2014 Anthony.Kirby [...] nominet.org.uk - Ticket created

Subject:	Net::DNS::SEC incorrectly decodes (from text) an NSEC3PARAM record with null salt
Date:	Fri, 25 Apr 2014 09:34:33 +0000
To:	"bug-Net-DNS-SEC [...] rt.cpan.org" <bug-Net-DNS-SEC [...] rt.cpan.org>
From:	Anthony Kirby <Anthony.Kirby [...] nominet.org.uk>

I believe I've found a bug in Net::DNS::SEC's handling of NSEC3PARAM records which have null salt. When initialised from text, the null salt (which is specified as "-" in text format) gets (un)packed to saltbin as if it were valid hex, which produces a non-null & hence bogus salt when serialised to wire format. (I imagine that if some versions of Perl have a pickier implementation of pack(), new_from_text might instead just fail & return an undef instead) The fix is to check for the text "-" and infer null salt. I've attached a patch for NSEC3PARAM.pm & an updated test 12-nsec++.t which reproduces the issue. Environment: Net::DNS 0.74 Net::DNS::SEC 0.17 Perl 5.10.1 Linux - RHEL 6, Ubuntu 10.4 many thanks Anthony

Message body is not shown because sender requested not to inline it.

Sat Apr 26 08:21:38 2014 rwfranks [...] acm.org - Correspondence added

From:

rwfranks [...] acm.org

On Fri Apr 25 05:34:45 2014, Anthony.Kirby@nominet.org.uk wrote: Show quoted text

> I believe I've found a bug in Net::DNS::SEC's handling of NSEC3PARAM > records which have null salt.

Thanks, this will be fixed in 0.18 Note that the "-" placeholder only appears in the output from $nsec3param->string() and $nsec3param->print(). $nsec3param->salt() should return (and accept) a null string.

Sat Apr 26 08:21:39 2014 The RT System itself - Status changed from 'new' to 'open'

Mon Apr 28 04:55:38 2014 Anthony.Kirby [...] nominet.org.uk - Correspondence added

Subject:	RE: [rt.cpan.org #95034] Net::DNS::SEC incorrectly decodes (from text) an NSEC3PARAM record with null salt
Date:	Mon, 28 Apr 2014 08:55:21 +0000
To:	"'bug-Net-DNS-SEC [...] rt.cpan.org'" <bug-Net-DNS-SEC [...] rt.cpan.org>
From:	Anthony Kirby <Anthony.Kirby [...] nominet.org.uk>

Show quoted text

> Thanks, this will be fixed in 0.18

Marvellous - thank you! Show quoted text

> Note that the "-" placeholder only appears in the output from > $nsec3param->string() and $nsec3param->print(). > > $nsec3param->salt() should return (and accept) a null string.

True. Although In my use case, creating a dynamic update (Net::DNS::Update), the input is via new_from_text & I couldn't see a non-hacky alternative. Since I opened this, I see that 0.18 looks like a rewrite, so maybe the patch has little value; hopefully the test is still useful. While I think of it, when looking at the (old) source it looked like there was a an issue with calculation of saltbin; if $nsec3param->salt() was changed, saltbin wouldn't always be recalculated. I guess there's no point worrying about that now, but When you've got pre-release code for 0.18 I'm happy to have a look at it. Or would it be more helpful if I submit a ticket with tests that reproduce it? thanks Anthony

Wed Apr 30 10:43:53 2014 NLNETLABS [...] cpan.org - Correspondence added

On Mon 28 Apr 2014 04:55:38, Anthony.Kirby@nominet.org.uk wrote: Show quoted text

> While I think of it, when looking at the (old) source it looked like > there was a an issue with calculation of saltbin; if $nsec3param-

> >salt() was changed, saltbin wouldn't always be recalculated. I guess

> there's no point worrying about that now, but When you've got pre- > release code for 0.18 I'm happy to have a look at it.

Thank you Anthony, We do have a pre release now: http://www.net-dns.org/download/Net-DNS-SEC-0.17_5.tar.gz . We would very much appreciate if you would have a look and report back on any issues. I'll close this ticket now as the original issue is resolved. Regards, -- Willem

Wed Apr 30 10:43:54 2014 NLNETLABS [...] cpan.org - Status changed from 'open' to 'resolved'