Sign zone escapes semicolon for RR 257 (CAA) and RR 256 (URI)
Dion Bosschieter
dionbosschieter at gmail.com
Wed May 10 10:01:57 UTC 2017
Hi,
Whenever I try to sign a zone (using dnssec-signzone) with a CAA
record in it that has a semicolon in the value part of the RDATA like
the following RDATA:
0 issue ";"
Bind escapes the semicolon so the signed zonefile will have the
following RDATA for the same CAA record:
0 issue "\;"
Even though a semicolon should not be escaped when it is inside a
quoted string, like in the example (reference: <character-string>
https://tools.ietf.org/html/rfc1035#page-35).
<character-string> is expressed in one or two ways: as a contiguous set
of characters without interior spaces, or as a string beginning with a "
and ending with a ". Inside a " delimited string any character can
occur, except for a " itself, which must be quoted using \ (back slash).
I found out that this happens in the multitxt_totext function in file
rdata.c as it matches a semicolon and escapes it.
But this function always returns a quoted string, so the code should
actually not escape a semicolon. The function multitxt_totext is only
used in caa_257.c and uri_256.c.
I applied the following patch which solves the issue:
--- lib/dns/rdata.c.orig 2017-05-05 15:42:22.943088646 +0200
+++ lib/dns/rdata.c 2017-05-05 15:42:26.466428703 +0200
@@ -1577,8 +1577,8 @@
tl -= 4;
continue;
}
- /* double quote, semi-colon, backslash */
- if (*sp == 0x22 || *sp == 0x3b || *sp == 0x5c) {
+ /* double quote, backslash */
+ if (*sp == 0x22 || *sp == 0x5c) {
if (tl < 2)
return (ISC_R_NOSPACE);
*tp++ = '\\';
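Review bot: the hunk only narrows the escape set in the totext path, so two things need confirming before this is merged: that the matching fromtext code still accepts the escaped form `"\;"` (zone files already produced by earlier dnssec-signzone runs contain `0 issue "\;"` and must keep loading), and that multitxt_totext is never reached on a path that emits an unquoted string, because a bare `;` outside quotes starts a comment when the zone is read back.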
I was wondering if I was correct in my assumption and if my patch is
indeed the right solution.
If this is indeed the right solution I hope this patch could be
applied upstream.
--
Have a great day,
Dion Bosschieter
dionbosschieter at gmail.com
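The quoted-string rule discussed above, as an added C example that is not BIND's code: a hypothetical quoted_totext/caa_totext pair that escapes only the double quote and backslash inside the quotes, writes non-printable bytes as \DDD, and leaves a semicolon literal (the behaviour the patch aims for).

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not BIND's multitxt_totext): render bytes as an
 * RFC 1035 quoted <character-string>. Inside the quotes only '"' and '\\'
 * take a backslash; ';' is literal. Bytes outside 0x20..0x7e are written
 * as \DDD. Returns bytes written (without the NUL), or -1 on no space. */
int quoted_totext(const unsigned char *src, size_t len, char *out, size_t outlen)
{
    size_t n = 0;
    if (outlen < 3)                 /* opening quote, closing quote, NUL */
        return -1;
    out[n++] = '"';
    for (size_t i = 0; i < len; i++) {
        unsigned char c = src[i];
        if (c < 0x20 || c > 0x7e) {  /* non-printable: \DDD, keep room for '"' + NUL */
            if (outlen - n < 6)
                return -1;
            n += (size_t)snprintf(out + n, outlen - n, "\\%03u", (unsigned)c);
            continue;
        }
        if (c == '"' || c == '\\') { /* the only characters escaped inside quotes */
            if (outlen - n < 4)
                return -1;
            out[n++] = '\\';
        }
        if (outlen - n < 3)
            return -1;
        out[n++] = (char)c;          /* ';' falls through here unescaped */
    }
    out[n++] = '"';
    out[n] = '\0';
    return (int)n;
}

/* Hypothetical CAA presentation: "<flags> <tag> <quoted value>". */
int caa_totext(unsigned flags, const char *tag, const char *value,
               char *out, size_t outlen)
{
    int k = snprintf(out, outlen, "%u %s ", flags, tag);
    if (k < 0 || (size_t)k >= outlen)
        return -1;
    int q = quoted_totext((const unsigned char *)value, strlen(value),
                          out + k, outlen - (size_t)k);
    return q < 0 ? -1 : k + q;
}

int main(void)
{
    char buf[64];                    /* constructed sample: the record from the mail */
    if (caa_totext(0, "issue", ";", buf, sizeof buf) > 0)
        puts(buf);                   /* 0 issue ";" */
    return 0;
}
```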