Package: dnssec-tools
Version: 1.11-1
Severity: normal
Tags: patch

The ordering function is broken in two ways.

  * Firstly, there's a typo: it compares two labels from the same name,
    rather than the two different names.

  * Secondly, there's a more subtle bug when one of the names is a
    prefix of the other: the index $i is then greater than the number of
    labels in the shorter name, and the quantity $#dnameN-$i is
    therefore -1 -- so Perl picks out the final label to compare.

The result of this is that the `nsec_check' feature reports a great many
spurious errors for perfectly valid zone files (and, presumably, would
be silent given a zone which was broken in exactly the right way).


--- /usr/share/dnssec-tools/donuts/rules/nsec_check.rules.txt   2011-10-19 
08:46:09.000000000 +0100
+++ /tmp/mdw/donuts/nsec_check.rules.txt        2011-12-06 23:46:55.000000000 
+0000
@@ -78,10 +78,12 @@
        my $i = 0;
        while ($i <= $#dname1 &&
                $i <= $#dname2 &&
-              $dname1[$#dname1-$i] eq $dname1[$#dname2-$i]) {
+              $dname1[$#dname1-$i] eq $dname2[$#dname2-$i]) {
            $i++;
        }
 
+       $i > $#dname1 and return -1;
+       $i > $#dname2 and return +1;
 #      print "comparing: $dname1[$#dname1-$i] cmp $dname2[$#dname2-$i]\n";
 #      print "       $i: " . join(".",@dname1) . " and " . join(".",@dname2) . 
"\n";
        return $dname1[$#dname1-$i] cmp $dname2[$#dname2-$i]
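
Review bot: the two added early returns give -1 when both names are identical, because the loop then runs off the end of both arrays and the first test, `$i > $#dname1`, fires before the second is considered. A comparison function should return 0 for equal names, so handle that case first, or fold both tests into one line such as `return $#dname1 <=> $#dname2 if $i > $#dname1 || $i > $#dname2;`, which yields -1, 0 or +1 as appropriate. A short comment stating that a name which is a proper suffix of the other sorts first would also help the next reader, since it explains why the negative-index fall-through must never be reached.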

-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.39-2-686-pae (SMP w/1 CPU core)
Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages dnssec-tools depends on:
ii  bind9utils           1:9.7.3.dfsg-1+b1
ii  libmailtools-perl    2.08-1           
ii  libnet-dns-perl      0.66-2+b2        
ii  libnet-dns-sec-perl  0.16-2           
ii  libtimedate-perl     1.2000-1         
ii  perl                 5.14.2-5         

Versions of packages dnssec-tools recommends:
ii  bind9  1:9.7.3.dfsg-1+b1

dnssec-tools suggests no packages.

-- no debconf information

-- debsums errors found:
dpkg-query: warning: parsing file '/var/lib/dpkg/status' near line 1566 package 
'anag':
 missing architecture
dpkg-query: warning: parsing file '/var/lib/dpkg/status' near line 29718 
package 'priv':
 missing architecture


