[rbldnsd] Option -d (Bind dump) and wildcards: a small problem
furio ercolessi
furio at spin.it
Sun Oct 10 14:16:32 MSD 2004
Small problem with -d dumps.
Let us consider the following (real) case, from SBL.
SBL contains the following records related to 222.65.0.0/16:
222.65.0.0/16 http://www.spamhaus.org/SBL/sbl.lasso?query=SBL19307
222.65.20.170/32 http://www.spamhaus.org/SBL/sbl.lasso?query=SBL19565
222.65.21.49/32 http://www.spamhaus.org/SBL/sbl.lasso?query=SBL18214
222.65.100.93/32 http://www.spamhaus.org/SBL/sbl.lasso?query=SBL18223
222.65.103.43/32 http://www.spamhaus.org/SBL/sbl.lasso?query=SBL19533
222.65.107.145/32 http://www.spamhaus.org/SBL/sbl.lasso?query=SBL17186
If we generate the Bind zone with -d, we get:
170.20.65.222 A 127.0.0.2
              TXT "http://www.spamhaus.org/SBL/sbl.lasso?query=SBL19565"
49.21.65.222 A 127.0.0.2
              TXT "http://www.spamhaus.org/SBL/sbl.lasso?query=SBL18214"
93.100.65.222 A 127.0.0.2
              TXT "http://www.spamhaus.org/SBL/sbl.lasso?query=SBL18223"
43.103.65.222 A 127.0.0.2
              TXT "http://www.spamhaus.org/SBL/sbl.lasso?query=SBL19533"
145.107.65.222 A 127.0.0.2
              TXT "http://www.spamhaus.org/SBL/sbl.lasso?query=SBL17186"
*.65.222 A 127.0.0.2
              TXT "http://www.spamhaus.org/SBL/sbl.lasso?query=SBL19307"
Now, this generates a difference in behavior between rbldnsd and Bind
when one queries an IP which is located in one of the five /24's
containing a /32 record, for instance 222.65.20.0: rbldnsd lists it
because it matches the wildcard, but Bind - when fed with the
rbldnsd-generated zone - does not.
The Bind behavior is conforming to RFC1034, section 4.3.3:
Wildcard RRs do not apply:
[...]
- When the query name or a name between the wildcard domain and
the query name is know to exist. For example, if a wildcard
RR has an owner name of "*.X", and the zone also contains RRs
attached to B.X, the wildcards would apply to queries for name
Z.X (presuming there is no explicit information for Z.X), but
not to B.X, A.B.X, or X.
So, the presence of 170.20.65.222.sbl.spamhaus.org (B="20",
X="65.222.sbl.spamhaus.org") kills the wildcard effect for, say,
0.20.65.222.sbl.spamhaus.org.
The outcome of this is that rbldnsd should in this case also generate
additional records like
*.20.65.222 A 127.0.0.2
              TXT "http://www.spamhaus.org/SBL/sbl.lasso?query=SBL19307"
to restore the wildcard coming from the /16 for the /24's.
Curiously, Bind 9 was buggy and did not conform to the RFC up to and
including 9.2.2, so these old Bind 9 servers behave like rbldnsd with the
above zone. The bug was fixed in 9.2.3; from the CHANGES file:
"1411. [bug] empty nodes should stop wildcard matches. [RT #4802]".
furio
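As an added illustration (not code from this post or from rbldnsd itself), the following Python models the mismatch described above: rbldnsd's longest-prefix lookup against Bind's RFC 1034 wildcard rule on a -d style zone, and the extra per-/24 wildcards the post proposes. The records are a constructed subset of the SBL entries quoted in the post (TXT values shortened to the SBL ids), and the dump emulation assumes octet-aligned prefixes.

```python
import ipaddress
# Constructed sample mirroring the SBL records quoted in the post; values are the SBL ids.
RECORDS = [("222.65.0.0/16", "SBL19307"), ("222.65.20.170/32", "SBL19565"),
           ("222.65.21.49/32", "SBL18214"), ("222.65.100.93/32", "SBL18223")]

def rbldnsd_lookup(records, ip):
    # rbldnsd semantics: the most specific CIDR block containing ip wins.
    addr = ipaddress.ip_address(ip)
    hits = [(ipaddress.ip_network(c).prefixlen, txt) for c, txt in records
            if addr in ipaddress.ip_network(c)]
    return max(hits)[1] if hits else None

def dump_zone(records):
    # Emulate the -d dump (reversed octets, "*." below /32); assumes octet-aligned prefixes.
    zone = {}
    for cidr, txt in records:
        net = ipaddress.ip_network(cidr)
        octets = str(net.network_address).split(".")[: net.prefixlen // 8]
        name = ".".join(reversed(octets))
        zone[name if net.prefixlen == 32 else "*." + name] = txt
    return zone

def bind_lookup(zone, ip):
    # RFC 1034 4.3.3: exact match, else only a wildcard at the closest existing encloser applies.
    qname = ".".join(reversed(ip.split(".")))
    if qname in zone:
        return zone[qname]
    nodes = set()
    for name in zone:  # every ancestor of an owner name exists as a node (empty non-terminal)
        labels = name.split(".")
        nodes.update(".".join(labels[i:]) for i in range(len(labels)))
    qlabels = qname.split(".")
    for i in range(1, len(qlabels)):
        if ".".join(qlabels[i:]) in nodes:  # closest encloser
            return zone.get("*." + ".".join(qlabels[i:]))  # None means NXDOMAIN
    return zone.get("*")

def add_missing_wildcards(zone):
    # The post's proposed fix: copy a wildcard down onto each empty node between it and a deeper name.
    fixed = dict(zone)
    for name in zone:
        labels = name.split(".")[1:] if name.startswith("*.") else name.split(".")
        ancestors = [".".join(labels[i:]) for i in range(1, len(labels))]
        for depth, anc in enumerate(ancestors):
            if "*." + anc in zone:  # nearest enclosing wildcard
                for between in ancestors[:depth]:
                    fixed.setdefault("*." + between, zone["*." + anc])
                break
    return fixed
```

Running `bind_lookup(dump_zone(RECORDS), "222.65.20.0")` returns None while `rbldnsd_lookup` returns the /16 entry; after `add_missing_wildcards` both agree.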