Bug 209177 - Update usr/bin/host to the latest upstream version to fix IXFR/AXFR handling
Status: Closed FIXED
Alias: None
Product: Base System
Classification: Unclassified
Component: bin
Version: CURRENT
Hardware: Any Any
Importance: --- Affects Some People
Assignee: Dag-Erling Smørgrav
Reported: 2016-05-01 10:50 UTC by Vitaly Magerya
Modified: 2020-03-07 22:19 UTC
ngie: mfc-stable10?

ldns-host-0289cde234a0.diff (14.31 KB, patch)
2016-05-01 10:50 UTC, Vitaly Magerya
ldns-host-06347b1f76fe.diff (3.03 KB, patch)
2016-06-10 15:30 UTC, Vitaly Magerya

Description Vitaly Magerya 2016-05-01 10:50:57 UTC
Created attachment 169845

Current usr/bin/host (coming from contrib/ldns-host and [1]) has two problems with zone transfers:

1) IXFR queries are badly formed; for example:

    $ host -t ixfr x
    Using domain server:

    Host x not found: 1(FORMERR)

This FORMERR comes from the fact that 'host' adds two (instead of one) SOA records to its IXFR query packets; this started happening after contrib/ldns was updated to 1.6.17 due to changes in ldns (I can't tell you precisely which FreeBSD versions ship with ldns 1.6.17 though).

2) Both AXFR and IXFR queries do not support multi-packet responses: 'host' only prints the first response packet. In practice this means any zone transfer with zone sizes above 64kb will be silently truncated. While this problem is documented in the man page, it's still unpleasant and I received reports from people burned by it (they had to fix it by installing dns/bind-tools to revert to the old 'host').

The latest upstream version of ldns-host [2] has both these problems fixed, and I'm attaching a patch to update contrib/ldns-host to that. Ideally it should be eventually imported into both current and stable branches.

[1] https://tx97.net/ldns-host/
[2] https://hg.tx97.net/ldns-host/file/0289cde234a0
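
Problem 1 in wire-format terms, as an added example (not code from ldns-host or from this report): an IXFR query (RFC 1995) carries a single SOA record, holding the client's serial, in the authority section, so NSCOUNT is 1. The helper names, the query ID and the zeroed SOA fields other than the serial are choices made for this example.

```c
#include <stdint.h>
#include <string.h>

static size_t put16(uint8_t *b, size_t o, uint16_t v) { b[o] = (uint8_t)(v >> 8); b[o + 1] = (uint8_t)v; return o + 2; }
static size_t put32(uint8_t *b, size_t o, uint32_t v) { o = put16(b, o, (uint16_t)(v >> 16)); return put16(b, o, (uint16_t)v); }

/* Encode "a.b.c" as length-prefixed labels; returns new offset, 0 on error. */
static size_t put_name(uint8_t *b, size_t o, size_t cap, const char *name)
{
    while (*name) {
        size_t n = strcspn(name, ".");
        if (n == 0 || n > 63 || o + n + 2 > cap) return 0;
        b[o++] = (uint8_t)n;
        memcpy(b + o, name, n);
        o += n; name += n;
        if (*name == '.') name++;
    }
    if (o >= cap) return 0;
    b[o++] = 0;                       /* root label */
    return o;
}

/* IXFR query: one question plus ONE SOA (the client's serial) in authority. */
size_t build_ixfr_query(uint8_t *b, size_t cap, uint16_t id, const char *zone, uint32_t serial)
{
    size_t o;
    if (cap < 12) return 0;
    memset(b, 0, 12);                 /* flags, ANCOUNT, ARCOUNT stay 0 */
    put16(b, 0, id);
    put16(b, 4, 1);                   /* QDCOUNT = 1 */
    put16(b, 8, 1);                   /* NSCOUNT = 1, not 2 */
    o = put_name(b, 12, cap, zone);
    if (o == 0 || o + 38 > cap) return 0;
    o = put16(b, o, 251); o = put16(b, o, 1);  /* QTYPE = IXFR, QCLASS = IN */
    o = put16(b, o, 0xC00C);          /* owner: pointer to QNAME at offset 12 */
    o = put16(b, o, 6); o = put16(b, o, 1);    /* TYPE = SOA, CLASS = IN */
    o = put32(b, o, 0);               /* TTL */
    o = put16(b, o, 22);              /* RDLENGTH: 2 root names + 5 x 32 bits */
    b[o++] = 0; b[o++] = 0;           /* MNAME and RNAME left as root */
    o = put32(b, o, serial);
    for (int i = 0; i < 4; i++) o = put32(b, o, 0);  /* refresh .. minimum */
    return o;
}

int main(void)
{
    uint8_t pkt[512];                 /* constructed sample: zone and serial as used in this report */
    return build_ixfr_query(pkt, sizeof pkt, 0x1234, "zonetransfer.me", 2014101603u) == 67 ? 0 : 1;
}
```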
Comment 1 Enji Cooper freebsd_committer 2016-06-09 14:31:33 UTC
Taking bug for validation/port, as noted on hackers@.
Comment 2 commit-hook freebsd_committer 2016-06-09 20:40:56 UTC
A commit references this bug:

Author: des
Date: Thu Jun  9 20:40:12 UTC 2016
New revision: 301759
URL: https://svnweb.freebsd.org/changeset/base/301759

  Update to latest upstream version

  PR:		209177
  Reported by:	Vitaly Magerya
  MFC after:	1 week

_U  head/contrib/ldns-host/
Comment 3 Enji Cooper freebsd_committer 2016-06-09 20:42:18 UTC
des@ did the commit. Reassigning :).
Comment 4 Dag-Erling Smørgrav freebsd_committer 2016-06-09 21:28:18 UTC
Note that I still get FORMERR with your test case:

 % host -t ixfr x localhost 
 Using domain server:
 Name: localhost
 Host x not found: 1(FORMERR)
 ; Transfer failed.

(I expected NXDOMAIN)
Comment 5 Vitaly Magerya 2016-06-09 22:57:44 UTC
I'm not sure where that particular FORMERR comes from (what are
you running on your localhost?). An easy way to test the IXFR
changes would be this:

    host -t ixfr zonetransfer.me nsztm1.digi.ninja

The previous version showed FORMERR, the current one should show
a list of records.

(An alternative test method is to set up your own authoritative
server, which is what I alluded to with "host -t ixfr x localhost",
but that's less convenient given the existence of nsztm1.digi.ninja).

* * *

I just discovered an unfixed problem with ixfr queries in the
new code, namely:

    $ host -t ixfr=2014101603 zonetransfer.me nsztm1.digi.ninja
    Using domain server:
    Name: nsztm1.digi.ninja

    zonetransfer.me has SOA record nsztm1.digi.ninja. robin.digi.ninja. 2014101603 172800 900 1209600 3600
    ; Transfer failed.

Instead of "Transfer failed", host should recognize that this
response indicates "no new records since 2014101603". I don't
know why I didn't test this case until now.
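
An added example (not the ldns-host fix itself) of the end-of-transfer decision behind both the multi-packet problem in the description and the case in comment 5: records are read across every response message until the closing SOA, and a lone SOA whose serial is not newer than the one queried means there is nothing to transfer. Records are reduced to type and SOA serial and all names are assumptions of this example; it also handles the incremental IXFR layout of RFC 1995, which goes beyond the cases shown on this page.

```c
#include <stddef.h>
#include <stdint.h>

enum { RR_SOA = 6 };
enum xfr_result { XFR_INCOMPLETE, XFR_COMPLETE, XFR_UP_TO_DATE };
struct rr  { uint16_t type; uint32_t serial; };      /* serial is set for SOA only */
struct msg { const struct rr *answers; size_t n; };  /* one response message */

/* Classify a transfer from the answer records of ALL its messages, in order.
 * have_serial is the serial sent in the IXFR query (ignored for AXFR). */
enum xfr_result classify_transfer(const struct msg *msgs, size_t nmsgs,
                                  int is_ixfr, uint32_t have_serial)
{
    enum { AXFR_STYLE, DELETING, ADDING } phase = AXFR_STYLE;
    uint32_t first_serial = 0;
    size_t seen = 0;

    for (size_t m = 0; m < nmsgs; m++) {
        for (size_t i = 0; i < msgs[m].n; i++, seen++) {
            const struct rr *r = &msgs[m].answers[i];
            if (seen == 0) {                      /* a transfer opens with an SOA */
                if (r->type != RR_SOA) return XFR_INCOMPLETE;
                first_serial = r->serial;
            } else if (r->type != RR_SOA) {
                continue;                         /* ordinary record */
            } else if (seen == 1 && is_ixfr && r->serial != first_serial) {
                phase = DELETING;                 /* incremental form: old SOA */
            } else if (phase == DELETING) {
                phase = ADDING;                   /* SOA that opens the additions */
            } else if (r->serial == first_serial) {
                return XFR_COMPLETE;              /* closing SOA */
            } else if (phase == ADDING) {
                phase = DELETING;                 /* next difference sequence */
            } else {
                return XFR_INCOMPLETE;            /* full-zone stream, foreign SOA */
            }
        }
    }
    /* Lone SOA: compare serials with wrap-around (RFC 1982 style). */
    if (is_ixfr && seen == 1 && (int32_t)(first_serial - have_serial) <= 0)
        return XFR_UP_TO_DATE;
    return XFR_INCOMPLETE;                        /* ran out before the closing SOA */
}

int main(void)
{
    const struct rr soa = { RR_SOA, 2014101603u };   /* constructed: the reply in comment 5 */
    const struct msg reply = { &soa, 1 };
    return classify_transfer(&reply, 1, 1, 2014101603u) == XFR_UP_TO_DATE ? 0 : 1;
}
```

Passing only the first message of a two-message AXFR returns `XFR_INCOMPLETE`, which is the condition the old 'host' printed as if it were a finished transfer.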
Comment 6 Dag-Erling Smørgrav freebsd_committer 2016-06-09 23:09:09 UTC
Previous version on 10.3-p3:

% host -t ixfr zonetransfer.me nsztm1.digi.ninja
Using domain server:
Name: nsztm1.digi.ninja

Host zonetransfer.me not found: 9(NOTAUTH)
Comment 7 Vitaly Magerya 2016-06-10 08:57:09 UTC
Strange. I see a FORMERR on 10.1-RELEASE-p26 amd64, 11.0-CURRENT
i386 (built on 2015-01-11), and 10.3-RELEASE i386. Do you have a
DNS-redirecting firewall somewhere in your network maybe?

Whatever the case with the old one, the new one should work. Does it?
Comment 8 Dag-Erling Smørgrav freebsd_committer 2016-06-10 10:13:07 UTC
The new one (what's currently in 11.0) works as you described.  There is nothing on my network that intercepts DNS traffic; I have FTTH and my own router.
Comment 9 Vitaly Magerya 2016-06-10 15:30:43 UTC
Created attachment 171271

Hm. I'm out of ideas then. I guess the important part is that
the new version works, while the old one didn't.

* * *

While we're at it, would you commit an update to [1], which
fixes the problem from comment 5, or should I submit it separately?

[1] http://hg.tx97.net/ldns-host/rev/06347b1f76fe
Comment 10 commit-hook freebsd_committer 2016-07-13 18:27:01 UTC
A commit references this bug:

Author: des
Date: Wed Jul 13 18:26:05 UTC 2016
New revision: 302779
URL: https://svnweb.freebsd.org/changeset/base/302779

  merge upstream hg 06347b1f76fe (fix IXFR)

  PR:		209177
  MFC after:	3 days

_U  head/contrib/ldns-host/
Comment 11 commit-hook freebsd_committer 2016-07-14 06:10:51 UTC
A commit references this bug:

Author: ngie
Date: Thu Jul 14 06:10:16 UTC 2016
New revision: 302807
URL: https://svnweb.freebsd.org/changeset/base/302807

  Initialize first_serial to 0 in dozonetransfer(..) to fix -Wuninitialized

  MFC after: 3 days
  X-MFC with: r302779
  Pointyhat to: des
  PR: 209177
  Reported by: Jenkins (sparc64 job), gcc 4.2.1, gcc 5.3.0
  Sponsored by: EMC / Isilon Storage Division

Comment 12 commit-hook freebsd_committer 2018-03-07 11:03:13 UTC
A commit references this bug:

Author: eadler
Date: Wed Mar  7 11:03:01 UTC 2018
New revision: 330577
URL: https://svnweb.freebsd.org/changeset/base/330577

  MFC r302779,r302807:

  merge upstream hg 06347b1f76fe (fix IXFR)

  Initialize first_serial to 0 in dozonetransfer(..) to fix -Wuninitialized

  PR:	209177

_U  stable/11/
Comment 13 Oleksandr Tymoshenko freebsd_committer freebsd_triage 2019-01-21 18:48:56 UTC
There is a commit referencing this PR, but it's still not closed and has been inactive for some time. Closing the PR as fixed but feel free to re-open it if the issue hasn't been completely resolved.

Comment 14 commit-hook freebsd_committer 2020-03-07 22:19:28 UTC
A commit references this bug:

Author: rigoletto
Date: Sat Mar  7 22:18:28 UTC 2020
New revision: 527985
URL: https://svnweb.freebsd.org/changeset/ports/527985

  net/nxproxy: Update to

  PR:		209177
  Submitted by:	Michael Muenz <m.muenz@gmail.com>
  Approved by:	tcberner (mentor, implicit)