Bug 13781 - samba DC, internal dns backend, return NXDOMAIN for empty nonterminals
Summary: samba DC, internal dns backend, return NXDOMAIN for empty nonterminals
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: DNS server (internal)
Version: 4.9.4
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Kai Blin
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2019-02-08 20:40 UTC by Mathieu Parent
Modified: 2019-02-08 20:50 UTC (History)

See Also:


Attachments

Description Mathieu Parent 2019-02-08 20:40:12 UTC
samba domain controller with internal dns backend returns NXDOMAIN for empty nonterminals.
This breaks resolvers with qname minimisation (RFC 7816) enabled (such as unbound) because they will not attempt to resolve labels below such a domain name.

Example:

_kerberos._tcp.realm.name SRV

The resolver will send _tcp.realm.name, get back NXDOMAIN, and will not attempt to resolve the _kerberos._tcp.realm.name domain name. Turning off qname minimisation will resolve this issue but is only a workaround.

RFC 2136 seems to specify that empty nonterminals should return NOERROR and that's what the resolvers expect.

Originally reported in Debian: https://bugs.debian.org/920755 by Martin Kraus
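As an added illustration (not part of the bug report and not Samba code), a toy model of the interaction described above: an authoritative lookup that either answers empty non-terminals correctly or, like the reported server, returns NXDOMAIN for them, and a qname-minimising resolver walking down to the SRV record. The zone contents and the apex name realm.name are constructed for the example.

```python
# Constructed zone for the example; "realm.name" is the zone apex.
APEX = "realm.name"
ZONE = {
    "realm.name": {"SOA": ["ns1.realm.name. hostmaster.realm.name. 1 3600 600 86400 3600"]},
    "dc1.realm.name": {"A": ["192.0.2.10"]},
    "_kerberos._tcp.realm.name": {"SRV": ["0 100 88 dc1.realm.name."]},
}

def lookup(qname, qtype, buggy):
    """Authoritative answer for one query, as (rcode, records).
    A name with no records of its own but with names beneath it (here
    _tcp.realm.name) is an empty non-terminal: a correct server answers
    NOERROR with no records; the behaviour in this report (buggy=True)
    answers NXDOMAIN instead."""
    if qname in ZONE:
        return "NOERROR", ZONE[qname].get(qtype, [])
    is_empty_nonterminal = any(name.endswith("." + qname) for name in ZONE)
    if is_empty_nonterminal and not buggy:
        return "NOERROR", []
    return "NXDOMAIN", []

def resolve_minimised(qname, qtype, buggy):
    """Resolver doing qname minimisation (RFC 7816): starting one label
    below the apex, add a label per query (type NS for the intermediate
    names) and send the real qtype only for the full name.  An NXDOMAIN
    at any step ends the walk, because nothing can exist below that name."""
    labels = qname.split(".")
    start = len(labels) - len(APEX.split("."))   # number of labels below the apex
    if start <= 0:
        return lookup(qname, qtype, buggy)
    rcode, records = "NOERROR", []
    for i in range(start - 1, -1, -1):
        partial = ".".join(labels[i:])
        is_final = i == 0
        rcode, records = lookup(partial, qtype if is_final else "NS", buggy)
        if rcode == "NXDOMAIN":
            return "NXDOMAIN", []
    return rcode, records

def resolve_full(qname, qtype, buggy):
    """Resolver without minimisation: a single query for the full name."""
    return lookup(qname, qtype, buggy)

if __name__ == "__main__":
    name = "_kerberos._tcp.realm.name"
    for buggy in (False, True):
        print("server returns NXDOMAIN for empty non-terminals:", buggy)
        print("  minimising resolver:", resolve_minimised(name, "SRV", buggy))
        print("  full-name query:    ", resolve_full(name, "SRV", buggy))
```

With the buggy server the minimising resolver reports NXDOMAIN for the SRV name even though a direct query for the full name is answered, which is exactly the symptom of turning qname minimisation off being a workaround.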
Comment 1 Mathieu Parent 2019-02-08 20:50:14 UTC
Tentative patch (not tested):

diff --git a/source4/dns_server/dnsserver_common.c b/source4/dns_server/dnsserver_common.c
index cc24a6c1b52..df4b50f2639 100644
--- a/source4/dns_server/dnsserver_common.c
+++ b/source4/dns_server/dnsserver_common.c
@@ -48,7 +48,7 @@ uint8_t werr_to_dns_err(WERROR werr)
        } else if (W_ERROR_EQUAL(DNS_ERR(NAME_ERROR), werr)) {
                return DNS_RCODE_NXDOMAIN;
        } else if (W_ERROR_EQUAL(WERR_DNS_ERROR_NAME_DOES_NOT_EXIST, werr)) {
-               return DNS_RCODE_NXDOMAIN;
+               return DNS_RCODE_OK;
        } else if (W_ERROR_EQUAL(DNS_ERR(NOT_IMPLEMENTED), werr)) {
                return DNS_RCODE_NOTIMP;
        } else if (W_ERROR_EQUAL(DNS_ERR(REFUSED), werr)) {
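Review bot: mapping WERR_DNS_ERROR_NAME_DOES_NOT_EXIST to DNS_RCODE_OK unconditionally in werr_to_dns_err() also turns queries for names that genuinely do not exist into NOERROR answers, because after this hunk no branch returns NXDOMAIN for that error any more. An empty non-terminal can only be told apart from a real miss where the lookup runs, by checking whether any name exists beneath the queried name, so the fix belongs at that point (returning an empty NOERROR answer only for such names) rather than in the error-code translation. Since the comment says the patch is untested, a test querying an intermediate name such as _tcp.realm.name alongside an unrelated nonexistent name would cover both outcomes.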