Hi,
I found a reproducible seg fault with a DNSSEC signed zone and overlapping config. I’m running NSD 4.10.1. Here’s how to reproduce.
2 zones in nsd.conf:
zone:
    name: "foo.com."
    zonefile: "/zones/foo.com.zone.signed"
zone:
    name: "bar.foo.com."
    zonefile: "/zones/bar.foo.com.zone"
Zone files:
foo.com.zone.signed is DNSSEC signed with a record for a.bar (A record or anything)
bar.foo.com.zone doesn’t exist (but it’s in nsd.conf shown above)
Steps:
- Start up NSD
- touch foo.com.zone.signed
- reload NSD
nsd.log will say:
[2024-10-02 07:19:58.691] nsd[962739]: info: control cmd: reload
[2024-10-02 07:19:58.845] nsd[962752]: error: handle_reload_cmd: reload closed cmd channel
[2024-10-02 07:19:58.845] nsd[962752]: warning: Reload process 962740 failed, continuing with old database
core dump says SIGSEGV in rbtree_find_less_equal
Chris LaVallee
Edgio (formerly EdgeCast Networks)
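The trigger reported above is a configuration slip (a zone: block for a name below another configured zone, with no zonefile and with parent data underneath that name) that can be caught before the reload is issued. The following is an added example, not NSD's own code and not something from this thread; the nsd.conf fragment and the zone data it embeds are constructed to mirror the report, the in-memory file map stands in for reading /zones from disk so it runs offline, and `audit()`, `parse_zones()` and `owner_names()` are names chosen here. It flags three things a practitioner would want to know before `nsd-control reload`: a configured zonefile that does not exist, a configured child zone with no delegation at its apex in the parent, and parent records below the child apex (occluded names, the `a.bar` record in the report).

```python
import re

# Constructed nsd.conf fragment mirroring the report (straight quotes, nsd.conf style).
NSD_CONF = """\
zone:
    name: "foo.com."
    zonefile: "/zones/foo.com.zone.signed"
zone:
    name: "bar.foo.com."
    zonefile: "/zones/bar.foo.com.zone"
"""

# Constructed zone data keyed by path, standing in for files on disk so the example
# runs offline. Only the parent exists, and it carries a name below bar.foo.com.
ZONE_FILES = {
    "/zones/foo.com.zone.signed": """\
$TTL 300
foo.com.        IN SOA ns1.foo.com. hostmaster.foo.com. (
                    2024100201 3600 900 1209600 300 )
foo.com.        IN NS  ns1.foo.com.
ns1.foo.com.    IN A   192.0.2.1
a.bar           IN NS  ns.somewhere.net.
""",
}

ZONE_KEY = re.compile(r'^\s*(name|zonefile):\s*"?([^"\s]+)"?')


def canonical(name, origin=None):
    """Lower-case, fully qualified form with trailing dot; '@' and relative names use origin."""
    name = name.lower()
    if name == "@":
        return origin
    if not name.endswith("."):
        name = f"{name}.{origin}"
    return name


def is_below(name, ancestor):
    return name != ancestor and name.endswith("." + ancestor)


def parse_zones(conf_text):
    """Return [(zone name, zonefile path)] for each zone: block in an nsd.conf fragment."""
    zones, current = [], None
    for line in conf_text.splitlines():
        if line.strip() == "zone:":
            current = {}
            zones.append(current)
            continue
        m = ZONE_KEY.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
    return [(canonical(z["name"]), z["zonefile"]) for z in zones if "name" in z and "zonefile" in z]


def owner_names(zone_text, origin):
    """Owner names of the records in a zone file. Continuation lines (leading
    whitespace, as inside a parenthesised SOA), comments and $ directives are
    skipped; relative names are taken relative to the zone name (assumption:
    no $ORIGIN changes inside the file)."""
    names = set()
    for line in zone_text.splitlines():
        if not line.strip() or line[0] in " \t;$":
            continue
        names.add(canonical(line.split()[0], origin))
    return names


def audit(conf_text, files):
    """Pre-reload findings: a configured zonefile that is absent, a child zone with
    no delegation at its apex in the configured parent, and parent data below a
    child apex (occluded names, as in the report)."""
    zones = parse_zones(conf_text)
    findings = []
    for name, path in zones:
        if path not in files:
            findings.append(("missing_zonefile", name, path))
    for child, _ in zones:
        for parent, parent_path in zones:
            if not is_below(child, parent) or parent_path not in files:
                continue
            names = owner_names(files[parent_path], parent)
            if child not in names:
                findings.append(("no_delegation", child, parent))
            occluded = sorted(n for n in names if is_below(n, child))
            if occluded:
                findings.append(("occluded_names", child, parent, occluded))
    return findings


if __name__ == "__main__":
    for finding in audit(NSD_CONF, ZONE_FILES):
        print(*finding)
```

Run against the constructed input it reports all three findings for bar.foo.com.; in practice the file map would be built from the paths in nsd.conf. The zone parser is deliberately minimal (no $ORIGIN or $INCLUDE handling), so a zone that uses those needs a real zone parser in its place.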
Hi Chris,
Thanks for reporting! I'll look into this.
- Jeroen
Hi Chris,
I'm having trouble trying to reproduce the issue locally.
Like you I configure two zones.
zone:
name: example.com.
zonefile: example.com.zone.signed
zone:
name: bar.example.com.
zonefile: bar.example.com.zone
The file bar.example.com.zone does not exist. After touching and
reloading the signed zone, no segfault occurs. I've tried with and
without the "--disable-radix-tree" configure option (as the error
occurs in the rbtree). I've also tried with example.com. being an NSEC
and NSEC3 zone.
Can you provide some more details?
Best regards,
Jeroen
Hi Jeroen,
Attached is the zone I used. Did you add the record for a.bar ?
Ex:
a.bar 300 IN NS ns.somewhere.net.
Chris
(attachments)
foo.com.zone.signed.txt (4.67 KB)
Hi Chris,
I can reproduce with your zone. Thanks!
Best,
Jeroen
Hi Chris,
I've properly started looking into this yesterday. NSD definitely
shouldn't crash, still working on that.
However, the provided zone is invalid too(?) I'm not the foremost
expert on NSEC3 (or even DNSSEC), but it seems an NSEC3 is missing for
bar.foo.com. Empty non-terminals should still have an NSEC3 RR.
(Of course, the delegation point should be at bar.foo.com. too and
a.bar.foo.com. is an occluded name and this situation is purely
hypothetical).
I used the attached zone file as the input, along with the following
commands, to generate the signed zone:
ldns-keygen -a 13 -k foo.com
dnssec-signzone -3 AA61D5A398769C09 -H 0 -S -A -z -o foo.com. foo.com.zone Kfoo.com.+013+58636
Doesn't get me exactly the same thing, but good enough to get the
same segfault.
- Jeroen
(attachments)
foo.com.zone (291 Bytes)
Hi Jeroen,
In the case that triggered this crash for us, someone typo-ed nsd.conf by adding the zone “bar.foo.com” (which didn’t exist). They meant to add a different zone name.
Chris
Hi Chris,
I've merged the commit that resolves the issue
(https://github.com/NLnetLabs/nsd/pull/389). The next release will
include it. Thanks again for reporting.
Also, a statement in my previous response was incorrect.
RFC 5155 says:
Each empty non-terminal MUST have a corresponding NSEC3 RR, unless the
empty non-terminal is only derived from an insecure delegation covered
by an Opt-Out NSEC3 RR.
Best regards,
Jeroen
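Jeroen's correction turns on the Opt-Out exception in the RFC 5155 text he quotes. The following added example (not NSD's code and not from anyone in the thread) computes NSEC3 owner hashes as RFC 5155 section 5 specifies and reports which names still lack an NSEC3, exempting insecure delegations, and the empty non-terminals that exist only because of them, when Opt-Out is in use. It is checked against the well-known vector from RFC 5155 Appendix A (zone `example.`, salt aabbccdd, 12 iterations) and then run on a constructed version of the reported zone using the salt and zero iterations from the dnssec-signzone command earlier in the thread; `thread_scenario`, `missing_nsec3` and the other function names are chosen here, and `owner_names` is assumed to hold authoritative names only (no glue). With `a.bar` as an A record a signer must emit an NSEC3 for bar.foo.com.; with `a.bar` as an NS delegation and the zone signed with -A (Opt-Out, as in Jeroen's command) it need not.

```python
import base64
import hashlib

# base32 -> base32hex alphabet remap (RFC 4648); SHA-1 is 160 bits, so no '=' padding.
_B32_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                               "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def canonical(name):
    name = name.lower()
    return name if name.endswith(".") else name + "."


def wire_name(name):
    """Canonical wire format: length-prefixed lower-case labels, zero-terminated."""
    out = bytearray()
    for label in canonical(name).rstrip(".").split("."):
        if label:
            out.append(len(label))
            out += label.encode("ascii")
    out.append(0)
    return bytes(out)


def nsec3_hash(name, salt_hex, iterations):
    """RFC 5155 s.5: IH(salt,x,0) = H(x||salt); IH(salt,x,k) = H(IH(salt,x,k-1)||salt)."""
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(_B32_TO_B32HEX).lower()


def is_below(name, ancestor):
    n, a = canonical(name), canonical(ancestor)
    if a == ".":
        return n != "."
    return n != a and n.endswith("." + a)


def empty_non_terminals(names, apex):
    """Names strictly between the apex and an owner name that own no records themselves."""
    present = {canonical(n) for n in names}
    ents = set()
    for name in present:
        labels = name.split(".")
        for i in range(1, len(labels)):
            ancestor = ".".join(labels[i:])
            if not is_below(ancestor, apex):
                break
            if ancestor not in present:
                ents.add(ancestor)
    return ents


def required_nsec3_names(owner_names, apex, insecure_delegations=(), opt_out=False):
    """Names that must own an NSEC3 RR. Without Opt-Out: every authoritative name
    and every empty non-terminal. With Opt-Out: insecure delegations are exempt,
    and so are empty non-terminals that exist only because of them (they are
    dropped before the ENTs are derived, which is exactly the quoted RFC rule)."""
    contributing = {canonical(n) for n in owner_names}
    if opt_out:
        exempt = {canonical(d) for d in insecure_delegations}
        contributing = {n for n in contributing if n not in exempt}
    return contributing | empty_non_terminals(contributing, apex)


def missing_nsec3(owner_names, nsec3_owner_labels, apex, salt_hex, iterations,
                  insecure_delegations=(), opt_out=False):
    """Required names whose hash label is absent from the zone's NSEC3 owner labels."""
    have = {label.lower() for label in nsec3_owner_labels}
    required = required_nsec3_names(owner_names, apex, insecure_delegations, opt_out)
    return sorted(n for n in required if nsec3_hash(n, salt_hex, iterations) not in have)


# Constructed scenario mirroring the thread: foo.com. signed with the salt and
# zero iterations from the dnssec-signzone command above; a.bar.foo.com. is either
# ordinary data (Chris's "A record or anything") or an NS delegation.
SALT, ITERATIONS = "AA61D5A398769C09", 0


def thread_scenario(a_bar_is_delegation, opt_out):
    owners = ["foo.com.", "a.bar.foo.com."]
    # What a signer that never emits an NSEC3 for the ENT bar.foo.com. would produce
    # (and, under Opt-Out, none for the insecure delegation either).
    signed = {n for n in owners
              if not (opt_out and a_bar_is_delegation and n == "a.bar.foo.com.")}
    nsec3_owners = {nsec3_hash(n, SALT, ITERATIONS) for n in signed}
    delegations = ["a.bar.foo.com."] if a_bar_is_delegation else []
    return missing_nsec3(owners, nsec3_owners, "foo.com.", SALT, ITERATIONS,
                         delegations, opt_out)


if __name__ == "__main__":
    print("RFC 5155 A.1 example. ->", nsec3_hash("example.", "aabbccdd", 12))
    print("A record, Opt-Out     :", thread_scenario(False, True))
    print("NS record, no Opt-Out :", thread_scenario(True, False))
    print("NS record, Opt-Out    :", thread_scenario(True, True))
```

The check only looks at NSEC3 coverage; it does not validate RRSIGs, DS records or the NSEC3 chain order, so a zone that passes it still needs a full validator (ldns-verify-zone or equivalent) before it is served. To run it on a real signed zone, feed it the authoritative owner names, the hash labels of the NSEC3 RRs, and the salt and iteration count from the zone's NSEC3PARAM.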