VyOS Platform

DNS forwarding: problem with loading the root zone into the cache
Open, Low, Public, BUG

Description

https://github.com/vyos/vyos-1x/pull/3896#issuecomment-2481827795

When I try to add the root zone "." as per https://docs.powerdns.com/recursor/lua-config/ztc.html#example
I get the node.tag autocompletion.

vyos@vyos# set service dns forwarding zone-cache . 
Possible completions:
 > node.tag             Load a zone into the recursor cache

Then /run/pdns-recursor/recursor.conf.lua ends up being:

zoneToCache("node.tag", "url", "https://www.internic.net/domain/root.zone", { dnssec = "validate", zonemd = "validate", maxReceivedMBytes = 0, retryOnErrorPeriod = 60, refreshPeriod = 86400, timeout = 20 })

Details

Version
-
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Bug (incorrect behavior)

Event Timeline

HollyGurza changed the subtype of this task from "Task" to "Bug".
HollyGurza updated the task description. (Show Details)

I am also affected by this issue. I think the use case of caching the root zone should be the most common one for the zone-to-cache feature.

The problem is on this line: https://github.com/vyos/vyos-1x/blame/041b990ae1662b4ac7fe2fc4b62e1f624f5d6c9a/interface-definitions/service_dns_forwarding.xml.in#L804
It uses the "fqdn" validator for the zone name, which uses this regex: '[A-Za-z0-9][-.A-Za-z0-9]*'. Unfortunately it does not allow a dot to stand alone.

I think the way forward should be to modify the "fqdn" validator to correctly validate relative and absolute FQDNs and also allow '.' to stand alone, as '.' is the correct FQDN for the root zone itself.

Is anyone aware of possible side effects when this would be corrected?

Also, there are some other restrictions missing from that validator (labels not longer than 63 octets, FQDN not longer than 255 characters, no hyphen allowed at the start or end of a label) which probably should be added; however, they are not relevant to this case.

Edit: on reflection, fqdn is not the right validator. There should be one for zone names, because we should also allow .net or .example.net, as well as .net. and .example.net.; however, these are not FQDNs, as they are missing a leftmost label.
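As an added illustration (not code from vyos-1x, from the reporter or from the commenter), the following Python sketch puts the regex quoted in the comment above next to a zone-name validator of the kind the comment proposes: it accepts "." on its own, relative names and absolute names with a trailing dot, and enforces the label-length, total-length and hyphen rules listed. A second helper renders the zoneToCache() line in the shape shown in the description, so one can see that "." would reach the Lua config unchanged instead of "node.tag". The function names, the 255-octet wire-length interpretation of the length limit and the option defaults are assumptions; the leading-dot forms mentioned in the edit (.net, .example.net) are rejected by this sketch, and whether to accept them is left open as in the comment.

```python
import re

# Regex of the existing "fqdn" validator, as quoted in the comment above.
CURRENT_FQDN_RE = re.compile(r'[A-Za-z0-9][-.A-Za-z0-9]*')

# One DNS label: 1..63 octets of letters, digits and hyphens,
# no hyphen at the start or end.
LABEL_RE = re.compile(r'[A-Za-z0-9](?:[-A-Za-z0-9]{0,61}[A-Za-z0-9])?')

# Option table copied from the rendered recursor.conf.lua in the description
# (assumed defaults for this sketch).
ZTC_DEFAULTS = {
    'dnssec': '"validate"',
    'zonemd': '"validate"',
    'maxReceivedMBytes': '0',
    'retryOnErrorPeriod': '60',
    'refreshPeriod': '86400',
    'timeout': '20',
}


def current_fqdn_validator(name: str) -> bool:
    """Behaviour of the existing regex: a lone '.' does not match."""
    return CURRENT_FQDN_RE.fullmatch(name) is not None


def is_valid_zone_name(name: str) -> bool:
    """Hypothetical zone-name validator.

    Accepts '.', relative names ('example.net') and absolute names
    ('example.net.'). Rejects empty labels (so '.net' and 'a..b' fail),
    labels longer than 63 octets, labels starting or ending with '-',
    and names whose wire-format length would exceed 255 octets.
    """
    if name == '.':
        return True
    if not name:
        return False
    relative = name[:-1] if name.endswith('.') else name
    labels = relative.split('.')
    # Every label must be non-empty and match LABEL_RE; this also covers
    # the 63-octet limit and the leading/trailing hyphen rule.
    if any(LABEL_RE.fullmatch(label) is None for label in labels):
        return False
    # Wire format: each label is a length octet plus its bytes, then the
    # zero-length root label; the whole name may not exceed 255 octets.
    wire_length = sum(len(label) + 1 for label in labels) + 1
    return wire_length <= 255


def render_zone_to_cache(zone: str, url: str) -> str:
    """Render the zoneToCache() line in the form the description shows.

    Raises ValueError for a zone name the validator rejects, so the root
    zone '.' is rendered as "." and never as a placeholder like "node.tag".
    """
    if not is_valid_zone_name(zone):
        raise ValueError(f'invalid zone name: {zone!r}')
    options = ', '.join(f'{key} = {value}' for key, value in ZTC_DEFAULTS.items())
    return f'zoneToCache("{zone}", "url", "{url}", {{ {options} }})'


if __name__ == '__main__':
    root_url = 'https://www.internic.net/domain/root.zone'
    print('current regex accepts ".":', current_fqdn_validator('.'))
    print('zone validator accepts ".":', is_valid_zone_name('.'))
    print(render_zone_to_cache('.', root_url))
```

Running the block prints the two validator results for "." followed by the rendered zoneToCache line with "." as the first argument.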