[RPZ] RPZ / bind load bug?

Shumon Huque shuque at upenn.edu
Wed May 29 18:31:26 UTC 2013


On Wed, May 29, 2013 at 01:42:58AM +0000, Francis Turner wrote:
> I'm not positive that this is a bug - or if it is that it is an RPZ bug per se - but we're seeing bind load errors when we try to create RPZ zones with certain domains in them. I'd appreciate anyone ideas on what we can to do stop this (beyond not loading these kinds of domain - which is possible but does kind of defeat the object of the exercise...)
> 
> The domains look like this (they are phishing domians)
> 
> paypal.com.uk.cmd.cgi-bin.4c6da88992553d0d43ff7d8dbe19c1133279c9a98f445fff9e2de3dd9a35cd.535125ee83828ec61a1888291c588fd9dc096297a1e972d037a14b15663498.806a02ea02f2846dd2aee0300a20dfe587e5ed4f8d3fdc281cb36a171f0178.umedial.de
> 
> And the error we get when loading them is
> 
> May 27 01:04:14 rpz named[29830]: general: error: dns_master_load: /srv/www/bind/rpz/includes/desktop.rpz.threatstop.local.include.txt:4787: ran out of space
> 
> The actual FQDN including the RPZ header is 253 bytes long (it's the above plus desktop.rpz.threatstop.local) and so far as I can tell this is an entirely legit FQDN (less that 255 total, max 63 chars per section). Moreover the error 'out of space' isn't one that implies an illegal name.

This domain name is 1 octet longer than the maximum allowable 255
octets. Each labels have an initial octet that contains its size 
in the last six bits. Here's a quick calculation in Python:

>>> name ='paypal.com.uk.cmd.cgi-bin.4c6da88992553d0d43ff7d8dbe19c1133279c9a98f445fff9e2de3dd9a35cd.535125ee83828ec61a1888291c588fd9dc096297a1e972d037a14b15663498.806a02ea02f2846dd2aee0300a20dfe587e5ed4f8d3fdc281cb36a171f0178.umedial.de.desktop.rpz.threatstop.local.'

>>> [len(x)+1 for x in name.split('.')]
[7, 4, 3, 4, 8, 63, 63, 63, 8, 3, 8, 4, 11, 6, 1]        // label lengths

>>> sum(_)
256

-- 
Shumon Huque
University of Pennsylvania.



More information about the DNSfirewalls mailing list