When using dig from bind-tools with +trace to walk the delegation path, dig produces errors on full delegations including IDN names. When a delegation including a NS with IDN is hit during walkign the path, dig reports a <<couldn't get address for 'IDN NS': not found>> error. bind-tools 9.9.x does not exhibit this error Reproducible: Always Steps to Reproduce: Use dig with USE="IDN" and +trace ona delegation path including NSes with IDN (Punycode) names. See an error for getting the IDN named NS addresses. Actual Results: Problems during delegation with IDN names. Expected Results: Clean path walk even when IDN names are used. As stated above this bug was introduced in the 9.10 branch of bind-tools. 9.9x seems to work fine.
Further Info: While 9.9 does not produce an error output it seems that neither 9.9 nor 9.10 ever use the NS with IDN(Punycode) name in the delegation. Rebuilding bind-tools with USE="-idn" exposes the Punycode name (Instead of IDN names) and all NSes in the delegation are used equally.
(In reply to Sven E. from comment #0) > Steps to Reproduce: Here is where you would put an actual example of dig failing. That is, the entire command plus its output. Also, post your `emerge --info net-dns/bind-tools' output in a comment.
Portage 2.2.15 (python 2.7.9-final-0, hardened/linux/amd64, gcc-4.8.3, glibc-2.20-r1, 3.4.76 x86_64) ================================================================= System Settings ================================================================= System uname: Linux-3.4.76-x86_64-AMD_Athlon-tm-_64_X2_Dual_Core_Processor_5400+-with-gentoo-2.2 KiB Mem: 4016600 total, 504616 free KiB Swap: 6294504 total, 6194820 free Timestamp of tree: Sun, 04 Jan 2015 03:15:01 +0000 sh bash 4.3_p33 ld GNU ld (GNU Binutils) 2.24 distcc 3.2rc1 x86_64-pc-linux-gnu [disabled] app-shells/bash: 4.3_p33 dev-java/java-config: 2.2.0 dev-lang/perl: 5.20.1-r4 dev-lang/python: 2.7.9-r1, 3.2.5-r6, 3.3.5-r1, 3.4.2 dev-util/cmake: 3.0.2 dev-util/pkgconfig: 0.28-r2 sys-apps/baselayout: 2.2 sys-apps/openrc: 0.12.4 sys-apps/sandbox: 2.6-r1 sys-devel/autoconf: 2.69 sys-devel/automake: 1.11.6-r1, 1.12.6, 1.14.1 sys-devel/binutils: 2.24-r3 sys-devel/gcc: 4.6.4, 4.7.4, 4.8.3 sys-devel/gcc-config: 1.8 sys-devel/libtool: 2.4.4 sys-devel/make: 4.1-r1 sys-kernel/linux-headers: 3.18 (virtual/os-headers) sys-libs/glibc: 2.20-r1 Repositories: gentoo DarKperimental ACCEPT_KEYWORDS="amd64 ~amd64" ACCEPT_LICENSE="* -@EULA Oracle-BCLA-JavaSE" CBUILD="x86_64-pc-linux-gnu" CFLAGS="-march=athlon64 -O2 -pipe" CHOST="x86_64-pc-linux-gnu" CONFIG_PROTECT="/etc /usr/share/gnupg/qualified.txt /var/bind" CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/php/apache2-php5.3/ext-active/ /etc/php/cgi-php5.3/ext-active/ /etc/php/cli-php5.3/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo" CXXFLAGS="-march=athlon64 -O2 -pipe" DISTDIR="/usr/portage/distfiles" EMERGE_DEFAULT_OPTS="--quiet-build=n" FCFLAGS="-O2 -pipe" FEATURES="assume-digests binpkg-logs config-protect-if-modified distlocks ebuild-locks fixlafiles merge-sync news parallel-fetch preserve-libs protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr" FFLAGS="-O2 -pipe" GENTOO_MIRRORS="ftp://ftp.uni-frankfurt.de/pub/Mirrors/gentoo.org/ http://distfiles.gentoo.org http://www.ibiblio.org/pub/Linux/distributions/gentoo" LANG="en_US.UTF-8" LDFLAGS="-Wl,-O1 -Wl,--as-needed" MAKEOPTS="-j3" PKGDIR="/usr/portage/packages" PORTAGE_CONFIGROOT="/" PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages" PORTAGE_TMPDIR="/var/tmp" PORTDIR="/usr/portage" PORTDIR_OVERLAY="/usr/local/portage" SYNC="rsync://rsync.de.gentoo.org/gentoo-portage" USE="X acl amd64 apache2 berkdb bzip2 cairo caps cli consolekit cracklib crypt cxx dbus dri fortran gdbm geoip gnome-keyring gnutls gpm gtk3 hardened iconv idn imap ipv6 java jpeg justify libnotify lzma lzo mmx modules multilib mysql nautilus ncurses nls nptl ogg openmp pam pax_kernel pcre perl png policykit postgres python readline ruby session snmp speex sqlite3 sse sse2 ssl startup-notification taglib tcpd theora unicode urandom vhosts xattr xml xtpax zlib" ABI_X86="64" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" APACHE2_MODULES="actions alias authz_core authz_host authz_user auth_digest authn_core authn_file autoindex cgi deflate dir env expires ext_filter filter headers include log_config logio mime mime_magic negotiation rewrite setenvif socache_shmcb unixd" APACHE2_MPMS="prefork" CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump author" CAMERAS="ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ublox ubx" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" LINGUAS="de en" OFFICE_IMPLEMENTATION="libreoffice" PHP_TARGETS="php5-4" PYTHON_SINGLE_TARGET="python2_7" PYTHON_TARGETS="python2_7 python3_3" QEMU_SOFTMMU_TARGETS="arm i386 x86_64" QEMU_USER_TARGETS="arm armeb i386 x86_64" RUBY_TARGETS="ruby20 ruby21" USERLAND="GNU" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account" Unset: CPPFLAGS, CTARGET, INSTALL_MASK, LC_ALL, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, USE_PYTHON ================================================================= Package Settings ================================================================= net-dns/bind-tools-9.10.1_p1 was built with the following: USE="idn ipv6 readline ssl urandom xml -doc -gost -gssapi" ABI_X86="64" CFLAGS="-march=athlon64 -O2 -pipe -DDIG_SIGCHASE"
>> dig +trace www.verfeiert.org <...> verfeiert.org. 86400 IN NS haruspex.eschenberg.eu. verfeiert.org. 86400 IN NS filémon.verfeiert.org. verfeiert.org. 86400 IN NS mortadello.verfeiert.org. h9p7u7tr2u91d0v0ljs9l1gidnp90u3h.org. 86400 IN NSEC3 1 1 1 D399EAAB H9PARR669T6U8O1GSG9E1LMITK4DEM0T NS SOA RRSIG DNSKEY NSEC3PARAM h9p7u7tr2u91d0v0ljs9l1gidnp90u3h.org. 86400 IN RRSIG NSEC3 7 2 86400 20150125210415 20150104200415 53348 org. FhrdsWYIGoVNbUbkMGdiYCD+tGT6qBDyj3xwYDfXbRvZqjf+34HqgO2G RfwsLC4ltVsdqIMlCpacGOlCcgxAkxejxUGo18qZVlhd5EbvARo9E8i4 zeTKPMxeKn8sKQyU6OfIVovh9TjMlv6X6FxLGBk4arw9HsQxtkz+IRId ccw= 1rkc8brp3drb9pco5639t770grhemd1e.org. 86400 IN NSEC3 1 1 1 D399EAAB 1RM3QF34BFI90AU7AQ7KEKBCFHVE5UFV NS DS RRSIG 1rkc8brp3drb9pco5639t770grhemd1e.org. 86400 IN RRSIG NSEC3 7 2 86400 20150122163315 20150101153315 53348 org. cjubVMMERPaunkWvEGCxQEKTuWvemK4jCTyzMIaExtVYzDUuENidJFZR /bNY3U5JE+41I+lk4+VU1+4ds9pV2cmrtPt7I0BQvaTRiZPQUYMRidn6 MVbAUrrLWz53f5K3ragEKmZ85J4pRU2e9YainTz2I0UN30F3lWPHrqet 7ZM= couldn't get address for 'filémon.verfeiert.org': not found ;; Received 677 bytes from 199.19.53.1#53(c0.org.afilias-nst.info) in 29 ms <...> Additionally filémon is never considered during delgation. (Well, that's obvious, if getting it's address 'fails') With 9.9 The error message disappears, filémon is still not considered. Building with -idn fixes all problems, all relevant delegations are used and no error is reported. >> dig NS verfeiert.org @c0.org.afilias-nst.info ;; AUTHORITY SECTION: verfeiert.org. 86400 IN NS haruspex.eschenberg.eu. verfeiert.org. 86400 IN NS mortadello.verfeiert.org. verfeiert.org. 86400 IN NS filémon.verfeiert.org. ;; ADDITIONAL SECTION: mortadello.verfeiert.org. 86400 IN A 141.2.119.130 filémon.verfeiert.org. 86400 IN A 141.2.118.239 filémon.verfeiert.org. 86400 IN A 141.2.119.129 The delegation itself is intact. Without idn support the output is done in Punycode (obviously) and all possible delegations are used. For the sake of completeness: >> dig +trace www.verfeiert.org <...> verfeiert.org. 86400 IN NS haruspex.eschenberg.eu. verfeiert.org. 86400 IN NS xn--filmon-dva.verfeiert.org. verfeiert.org. 86400 IN NS mortadello.verfeiert.org. h9p7u7tr2u91d0v0ljs9l1gidnp90u3h.org. 86400 IN NSEC3 1 1 1 D399EAAB H9PARR669T6U8O1GSG9E1LMITK4DEM0T NS SOA RRSIG DNSKEY NSEC3PARAM h9p7u7tr2u91d0v0ljs9l1gidnp90u3h.org. 86400 IN RRSIG NSEC3 7 2 86400 20150125211417 20150104201417 53348 org. Ed7lPnz1ZpzhASQad9lb6Rb/2mXrsZ9ic4JhmLK2mWq/dwRZjhLAnbNd 0RM8GruaOYWNVX1aKkqnAFZudL7K7M65EQmHOyYtGU2b7HyA83ZOApXM aQwrLEJTHnH+t7XX2jy//UxjTo3361J8hYHEbM1vlG/cNtVNJUEYNhzy bKI= 1rkc8brp3drb9pco5639t770grhemd1e.org. 86400 IN NSEC3 1 1 1 D399EAAB 1RM3QF34BFI90AU7AQ7KEKBCFHVE5UFV NS DS RRSIG 1rkc8brp3drb9pco5639t770grhemd1e.org. 86400 IN RRSIG NSEC3 7 2 86400 20150122163315 20150101153315 53348 org. cjubVMMERPaunkWvEGCxQEKTuWvemK4jCTyzMIaExtVYzDUuENidJFZR /bNY3U5JE+41I+lk4+VU1+4ds9pV2cmrtPt7I0BQvaTRiZPQUYMRidn6 MVbAUrrLWz53f5K3ragEKmZ85J4pRU2e9YainTz2I0UN30F3lWPHrqet 7ZM= ;; Received 677 bytes from 199.19.57.1#53(d0.org.afilias-nst.org) in 88 ms www.verfeiert.org. 86400 IN A 141.2.119.130 verfeiert.org. 86400 IN NS mortadello.verfeiert.org. verfeiert.org. 86400 IN NS wiseowl.verfeiert.org. verfeiert.org. 86400 IN NS xn--filmon-dva.verfeiert.org. ;; Received 218 bytes from 141.2.119.129#53(xn--filmon-dva.verfeiert.org) in 1 ms <...> Without idn support xn--filmon-dva.verfeiert.org is indeed queried.
Extra fun for more insight: >> dig filémon.verfeiert.org @mortadello.verfeiert.org ;; ANSWER SECTION: filémon.verfeiert.org. 86400 IN A 141.2.119.129 filémon.verfeiert.org. 86400 IN A 141.2.118.239 >> dig filémon.verfeiert.org @filémon.verfeiert.org dig: couldn't get address for 'filémon.verfeiert.org': not found (Note that this seems to be the exact same error message that is thrown during trace) >> dig filémon.verfeiert.org @$(idn filémon.verfeiert.org) ;; ANSWER SECTION: filémon.verfeiert.org. 86400 IN A 141.2.119.129 filémon.verfeiert.org. 86400 IN A 141.2.118.239 --- Looks like there's a common place/routine where IDN<>PUNYCODE conversion is broken.
I looked into the dig QUERY @IDN-HOST case: dig passes down the IDN representation right into the resolver lib. As I doubt the resolver lib interface accepts IDN representations, dig would have to properly convert the name to punycode. For the original bug: the child during trace returns the records in punycode and passes them on to the parent dig process. For output this punycode is converted to idn representation and output to the user. Now instead of using the punycode result dig pushes down the idn representation as is into the child which in turn seems to send the idn representation as is into the resolver lib. Even if the child would properly convert the name to punycode it seems quite stupid to not reuse the punycode answer directly.
Now dig basicly does no idn processing at all, i.e. +idnout has no effect and names are printed in Punycode all the time. So this is pretty much as compiling with USE="-idn". Doing dig <idnname> does not work either. (This at least used to work with USE="idn".)
