sendnrw/netbird
2
0
Fork 0
mirror of https://github.com/netbirdio/netbird.git synced 2026-04-15 23:06:38 +00:00
Code Issues Packages Projects Releases Wiki Activity

[client] Fix RFC 4592 wildcard matching for existing domain names (#5145)

Browse Source 
Per RFC 4592 section 2.2.1, wildcards should only match when the queried
name does not exist in the zone. Previously, if host.example.com had an
A record and *.example.com had an AAAA record, querying AAAA for
host.example.com would incorrectly return the wildcard AAAA instead of
NODATA.

Now the resolver checks if the domain exists (with any record type)
before falling back to wildcard matching, returning proper NODATA
responses for existing names without the requested record type.
This commit is contained in:
Maycon Santos
2026-01-21 08:48:32 +01:00
committed by GitHub
parent e01998815e
commit 030650a905
2 changed files with 9 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
client/internal/dns/local/local.go
View File

@@ -201,9 +201,13 @@ func (d *Resolver) lookupRecords(logger *log.Entry, question dns.Question) looku
records, found := d.records[question]
usingWildcard := false
wildQuestion := transformToWildcard(question)
// RFC 4592 section 2.2.1: wildcard only matches if the name does NOT exist in the zone.
// If the domain exists with any record type, return NODATA instead of wildcard match.
if !found && supportsWildcard(question.Qtype) {
records, found = d.records[wildQuestion]
usingWildcard = found
if _, domainExists := d.domains[domain.Domain(question.Name)]; !domainExists {
records, found = d.records[wildQuestion]
usingWildcard = found
}
}
if !found {

4
client/internal/dns/local/local_test.go
View File

@@ -2506,8 +2506,10 @@ func TestLocalResolver_MixedRecordTypes(t *testing.T) {
resolver.ServeDNS(&test.MockResponseWriter{WriteMsgFunc: func(m *dns.Msg) error { respAAAA = m; return nil }}, msgAAAA)
require.NotNil(t, respAAAA)
// host.example.com exists (has A), so AAAA query returns NODATA, not wildcard
// RFC 4592 section 2.2.1: wildcard should NOT match when the name EXISTS in zone.
// host.example.com exists (has A record), so AAAA query returns NODATA, not wildcard.
assert.Equal(t, dns.RcodeSuccess, respAAAA.Rcode, "Should return NODATA for existing host without AAAA")
assert.Len(t, respAAAA.Answer, 0, "RFC 4592: wildcard should not match when name exists")
// AAAA query for other host should return wildcard AAAA
msgAAAAOther := new(dns.Msg).SetQuestion("other.example.com.", dns.TypeAAAA)