Csv2 zonefile syntax check

Sam Trenholme strenholme.usenet at gmail.com
Sat Nov 27 11:25:47 EST 2010


> MaraDNS doesn't feature a switch or a separate tool which just takes a
> zone file and checks it for syntax errors, is that correct?
>
> It is a nice-to-have feature for a startup script - don't kill the
> existing daemon if you can't load the new configuration.

Keep in mind that, unless started with an external "daemonizer" like
Duende, MaraDNS places all of its messages on standard output.  So,
having something like this is simply a matter of either:

* Having a program send MaraDNS a TERM signal a few seconds after
starting, and putting MaraDNS' output in a file, grepping for
problems.  This can be easily done in Bash:

maradns > foo &     # run MaraDNS in the background, collecting its messages in foo
sleep 5             # give it a few seconds to read mararc and the zone files
kill $!             # stop it; $! is the PID of the job just started (%1 needs job control)
grep -i error foo   # then look through foo for problems (pattern is illustrative)

* Making a "hacked" compile of MaraDNS with an exit(0) before the part
of the code that waits for packets on port 53.  Use this modified
compile to check for errors before starting the real MaraDNS.

> BTW, my first post here as a fresh MaraDNS user - great software, glad
> you got the job, and pity for stopping the development (though totally
> understandable).

True enough.  However, I still fix bugs in MaraDNS when I have time.
Right now, I know of the following problems in MaraDNS:

* MaraDNS does not correctly handle the corner case of having too many
records to answer an authoritative ANY query too large to fit in a
512-byte DNS packet.

* Deadwood is having a hard time resolving *.ebay.com queries.  The
issue appears to be because Deadwood does not use cached CNAME entries
to speed up resolving a name (if one has "example.com +86400 CNAME
example.net" and "example.net +300 A 10.1.2.3", Deadwood needs to
contact two nameservers instead of one to resolve example.com five
minutes later, even though that CNAME stays in Deadwood's cache for a
day).

* Deadwood cannot resolve urbandictionary.com.  The issue here
appears to be that concatenating urbandictionary.com's CNAME chain
with the long list of IPs urbandictionary.com has results in a packet
that does not fit in 512 bytes.

* Deadwood's built-in "DNSwall" functionality only filters RFC1918
IPs, and not all IPs an attacker may use with the "resolve a name to a
local IP to escalate privileges" attack.  I actually have already
fixed this, but I need to make sure people updating know about the
impact of this change.

I hope to, in a couple of months, have a new MaraDNS release with
these issues resolved.

- Sam
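The first approach above (start the daemon, capture its output, stop it, grep the log) wrapped into a reusable shell function for a startup script. This is an added example, not code from the post or from MaraDNS; the daemon command line, the grace period and the keywords grepped for ("error", "fatal", "warning") are assumptions, since the post does not say which words MaraDNS uses in its messages.

```shell
#!/bin/sh
# Added example (not from the post or from MaraDNS): start a daemon, capture
# everything it prints, stop it after a grace period, and fail if the captured
# output contains a message that looks like a configuration problem.  Meant
# for a startup script that must not replace a working daemon with one that
# cannot load its configuration.
#
# Usage: check_daemon_startup SECONDS PATTERN COMMAND [ARGS...]
#   SECONDS  how long to let the daemon run before sending it TERM
#   PATTERN  extended regex marking a problem in the output (assumed
#            keywords; the post does not list MaraDNS' exact wording)
# Returns 0 when no problem was logged, 1 otherwise.
check_daemon_startup() {
    wait_secs=$1
    pattern=$2
    shift 2
    log=$(mktemp) || return 1

    # MaraDNS without a daemonizer prints everything on stdout; capture
    # stderr as well so nothing is missed.
    "$@" >"$log" 2>&1 &
    pid=$!

    sleep "$wait_secs"
    kill "$pid" 2>/dev/null || true    # if it already exited by itself, fine
    wait "$pid" 2>/dev/null || true    # reap it; exit status is not judged here

    if grep -Eq "$pattern" "$log"; then
        echo "check_daemon_startup: problems reported by '$1':" >&2
        grep -E "$pattern" "$log" >&2
        rm -f "$log"
        return 1
    fi
    rm -f "$log"
    return 0
}

# Example wiring for a startup script (assumed command line and keywords):
#   check_daemon_startup 5 '[Ee]rror|[Ff]atal|[Ww]arning' maradns \
#       || { echo "new config rejected, keeping old daemon" >&2; exit 1; }
```

The function only looks at what the daemon printed; it deliberately does not interpret the exit status, because a daemon stopped with TERM and one that failed and exited early both return non-zero, and the log is what tells them apart.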

