
Wireshark-bugs: [Wireshark-bugs] [Bug 3792] New: NAPTR RR (RFC 3403) replacement MUST be a fully

Date: Thu, 30 Jul 2009 08:03:32 -0700 (PDT)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=3792

           Summary: NAPTR RR (RFC 3403) replacement MUST be a fully
                    qualified domain-name
           Product: Wireshark
           Version: SVN
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: Minor
          Priority: Low
         Component: Wireshark
        AssignedTo: wireshark-bugs@xxxxxxxxxxxxx
        ReportedBy: ivan_jr@xxxxxxxxx



Ivan Sy <ivan_jr@xxxxxxxxx> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #3438|                            |review_for_checkin?
               Flag|                            |


Created an attachment (id=3438)
 --> (https://bugs.wireshark.org/bugzilla/attachment.cgi?id=3438)
NAPTR RR (RFC 3403) replacement MUST be a fully qualified domain-name

Build Information:
wireshark 1.2.1

Copyright 1998-2009 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled with GTK+ 2.16.1, with GLib 2.20.1, with libpcap 1.0.0, with libz
1.2.3, without POSIX capabilities, with libpcre 7.8, with SMI 0.4.7, without
c-ares, with ADNS, without Lua, with GnuTLS 2.6.4, with Gcrypt 1.4.4, without
Kerberos, with GeoIP, with PortAudio <= V18, without AirPcap.

Running on FreeBSD 7.2-RELEASE-p1, with libpcap version 1.0.0, GnuTLS 2.6.4,
Gcrypt 1.4.4.

Built using gcc 4.2.1 20070719  [FreeBSD].

--
Steps:
1. Capture a DNS packet with a NAPTR RR whose replacement text is a domain
name.

(example from RFC 3403 section 6.1)
IN NAPTR 100  50  "a"    "z3950+N2L+N2C"     ""   cidserver.example.com.
IN NAPTR 100  50  "a"    "rcds+N2C"          ""   cidserver.example.com.
IN NAPTR 100  50  "s"    "http+N2L+N2C+N2R"  ""   www.example.com.


2. Using Wireshark 1.2.1, view the DNS response packet and observe the
resulting Replacement length and the Replacement.

The replacement is just the first string in the domain name.

For example: cidserver.example.com. will result in
replacement length: 9
replacement: cidserver

See the attached packet capture for a sample, which contains multiple NAPTR values.

From RFC 3403 section 4.1, last paragraph:

   REPLACEMENT
      A <domain-name> which is the next domain-name to query for
      depending on the potential values found in the flags field.  This
      field is used when the regular expression is a simple replacement
      operation.  Any value in this field MUST be a fully qualified
      domain-name.  Name compression is not to be used for this field.

      This field and the REGEXP field together make up the Substitution
      Expression in the DDDS Algorithm.  It is simply a historical
      optimization specifically for DNS compression that this field
      exists.  The fields are also mutually exclusive.  If a record is
      returned that has values for both fields then it is considered to
      be in error and SHOULD be either ignored or an error returned.


See the attached patch and packet capture.
Done fuzzing.


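As an added illustration of the defect described in this report (not code from Wireshark or from the attached patch), the parser below reads NAPTR RDATA per RFC 3403 section 4.1, treating REPLACEMENT as an uncompressed sequence of labels and rejecting compression pointers, and `buggy_replacement` reproduces the 1.2.1 behaviour of reading it as a single character-string. The sample record is constructed from the first RFC 3403 section 6.1 example quoted above.

```python
import struct

def _char_string(data, pos):
    # <character-string>: one length octet, then that many bytes.
    n = data[pos]
    return data[pos + 1:pos + 1 + n].decode("ascii"), pos + 1 + n

def _domain_name(data, pos):
    # <domain-name>: length-prefixed labels ending in the empty root label.
    # RFC 3403 forbids name compression here, so a pointer (top bits 11) is an error.
    labels = []
    while True:
        n = data[pos]
        if n & 0xC0:
            raise ValueError("compression pointer in NAPTR replacement")
        pos += 1
        if n == 0:
            return ".".join(labels) + ".", pos
        labels.append(data[pos:pos + n].decode("ascii"))
        pos += n

def parse_naptr_rdata(rdata):
    # RFC 3403 section 4.1 RDATA: ORDER, PREFERENCE, FLAGS, SERVICES, REGEXP, REPLACEMENT.
    order, pref = struct.unpack("!HH", rdata[:4])
    flags, pos = _char_string(rdata, 4)
    service, pos = _char_string(rdata, pos)
    regexp, pos = _char_string(rdata, pos)
    replacement, pos = _domain_name(rdata, pos)
    if pos != len(rdata):
        raise ValueError("trailing bytes after NAPTR replacement")
    return {"order": order, "preference": pref, "flags": flags,
            "service": service, "regexp": regexp, "replacement": replacement}

def buggy_replacement(rdata):
    # Mirrors the 1.2.1 behaviour in the report: the replacement is read as one
    # <character-string>, so only its first label (and that label's length) show up.
    pos = 4
    for _ in range(3):
        _, pos = _char_string(rdata, pos)
    return _char_string(rdata, pos)[0]

def encode_naptr_rdata(order, pref, flags, service, regexp, replacement):
    # Builds wire-format RDATA so a constructed record can be fed to the parsers.
    out = struct.pack("!HH", order, pref)
    for s in (flags, service, regexp):
        out += bytes([len(s)]) + s.encode("ascii")
    for label in filter(None, replacement.split(".")):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

# Constructed from the first record quoted in the report (RFC 3403 section 6.1).
SAMPLE = encode_naptr_rdata(100, 50, "a", "z3950+N2L+N2C", "", "cidserver.example.com.")
```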