Hacker News
Fuzzing DNS Zone Parsers (cambus.net)
57 points by fcambus 9 days ago | 8 comments

This is a little disturbing; nsd is kind of a big deal, and afl on zone files is a pretty basic test to run. Kudos to the author for doing it, but why haven't the authors of nsd done it already, and what else haven't they done?

There is really no good reason for DNS servers to be written in C anymore.

> There is really no good reason for DNS servers to be written in C anymore.

I’m a little behind on docs, but we have a pretty decent start on one in Rust: https://github.com/bluejekyll/trust-dns

We still need an AXFR, IXFR, or replication solution.

Also, I haven’t had time to fuzz the zone parsers, so I can’t guarantee we’re resilient to the above yet, but the packet parsers are getting pretty widely used across multiple Rust projects now through the trust-dns-resolver library.

What's wrong with rsync?

Nothing. Depends on the mode of operation we want to support. I want to support that, but we need to add some signal handling (or similar mechanism) to properly reload configs after an rsync is done.

Right now a restart would be required.

Simply not true and a matter of opinion.

Nobody knows how to parse zone files.

I fuzzed a few zone file parsers several years ago, but to find the differences between implementations rather than crashes.

The problem is the format is really poorly specified, has been refined over about 10 RFCs, and is still riddled with ambiguities. Every implementation out there handles things slightly differently.

I'll just dump some notes I wrote at the time, containing a list of RFCs and some findings, to gist:


Off topic: Hello from the person who forked synergy a couple of years ago :)

Excellent! Would you be willing to do a second article on the process you used when wading through the findings?
