3
4
Fork
You've already forked validns
5

feat: render full NSAP/TLSA/SMIMEA/RP/L64/NID rdata in verbose output #141

Merged
jelu merged 10 commits from tobez/validns:stage5-presentation-form into main 2026年07月09日 10:59:53 +02:00
Collaborator
Copy link

Next in the *_human round-trip series. Several -v rdata renderers emitted
incomplete or invalid presentation form that could not round-trip to the same
wire format:

  • NSAP rendered a placeholder instead of the rdata.
  • TLSA / SMIMEA cut off the association data with ....
  • RP wrapped both domain names in double quotes.
  • L64 / NID dropped zero-padding on the 64-bit locator/node-id — and
    truncated the value itself (below).
  • ZONEMD used a fixed 129-byte buffer with a dead ">64 bytes" fallback.

All now render in full, valid presentation form via a shared dynamically-sized
hex helper, so each re-parses to identical wire format.

Also fixes two pre-existing 64-bit truncation bugs behind L64/NID:

  • Parse: the group accumulator was a uint8_t, masking the value to its
    low 8 bits.
  • Wire: the 8-byte field was written with htonl (32-bit), so validns
    computed wrong wire rdata for NID/L64 and couldn't verify their RRSIGs; now
    encoded big-endian.

A signed fixture and a splice capstone prove wire-identity: each rendered record
is spliced back into the signed zone and the RRSIGs still verify.

Next in the `*_human` round-trip series. Several `-v` rdata renderers emitted incomplete or invalid presentation form that could not round-trip to the same wire format: - **NSAP** rendered a placeholder instead of the rdata. - **TLSA / SMIMEA** cut off the association data with `...`. - **RP** wrapped both domain names in double quotes. - **L64 / NID** dropped zero-padding on the 64-bit locator/node-id — and truncated the value itself (below). - **ZONEMD** used a fixed 129-byte buffer with a dead ">64 bytes" fallback. All now render in full, valid presentation form via a shared dynamically-sized hex helper, so each re-parses to identical wire format. Also fixes two pre-existing 64-bit truncation bugs behind L64/NID: - **Parse:** the group accumulator was a `uint8_t`, masking the value to its low 8 bits. - **Wire:** the 8-byte field was written with `htonl` (32-bit), so validns computed wrong wire rdata for NID/L64 and couldn't verify their RRSIGs; now encoded big-endian. A signed fixture and a splice capstone prove wire-identity: each rendered record is spliced back into the signed zone and the RRSIGs still verify.
chore: consolidate L64/NID 64-bit changelog fragments
Some checks reported errors
test / scan-build (pull_request) Failing after 1s
test / centos (pull_request) Failing after 1s
test / ubuntu (pull_request) Failing after 1s
test / debian (pull_request) Failing after 1s
builds.sr.ht/freebsd Job failed
builds.sr.ht/openbsd Job failed
e7e80183e0
@ -81,0 +79,4 @@
char prefix[32];
char* hex = encode_hex_temp((const unsigned char*)rr->association_data.data,
rr->association_data.length);
int pl = snprintf(prefix, sizeof(prefix), "%d %d %d ",
Owner
Copy link

no check if snprintf fails or overflows

no check if `snprintf` fails or overflows
jelu marked this conversation as resolved
@ -75,1 +73,3 @@
int i;
char prefix[64];
char* hex = encode_hex_temp((const unsigned char*)rr->digest.data, rr->digest.length);
int pl = snprintf(prefix, sizeof(prefix), "%u %d %d ",
Owner
Copy link

no check if snprintf fails or overflows

no check if snprintf fails or overflows
jelu marked this conversation as resolved
fix: ship hex.h in distribution tarball
Some checks failed
test / ubuntu (pull_request) Failing after 0s
test / centos (pull_request) Failing after 0s
test / scan-build (pull_request) Failing after 0s
test / debian (pull_request) Failing after 0s
builds.sr.ht/freebsd Job completed
builds.sr.ht/openbsd Job completed
a12c21774c
fix: check snprintf result before sizing TLSA/ZONEMD render buffers
All checks were successful
builds.sr.ht/freebsd Job completed
builds.sr.ht/openbsd Job completed
test / debian (pull_request) Successful in 32s
test / ubuntu (pull_request) Successful in 33s
test / centos (pull_request) Successful in 51s
test / scan-build (pull_request) Successful in 1m7s
850705582c
@ -81,0 +79,4 @@
char prefix[32];
char* hex = encode_hex_temp((const unsigned char*)rr->association_data.data,
rr->association_data.length);
int pl = snprintf(prefix, sizeof(prefix), "%d %d %d ",
Author
Collaborator
Copy link

Fixed in 8507055: pl is now checked (pl < 0 || pl >= sizeof(prefix)) and the method returns NULL on failure, matching the existing ds.c/nsec3.c pattern. The caller in rr.c already handles NULL rdata. In practice the fields are uint8_t so the 32-byte buffer cannot overflow, but the unchecked return was feeding an allocation size, so the check belongs there regardless.

Fixed in 8507055: `pl` is now checked (`pl < 0 || pl >= sizeof(prefix)`) and the method returns NULL on failure, matching the existing ds.c/nsec3.c pattern. The caller in rr.c already handles NULL rdata. In practice the fields are uint8_t so the 32-byte buffer cannot overflow, but the unchecked return was feeding an allocation size, so the check belongs there regardless.
@ -75,1 +73,3 @@
int i;
char prefix[64];
char* hex = encode_hex_temp((const unsigned char*)rr->digest.data, rr->digest.length);
int pl = snprintf(prefix, sizeof(prefix), "%u %d %d ",
Author
Collaborator
Copy link

Fixed in 8507055, same check as tlsa.c (pl < 0 || pl >= sizeof(prefix) → return NULL).

Fixed in 8507055, same check as tlsa.c (`pl < 0 || pl >= sizeof(prefix)` → return NULL).
Owner
Copy link

#build

#build
Sign in to join this conversation.
No reviewers
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
2 participants
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
DNS-OARC/validns!141
Reference in a new issue
DNS-OARC/validns
No description provided.
Delete branch "tobez/validns:stage5-presentation-form"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?