plugin/file: canonicalize escape form in owner names (#8109)

The miekg/dns zone parser preserves whichever text form the input used for an escaped byte. RFC 1035 §5.1 lets the same byte appear as \DDD (decimal) or \c (literal character), so a zone file written with has\046dot.campus.edu. is stored under that literal string. Incoming queries, by contrast, arrive on the wire and are unpacked by miekg/dns into the canonical form has\.dot.campus.edu. The two strings don't compare equal in the tree, so the record is silently unreachable. Pack-then-unpack the owner name on Insert so the stored key uses the same canonical form as anything that comes off the wire. Only runs when the name contains a backslash, so the common case is a no-op string compare. Fixes #8012 Signed-off-by: Charlie Tonneslan <cst0520@gmail.com>
2026-05-25 19:30:23 -04:00 · 2026-05-19 21:08:16 -04:00
parent 6f4be7103a
commit f4f767fb4e
2 changed files with 94 additions and 1 deletions
--- a/plugin/file/escape_test.go
+++ b/plugin/file/escape_test.go
@@ -0,0 +1,69 @@
+package file
+
+import (
+	"context"
+	"strings"
+	"testing"
+
+	"github.com/coredns/coredns/plugin/pkg/dnstest"
+	"github.com/coredns/coredns/plugin/test"
+
+	"github.com/miekg/dns"
+)
+
+const dbEscapeOwner = `campus.edu.              500 IN SOA ns1.outside.edu. root.campus.edu. 8 6048 4000 2419200 6048
+campus.edu.              500 IN NS  ns1.outside.edu.
+has\046dot.campus.edu.   500 IN A   192.0.2.2
+`
+
+// TestLookupOwnerNameWithDecimalEscape covers RFC 1035 §5.1 \DDD escape
+// notation in owner names. The miekg/dns parser preserves whichever text
+// form the zone file used (\046 vs \.), but incoming queries arrive as
+// the canonical wire-unpacked form (\.). Without normalization the two
+// strings don't compare equal and the record is silently unreachable.
+func TestLookupOwnerNameWithDecimalEscape(t *testing.T) {
+	const origin = "campus.edu."
+	zone, err := Parse(strings.NewReader(dbEscapeOwner), origin, "stdin", 0)
+	if err != nil {
+		t.Fatalf("Parse: %v", err)
+	}
+
+	fm := File{Next: test.ErrorHandler(), Zones: Zones{Z: map[string]*Zone{origin: zone}, Names: []string{origin}}}
+	ctx := context.TODO()
+
+	// The wire form of the owner name is h-a-s-.-d-o-t (one label,
+	// seven bytes), which UnpackDomainName turns into "has\.dot".
+	tc := test.Case{
+		Qname: `has\.dot.campus.edu.`, Qtype: dns.TypeA,
+		Answer: []dns.RR{
+			test.A(`has\.dot.campus.edu.	500	IN	A	192.0.2.2`),
+		},
+		Ns: []dns.RR{
+			test.NS(`campus.edu.	500	IN	NS	ns1.outside.edu.`),
+		},
+	}
+
+	rec := dnstest.NewRecorder(&test.ResponseWriter{})
+	if _, err := fm.ServeDNS(ctx, rec, tc.Msg()); err != nil {
+		t.Fatalf("ServeDNS: %v", err)
+	}
+	if err := test.SortAndCheck(rec.Msg, tc); err != nil {
+		t.Error(err)
+	}
+}
+
+func TestCanonicalEscape(t *testing.T) {
+	cases := []struct {
+		in, want string
+	}{
+		{`has\046dot.campus.edu.`, `has\.dot.campus.edu.`},
+		{`has\.dot.campus.edu.`, `has\.dot.campus.edu.`},
+		{`plain.campus.edu.`, `plain.campus.edu.`},
+		{`a\009b.campus.edu.`, `a\009b.campus.edu.`}, // tab stays \DDD (unprintable)
+	}
+	for _, tc := range cases {
+		if got := canonicalEscape(tc.in); got != tc.want {
+			t.Errorf("canonicalEscape(%q) = %q, want %q", tc.in, got, tc.want)
+		}
+	}
+}