Bug#692116: /usr/bin/nsupdate: nsupdate: wrongly escapes semicolons in updates

Wed, 23 Oct 2013 02:42:49 -0700 

>>>>> Benoit Panizzon <paniz...@woody.ch> writes:

 > Package: dnsutils Version: 1:9.7.3.dfsg-1~squeeze7 Severity: normal
 > File: /usr/bin/nsupdate

 > When someone uses DNSSEC signed zones, you don't go and edit those
 > zonefiles manualy as this would break the signatures.

 > So you use nsupdate to manage your zones, so bind can take care of
 > correct signatures.

 > Now I wanted to start using DKIM and update my zone with a TXT record
 > containing the public key:

[…]

 > mail._domainkey.woody.ch. 300   IN      TXT     "v=DKIM1\; g=*\; k=rsa\; 
 > p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCoPEw05hVDRt7ogyCMkrdfIJqA2Byrf/i+c9oGhNRS1YTGohtUjaZibbcg44Tw9Sbx9OxmR+jauhGprUKTF9vXFRe4hBvFdXE1PNw/L5x8Sb9UJ8SCdKLn3tyBEKqaqEIbYy7UFeZuE6MwLn1crGyOie0xiOgyzoWMP4/9WW7/5QIDAQAB"

 > nsupdate is wrongly adding a "\" character before all the ";"
 > characters.

 > Is there a chance for this to be fixed in a future update?

        Somehow, I belive it isn’t a bug, but rather a feature of the
        ‘show’ nsupdate(1) subcommand.  Consider, for instance (as of
        1:9.7.3.dfsg-1~squeeze6):

> update add      a2013295._domainkey.siamics.net.        86400   IN      TXT   
>  k=rsa; t=s; 
> p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCwfB7heSXsla7eqbkZGy673aysYdM6BsdIt/dJEG/BC3TZmFTjPdSRZa2uceLVKfvjm1SqfXpD3a+utLrmjPQsIAvhfy2TXvzag9ggVpARFKQ6MqEQCHTYT4QplZ7Lc5jzpX+KMyyAQwTYJekoUQc3pMHXxYUpdulDfrSs4JQWOwIDAQAB
>  
> show 
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
a2013295._domainkey.siamics.net. 86400 IN TXT   "k=rsa\;" "t=s\;" 
"p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCwfB7heSXsla7eqbkZGy673aysYdM6BsdIt/dJEG/BC3TZmFTjPdSRZa2uceLVKfvjm1SqfXpD3a+utLrmjPQsIAvhfy2TXvzag9ggVpARFKQ6MqEQCHTYT4QplZ7Lc5jzpX+KMyyAQwTYJekoUQc3pMHXxYUpdulDfrSs4JQWOwIDAQAB"

> 

        Now, despite the escaped semicolons in the ‘show’ output, as
        well as the one of dig(1) (see below), the signatures appear to
        pass validation performed by check-auth at verifier.port25.com.

$ dig +short txt a2013295._domainkey.siamics.net. 
"k=rsa\;" "t=s\;" 
"p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCwfB7heSXsla7eqbkZGy673aysYdM6BsdIt/dJEG/BC3TZmFTjPdSRZa2uceLVKfvjm1SqfXpD3a+utLrmjPQsIAvhfy2TXvzag9ggVpARFKQ6MqEQCHTYT4QplZ7Lc5jzpX+KMyyAQwTYJekoUQc3pMHXxYUpdulDfrSs4JQWOwIDAQAB"
$ 

-- 
FSF associate member #7257


--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Reply via email to