From 96f4bcafb19106adfb3bb55dd9e40494fe6d0ddd Mon Sep 17 00:00:00 2001
From: Bozhan Liang
Date: Sat, 14 Dec 2024 18:50:48 +0800
Subject: [PATCH 1/2] auth: prevent createReverse6 from generating illegal IDN record
Closes #7524
---
 pdns/lua-record.cc | 10 +++++
 regression-tests.auth-py/test_LuaRecords.py | 48 ++++++++++++++++++++-
 2 files changed, 57 insertions(+), 1 deletion(-)
diff --git a/pdns/lua-record.cc b/pdns/lua-record.cc
index 1f2344a881b5..d4b0cd36d74a 100644
--- a/pdns/lua-record.cc
+++ b/pdns/lua-record.cc
@@ -1047,6 +1047,16 @@ static void setupLuaRecords(LuaContext& lua) // NOLINT(readability-function-cogn
 string dashed=ip6.toString();
 boost::replace_all(dashed, ":", "-");
+ // https://github.com/PowerDNS/pdns/issues/7524
+ if (boost::ends_with(dashed, "-")) {
+ // "a--a-" -> "a--a-0"
+ dashed.push_back('0');
+ }
+ if (boost::starts_with(dashed, "-") || dashed.compare(2, 2, "--") == 0) {
+ // "-a--a" -> "0-a--a" "aa--a" -> "0aa--a"
+ dashed.insert(0, "0");
+ }
+
 for(int i=31; i>=0; --i)
 fmt % labels[i];
 fmt % dashed;
diff --git a/regression-tests.auth-py/test_LuaRecords.py b/regression-tests.auth-py/test_LuaRecords.py
index 973d98568c87..9f837c188fe3 100644
--- a/regression-tests.auth-py/test_LuaRecords.py
+++ b/regression-tests.auth-py/test_LuaRecords.py
@@ -166,8 +166,14 @@ class TestLuaRecords(AuthTest):
 createforward6.example.org. 3600 IN NS ns1.example.org.
 createforward6.example.org. 3600 IN NS ns2.example.org.
 * IN LUA AAAA "filterForward(createForward6(), newNMG{{'2000::/3'}}, 'fe80::1')"
- """
+ """, # the separate createforward6 zone is because some of the code in lua-record.cc insists on working relatively to the zone apex
+ 'no-filter.createforward6.example.org': """
+no-filter.createforward6.example.org. 3600 IN SOA {soa}
+no-filter.createforward6.example.org. 3600 IN NS ns1.example.org.
+no-filter.createforward6.example.org. 3600 IN NS ns2.example.org.
+* IN LUA AAAA "createForward6()"
+ """
 }
 _web_rrsets = []
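Review bot: The comment above `if (boost::ends_with(dashed, "-"))` gives only an issue URL, so a reader has to leave the file to learn which rule the two guards enforce and why splicing in a '0' is sound; I would replace it with `// Make the label a valid LDH hostname label (#7524): no leading or trailing '-', and no "--" at characters 3-4, which IDNA reserves for the "xn--" ACE prefix. Padding with '0' is safe because createForward6 turns the dashes back into colons and "0--1" still parses as ::1.` — that round-trip is exactly what the AAAA cases in the test hunk pin. `dashed.compare(2, 2, "--")` throws std::out_of_range when position 2 is past the end; that presumably cannot happen here because the shortest text form `::` becomes `--`, is padded to `--0` by the first guard and then short-circuits on starts_with, but `dashed.size() >= 4 && dashed[2] == '-' && dashed[3] == '-'` states the precondition in code instead of relying on that chain. I cannot see whether the header providing boost::starts_with/ends_with is included by this file; the boost::replace_all on the line above suggests boost/algorithm/string.hpp already is, but it is worth confirming. The createReverse6 lambda inside setupLuaRecords starts and ends outside the hunk.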
@@ -1048,6 +1054,46 @@ def testCreateForwardAndReverse(self):
 self.assertRcodeEqual(res, dns.rcode.NOERROR)
 self.assertEqual(res.answer, response.answer)
+ def testCreateForwardAndReverseWithZero(self):
+ """
+ Fix #7524
+ """
+ expected = {
+ ".no-filter.createforward6.example.org." : (dns.rdatatype.AAAA, {
+ "0--0" : "::",
+ "0--1" : "::1",
+ "0aa--0" : "aa::",
+ "0aa--1" : "aa::1",
+ "2001--0" : "2001::",
+ "a-b--c" : "a:b::c",
+ "a--b-c" : "a::b:c"
+ }),
+ ".createreverse6.example.org." : (dns.rdatatype.PTR, {
+ "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0" : "0--0.example.com.",
+ "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0" : "0--1.example.com.",
+ "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.a.a.0.0" : "0aa--0.example.com.",
+ "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.a.a.0.0" : "0aa--1.example.com.",
+ "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.0.2" : "2001--0.example.com.",
+ "c.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.b.0.0.0.a.0.0.0" : "a-b--c.example.com.",
+ "c.0.0.0.b.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.a.0.0.0" : "a--b-c.example.com."
+ })
+ }
+
+ for suffix, v in expected.items():
+ qtype, pairs = v
+ for prefix, target in pairs.items():
+ name = prefix + suffix
+
+ query = dns.message.make_query(name, qtype)
+ response = dns.message.make_response(query)
+ response.answer.append(dns.rrset.from_text(
+ name, 0, dns.rdataclass.IN, qtype, target))
+
+ res = self.sendUDPQuery(query)
+ print(res)
+ self.assertRcodeEqual(res, dns.rcode.NOERROR)
+ self.assertEqual(res.answer, response.answer)
+
 def _getCounter(self, tcp=False):
 """
 Helper function for shared/non-shared testing
From 4455444b5626ef531e4c0b638e8380289b579bc0 Mon Sep 17 00:00:00 2001
From: Bozhan Liang
Date: Mon, 16 Dec 2024 20:29:04 +0800
Subject: [PATCH 2/2] documentation for createReverse6
---
 docs/lua-records/functions.rst | 1 +
 1 file changed, 1 insertion(+)
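Review bot: The `print(res)` inside the inner loop of testCreateForwardAndReverseWithZero dumps every DNS response to stdout on each run; it reads as leftover debugging rather than part of the check and should be dropped. Because fourteen names are driven through one plain loop, the first failing assertion aborts the method and the report does not say which prefix/suffix pair broke — wrapping the query-and-assert part in `with self.subTest(name=name):` lets every case run and labels the failure with the name. The docstring `Fix #7524` could state what is being pinned, e.g. `"""createReverse6 must pad labels that would start or end with '-' or carry '--' at positions 3-4 (#7524), and createForward6 must parse the padded form back to the same address."""`. The enclosing class TestLuaRecords starts outside the hunk.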
diff --git a/docs/lua-records/functions.rst b/docs/lua-records/functions.rst
index 45af5dde9a4f..725471601335 100644
--- a/docs/lua-records/functions.rst
+++ b/docs/lua-records/functions.rst
@@ -384,6 +384,7 @@ Reverse DNS functions
 - ``%3%`` = 0
 - ``%4%`` = 1
 - ``%33%`` converts the compressed address format into a dashed format, e.g. ``2001:a::1`` to ``2001-a--1``
+ This format may add '0' to the result, preventing it from being identified as an illegal IDN by ``dig``.
 - ``%34%`` to ``%41%`` represent the 8 uncompressed 2-byte chunks
 - **Example:** PTR query for ``2001:a:b::123``
 - ``%34%`` - returns ``2001`` (chunk 1)