From f6c44e3f7a75328ec07764a010813ba30a201028 Mon Sep 17 00:00:00 2001
From: Arne Welzel <arne.welzel@corelight.com>
Date: Mon, 9 Dec 2024 18:29:40 +0100
Subject: [PATCH] DNS/dns_binds_rr: Fix complte to complete typo, switch to
 count

From my reading in the docs the complete_flag should only ever be a
single byte, so add a weird for when it is longer, but use count
as the new type.
---
 scripts/base/init-bare.zeek                   |  3 +-
 src/analyzer/protocol/dns/DNS.cc              | 11 ++++++-
 .../scripts.base.protocols.dns.binds/output   | 32 +++++++++----------
 3 files changed, 28 insertions(+), 18 deletions(-)

diff --git a/scripts/base/init-bare.zeek b/scripts/base/init-bare.zeek
index ca57925603..ab337d3591 100644
--- a/scripts/base/init-bare.zeek
+++ b/scripts/base/init-bare.zeek
@@ -4247,8 +4247,9 @@ type dns_binds_rr: record {
 	algorithm: count;	##< Algorithm for Public Key.
 	key_id: count;		##< key tag.
 	removal_flag: count;	##< rm flag.
-	complte_flag: string;	##< complete flag.
+	complte_flag: string &deprecated="Remove in v8.1: Use complete_flag instead.";	##< complete flag.
 	is_query: count;	##< The RR is a query/Response.
+	complete_flag: count;	##< complete flag.
 };
 
 ## A Private RR type LOC record.
diff --git a/src/analyzer/protocol/dns/DNS.cc b/src/analyzer/protocol/dns/DNS.cc
index f317a33599..12b30f22b5 100644
--- a/src/analyzer/protocol/dns/DNS.cc
+++ b/src/analyzer/protocol/dns/DNS.cc
@@ -1262,6 +1262,14 @@ bool DNS_Interpreter::ParseRR_BINDS(detail::DNS_MsgInfo* msg, const u_char*& dat
 
     String* completeflag = ExtractStream(data, len, rdlength - 4);
 
+    // We exposed the complete flag as a string to script land previously,
+    // but there should only ever be a single byte, so raise a weird if
+    // it is longer than that.
+    //
+    // https://bind9.readthedocs.io/en/latest/chapter5.html#monitoring-with-private-type-records
+    if ( completeflag->Len() > 1 )
+        analyzer->Weird("DNS_BINDS_complete_flag_length", util::fmt("%d", completeflag->Len()));
+
     if ( dns_BINDS ) {
         detail::BINDS_DATA binds;
         binds.algorithm = algo;
@@ -1855,8 +1863,9 @@ RecordValPtr DNS_MsgInfo::BuildBINDS_Val(BINDS_DATA* binds) {
     r->Assign(2, binds->algorithm);
     r->Assign(3, binds->key_id);
     r->Assign(4, binds->removal_flag);
-    r->Assign(5, binds->complete_flag);
+    r->Assign(5, binds->complete_flag); // Remove in v8.1: Move field 7 here. Drop String* usage.
     r->Assign(6, is_query);
+    r->Assign(7, binds->complete_flag->Len() > 0 ? binds->complete_flag->Bytes()[0] : 0);
 
     return r;
 }
diff --git a/testing/btest/Baseline/scripts.base.protocols.dns.binds/output b/testing/btest/Baseline/scripts.base.protocols.dns.binds/output
index 9e60009463..f35defd7a7 100644
--- a/testing/btest/Baseline/scripts.base.protocols.dns.binds/output
+++ b/testing/btest/Baseline/scripts.base.protocols.dns.binds/output
@@ -1,17 +1,17 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-BINDS, [query=example.net, answer_type=1, algorithm=7, key_id=32018, removal_flag=0, complte_flag=\x01, is_query=0]
-BINDS, [query=example.net, answer_type=1, algorithm=5, key_id=2196, removal_flag=0, complte_flag=\x01, is_query=0]
-BINDS, [query=example.net, answer_type=1, algorithm=15, key_id=12994, removal_flag=0, complte_flag=\x01, is_query=0]
-BINDS, [query=example.net, answer_type=1, algorithm=16, key_id=23868, removal_flag=0, complte_flag=\x01, is_query=0]
-BINDS, [query=example.net, answer_type=1, algorithm=7, key_id=37611, removal_flag=0, complte_flag=\x01, is_query=0]
-BINDS, [query=example.net, answer_type=1, algorithm=8, key_id=9551, removal_flag=0, complte_flag=\x01, is_query=0]
-BINDS, [query=example.net, answer_type=1, algorithm=5, key_id=48254, removal_flag=0, complte_flag=\x01, is_query=0]
-BINDS, [query=example.net, answer_type=1, algorithm=8, key_id=33130, removal_flag=0, complte_flag=\x01, is_query=0]
-BINDS, [query=example.net, answer_type=1, algorithm=14, key_id=15141, removal_flag=0, complte_flag=\x01, is_query=0]
-BINDS, [query=example.net, answer_type=1, algorithm=10, key_id=41675, removal_flag=0, complte_flag=\x01, is_query=0]
-BINDS, [query=example.net, answer_type=1, algorithm=10, key_id=63711, removal_flag=0, complte_flag=\x01, is_query=0]
-BINDS, [query=example.net, answer_type=1, algorithm=13, key_id=65395, removal_flag=0, complte_flag=\x01, is_query=0]
-BINDS, [query=example.net, answer_type=1, algorithm=13, key_id=31400, removal_flag=0, complte_flag=\x01, is_query=0]
-BINDS, [query=example.net, answer_type=1, algorithm=14, key_id=60289, removal_flag=0, complte_flag=\x01, is_query=0]
-BINDS, [query=example.net, answer_type=1, algorithm=15, key_id=31000, removal_flag=0, complte_flag=\x01, is_query=0]
-BINDS, [query=example.net, answer_type=1, algorithm=16, key_id=40187, removal_flag=0, complte_flag=\x01, is_query=0]
+BINDS, [query=example.net, answer_type=1, algorithm=7, key_id=32018, removal_flag=0, complte_flag=\x01, is_query=0, complete_flag=1]
+BINDS, [query=example.net, answer_type=1, algorithm=5, key_id=2196, removal_flag=0, complte_flag=\x01, is_query=0, complete_flag=1]
+BINDS, [query=example.net, answer_type=1, algorithm=15, key_id=12994, removal_flag=0, complte_flag=\x01, is_query=0, complete_flag=1]
+BINDS, [query=example.net, answer_type=1, algorithm=16, key_id=23868, removal_flag=0, complte_flag=\x01, is_query=0, complete_flag=1]
+BINDS, [query=example.net, answer_type=1, algorithm=7, key_id=37611, removal_flag=0, complte_flag=\x01, is_query=0, complete_flag=1]
+BINDS, [query=example.net, answer_type=1, algorithm=8, key_id=9551, removal_flag=0, complte_flag=\x01, is_query=0, complete_flag=1]
+BINDS, [query=example.net, answer_type=1, algorithm=5, key_id=48254, removal_flag=0, complte_flag=\x01, is_query=0, complete_flag=1]
+BINDS, [query=example.net, answer_type=1, algorithm=8, key_id=33130, removal_flag=0, complte_flag=\x01, is_query=0, complete_flag=1]
+BINDS, [query=example.net, answer_type=1, algorithm=14, key_id=15141, removal_flag=0, complte_flag=\x01, is_query=0, complete_flag=1]
+BINDS, [query=example.net, answer_type=1, algorithm=10, key_id=41675, removal_flag=0, complte_flag=\x01, is_query=0, complete_flag=1]
+BINDS, [query=example.net, answer_type=1, algorithm=10, key_id=63711, removal_flag=0, complte_flag=\x01, is_query=0, complete_flag=1]
+BINDS, [query=example.net, answer_type=1, algorithm=13, key_id=65395, removal_flag=0, complte_flag=\x01, is_query=0, complete_flag=1]
+BINDS, [query=example.net, answer_type=1, algorithm=13, key_id=31400, removal_flag=0, complte_flag=\x01, is_query=0, complete_flag=1]
+BINDS, [query=example.net, answer_type=1, algorithm=14, key_id=60289, removal_flag=0, complte_flag=\x01, is_query=0, complete_flag=1]
+BINDS, [query=example.net, answer_type=1, algorithm=15, key_id=31000, removal_flag=0, complte_flag=\x01, is_query=0, complete_flag=1]
+BINDS, [query=example.net, answer_type=1, algorithm=16, key_id=40187, removal_flag=0, complte_flag=\x01, is_query=0, complete_flag=1]