<div dir="auto">My understanding is this:<div dir="auto"><br></div><div dir="auto">If a dig command is directed to a resolver with type=CNAME specified and the resolver responds with anything other than the asked for CNAME information, this may indeed be a bug. I'm not sure of the results if the CNAME target exists in cache. Another way to see similar results would be to submit a type=ANY (default) with the +norecurse switch.</div><div dir="auto"><br></div><div dir="auto">I'd be interested to see the results with the +norecurse switch on.</div><div dir="auto"><br></div><div dir="auto">Bob</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, Mar 31, 2023, 10:45 <<a href="mailto:unbound-users-request@lists.nlnetlabs.nl">unbound-users-request@lists.nlnetlabs.nl</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Send Unbound-users mailing list submissions to<br>
<a href="mailto:unbound-users@lists.nlnetlabs.nl" target="_blank" rel="noreferrer">unbound-users@lists.nlnetlabs.nl</a><br>
<br>
To subscribe or unsubscribe via the World Wide Web, visit<br>
<a href="https://lists.nlnetlabs.nl/mailman/listinfo/unbound-users" rel="noreferrer noreferrer" target="_blank">https://lists.nlnetlabs.nl/mailman/listinfo/unbound-users</a><br>
or, via email, send a message with subject or body 'help' to<br>
<a href="mailto:unbound-users-request@lists.nlnetlabs.nl" target="_blank" rel="noreferrer">unbound-users-request@lists.nlnetlabs.nl</a><br>
<br>
You can reach the person managing the list at<br>
<a href="mailto:unbound-users-owner@lists.nlnetlabs.nl" target="_blank" rel="noreferrer">unbound-users-owner@lists.nlnetlabs.nl</a><br>
<br>
When replying, please edit your Subject line so it is more specific<br>
than "Re: Contents of Unbound-users digest..."<br>
<br>
<br>
Today's Topics:<br>
<br>
1. Re: unbound replaces CNAME query with A query? (Tuomo Soini)<br>
2. Re: unbound replaces CNAME query with A query? (Petr Men??k)<br>
3. Re: unbound replaces CNAME query with A query? (Tuomo Soini)<br>
4. Re: unbound replaces CNAME query with A query? (Petr Men??k)<br>
<br>
<br>
----------------------------------------------------------------------<br>
<br>
Message: 1<br>
Date: Fri, 31 Mar 2023 15:54:05 +0300<br>
From: Tuomo Soini <<a href="mailto:tis@foobar.fi" target="_blank" rel="noreferrer">tis@foobar.fi</a>><br>
To: <a href="mailto:unbound-users@lists.nlnetlabs.nl" target="_blank" rel="noreferrer">unbound-users@lists.nlnetlabs.nl</a><br>
Subject: Re: unbound replaces CNAME query with A query?<br>
Message-ID: <<a href="mailto:20230331155405.4a433d05@tuomo.foobar.fi" target="_blank" rel="noreferrer">20230331155405.4a433d05@tuomo.foobar.fi</a>><br>
Content-Type: text/plain; charset=UTF-8<br>
<br>
On Fri, 31 Mar 2023 13:01:28 +0200<br>
Petr Men??k via Unbound-users <<a href="mailto:unbound-users@lists.nlnetlabs.nl" target="_blank" rel="noreferrer">unbound-users@lists.nlnetlabs.nl</a>> wrote:<br>
<br>
> I am using dnssec-trigger-0.17-7.fc36.x86_64 and <br>
> unbound-1.17.1-1.fc36.x86_64 on Fedora 36. But I cannot reproduce the <br>
> behaviour, even if I flush cache by "unbound-control flush_zone ." It<br>
> is returning consistently CNAME with NOERROR. Does it happen only<br>
> when the unbound does not have forwarders and is iterating itself? I<br>
> keep getting CNAME with NOERROR.<br>
<br>
> $ kdig <a href="http://cnametest.bleve.fi" rel="noreferrer noreferrer" target="_blank">cnametest.bleve.fi</a>. CNAME<br>
<br>
Try the query I just listed, should work with bind dig too.<br>
If you query <a href="http://bleve.fi" rel="noreferrer noreferrer" target="_blank">bleve.fi</a> authoritative dns servers to get correct answer.<br>
<br>
cname query only fails if cname target gives NXDOMAIN.<br>
<br>
For example following query works correctly because destination of the<br>
cname exists.<br>
<br>
kdig _443._<a href="http://tcp.bleve.fi" rel="noreferrer noreferrer" target="_blank">tcp.bleve.fi</a>. cname<br>
<br>
This is obviously a bug, very special case which resolver need to<br>
handle different way than normal cname resolution. Also cloudflare,<br>
quad9, and google resolvers seem to have same problem. Seem to be<br>
special case not handled by most dns resolver.<br>
<br>
dnsmasq and bind seem to be able to handle that query correctly.<br>
<br>
-- <br>
Tuomo Soini <<a href="mailto:tis@foobar.fi" target="_blank" rel="noreferrer">tis@foobar.fi</a>><br>
Foobar Linux services<br>
+358 40 5240030<br>
Foobar Oy <<a href="https://foobar.fi/" rel="noreferrer noreferrer" target="_blank">https://foobar.fi/</a>><br>
<br>
<br>
------------------------------<br>
<br>
Message: 2<br>
Date: Fri, 31 Mar 2023 15:57:46 +0200<br>
From: Petr Men??k <<a href="mailto:pemensik@redhat.com" target="_blank" rel="noreferrer">pemensik@redhat.com</a>><br>
To: Tuomo Soini <<a href="mailto:tis@foobar.fi" target="_blank" rel="noreferrer">tis@foobar.fi</a>>, <a href="mailto:unbound-users@lists.nlnetlabs.nl" target="_blank" rel="noreferrer">unbound-users@lists.nlnetlabs.nl</a><br>
Subject: Re: unbound replaces CNAME query with A query?<br>
Message-ID: <<a href="mailto:2d8300c7-16a7-132c-bb68-b682c04fc06d@redhat.com" target="_blank" rel="noreferrer">2d8300c7-16a7-132c-bb68-b682c04fc06d@redhat.com</a>><br>
Content-Type: text/plain; charset=UTF-8; format=flowed<br>
<br>
On 3/31/23 14:54, Tuomo Soini wrote:<br>
> On Fri, 31 Mar 2023 13:01:28 +0200<br>
> Petr Men??k via Unbound-users <<a href="mailto:unbound-users@lists.nlnetlabs.nl" target="_blank" rel="noreferrer">unbound-users@lists.nlnetlabs.nl</a>> wrote:<br>
><br>
>> I am using dnssec-trigger-0.17-7.fc36.x86_64 and<br>
>> unbound-1.17.1-1.fc36.x86_64 on Fedora 36. But I cannot reproduce the<br>
>> behaviour, even if I flush cache by "unbound-control flush_zone ." It<br>
>> is returning consistently CNAME with NOERROR. Does it happen only<br>
>> when the unbound does not have forwarders and is iterating itself? I<br>
>> keep getting CNAME with NOERROR.<br>
> > $ kdig <a href="http://cnametest.bleve.fi" rel="noreferrer noreferrer" target="_blank">cnametest.bleve.fi</a>. CNAME<br>
><br>
> Try the query I just listed, should work with bind dig too.<br>
> If you query <a href="http://bleve.fi" rel="noreferrer noreferrer" target="_blank">bleve.fi</a> authoritative dns servers to get correct answer.<br>
><br>
> cname query only fails if cname target gives NXDOMAIN.<br>
<br>
I have tried on my unbound and it never returns NXDOMAIN to me. The <br>
result is the same with kdig or dig, that makes no difference. I get <br>
NOERROR, not NXDOMAIN.<br>
<br>
$ kdig <a href="http://cnametest.bleve.fi" rel="noreferrer noreferrer" target="_blank">cnametest.bleve.fi</a>. CNAME | head -2<br>
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 35718<br>
;; Flags: qr rd ra ad; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 0<br>
<br>
> For example following query works correctly because destination of the<br>
> cname exists.<br>
><br>
> kdig _443._<a href="http://tcp.bleve.fi" rel="noreferrer noreferrer" target="_blank">tcp.bleve.fi</a>. cname<br>
><br>
> This is obviously a bug, very special case which resolver need to<br>
> handle different way than normal cname resolution. Also cloudflare,<br>
> quad9, and google resolvers seem to have same problem. Seem to be<br>
> special case not handled by most dns resolver.<br>
><br>
> dnsmasq and bind seem to be able to handle that query correctly.<br>
<br>
dnsmasq does not handle CNAMEs at all. It requires upstream recursive <br>
server to do the job and just passes the result to a client. bind can to <br>
proper iteration job from root hints however.<br>
<br>
If it is a bug, I would suggest creating issue at <br>
<a href="https://github.com/NLnetLabs/unbound/" rel="noreferrer noreferrer" target="_blank">https://github.com/NLnetLabs/unbound/</a><br>
<br>
But maybe more precise steps should be described when it returns <br>
NXDOMAIN. Just flushing the cache and doing your query does not seem to <br>
be enough for me.<br>
<br>
-- <br>
Petr Men??k<br>
Software Engineer, RHEL<br>
Red Hat, <a href="https://www.redhat.com/" rel="noreferrer noreferrer" target="_blank">https://www.redhat.com/</a><br>
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB<br>
<br>
<br>
<br>
------------------------------<br>
<br>
Message: 3<br>
Date: Fri, 31 Mar 2023 17:09:40 +0300<br>
From: Tuomo Soini <<a href="mailto:tis@foobar.fi" target="_blank" rel="noreferrer">tis@foobar.fi</a>><br>
To: Petr Men??k <<a href="mailto:pemensik@redhat.com" target="_blank" rel="noreferrer">pemensik@redhat.com</a>><br>
Cc: <a href="mailto:unbound-users@lists.nlnetlabs.nl" target="_blank" rel="noreferrer">unbound-users@lists.nlnetlabs.nl</a><br>
Subject: Re: unbound replaces CNAME query with A query?<br>
Message-ID: <<a href="mailto:20230331170940.6e3d8a7f@tuomo.foobar.fi" target="_blank" rel="noreferrer">20230331170940.6e3d8a7f@tuomo.foobar.fi</a>><br>
Content-Type: text/plain; charset=UTF-8<br>
<br>
On Fri, 31 Mar 2023 15:57:46 +0200<br>
Petr Men??k <<a href="mailto:pemensik@redhat.com" target="_blank" rel="noreferrer">pemensik@redhat.com</a>> wrote:<br>
<br>
> > cname query only fails if cname target gives NXDOMAIN. <br>
> <br>
> I have tried on my unbound and it never returns NXDOMAIN to me. The <br>
> result is the same with kdig or dig, that makes no difference. I get <br>
> NOERROR, not NXDOMAIN.<br>
<br>
All unbounds here without forwarders set up, is that the difference?<br>
<br>
> <br>
> $ kdig <a href="http://cnametest.bleve.fi" rel="noreferrer noreferrer" target="_blank">cnametest.bleve.fi</a>. CNAME | head -2<br>
> ;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 35718<br>
> ;; Flags: qr rd ra ad; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL:<br>
> 0<br>
> <br>
> > For example following query works correctly because destination of<br>
> > the cname exists.<br>
> ><br>
> > kdig _443._<a href="http://tcp.bleve.fi" rel="noreferrer noreferrer" target="_blank">tcp.bleve.fi</a>. cname<br>
> ><br>
> > This is obviously a bug, very special case which resolver need to<br>
> > handle different way than normal cname resolution. Also cloudflare,<br>
> > quad9, and google resolvers seem to have same problem. Seem to be<br>
> > special case not handled by most dns resolver.<br>
> ><br>
> > dnsmasq and bind seem to be able to handle that query correctly. <br>
> <br>
> dnsmasq does not handle CNAMEs at all. It requires upstream recursive <br>
> server to do the job and just passes the result to a client. bind can<br>
> to proper iteration job from root hints however.<br>
> <br>
> If it is a bug, I would suggest creating issue at <br>
> <a href="https://github.com/NLnetLabs/unbound/" rel="noreferrer noreferrer" target="_blank">https://github.com/NLnetLabs/unbound/</a><br>
> <br>
> But maybe more precise steps should be described when it returns <br>
> NXDOMAIN. Just flushing the cache and doing your query does not seem<br>
> to be enough for me.<br>
> <br>
<br>
<br>
<br>
-- <br>
Tuomo Soini <<a href="mailto:tis@foobar.fi" target="_blank" rel="noreferrer">tis@foobar.fi</a>><br>
Foobar Linux services<br>
+358 40 5240030<br>
Foobar Oy <<a href="https://foobar.fi/" rel="noreferrer noreferrer" target="_blank">https://foobar.fi/</a>><br>
<br>
<br>
------------------------------<br>
<br>
Message: 4<br>
Date: Fri, 31 Mar 2023 16:45:15 +0200<br>
From: Petr Men??k <<a href="mailto:pemensik@redhat.com" target="_blank" rel="noreferrer">pemensik@redhat.com</a>><br>
To: Tuomo Soini <<a href="mailto:tis@foobar.fi" target="_blank" rel="noreferrer">tis@foobar.fi</a>><br>
Cc: <a href="mailto:unbound-users@lists.nlnetlabs.nl" target="_blank" rel="noreferrer">unbound-users@lists.nlnetlabs.nl</a><br>
Subject: Re: unbound replaces CNAME query with A query?<br>
Message-ID: <<a href="mailto:9935b00c-dd09-5d3c-dd13-7e202971f535@redhat.com" target="_blank" rel="noreferrer">9935b00c-dd09-5d3c-dd13-7e202971f535@redhat.com</a>><br>
Content-Type: text/plain; charset="utf-8"; Format="flowed"<br>
<br>
On 3/31/23 16:09, Tuomo Soini wrote:<br>
> On Fri, 31 Mar 2023 15:57:46 +0200<br>
> Petr Men??k <<a href="mailto:pemensik@redhat.com" target="_blank" rel="noreferrer">pemensik@redhat.com</a>> wrote:<br>
><br>
><br>
> I have tried on my unbound and it never returns NXDOMAIN to me. The<br>
> result is the same with kdig or dig, that makes no difference. I get<br>
> NOERROR, not NXDOMAIN.<br>
> All unbounds here without forwarders set up, is that the difference?<br>
<br>
I have tried it inside a Rawhide container.<br>
<br>
# unbound-control forward<br>
off (using root hints)<br>
<br>
# dig @localhost <a href="http://cnametest.bleve.fi" rel="noreferrer noreferrer" target="_blank">cnametest.bleve.fi</a>. CNAME<br>
<br>
; <<>> DiG 9.18.13 <<>> @localhost <a href="http://cnametest.bleve.fi" rel="noreferrer noreferrer" target="_blank">cnametest.bleve.fi</a>. CNAME<br>
; (2 servers found)<br>
;; global options: +cmd<br>
;; Got answer:<br>
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55072<br>
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1<br>
<br>
;; OPT PSEUDOSECTION:<br>
; EDNS: version: 0, flags:; udp: 1232<br>
;; QUESTION SECTION:<br>
;cnametest.bleve.fi.??? ??? IN??? CNAME<br>
<br>
;; ANSWER SECTION:<br>
cnametest.bleve.fi.??? 7118??? IN??? CNAME??? <a href="http://nxdomain.foobar.fi" rel="noreferrer noreferrer" target="_blank">nxdomain.foobar.fi</a>.<br>
<br>
;; Query time: 0 msec<br>
;; SERVER: ::1#53(localhost) (UDP)<br>
;; WHEN: Fri Mar 31 16:20:26 CEST 2023<br>
;; MSG SIZE? rcvd: 77<br>
<br>
<br>
Just after fresh restart, it is NOERROR. As it is later. Indeed, the <br>
query unbound sends to <a href="http://cnametest.bleve.fi" rel="noreferrer noreferrer" target="_blank">cnametest.bleve.fi</a> is A? query. But the response <br>
delivered to dig is a correct one. Tested with unbound-1.17.1-2.fc38.x86_64.<br>
<br>
Frame 641: 89 bytes on wire (712 bits), 89 bytes captured (712 bits) on <br>
interface virbr0, id 0<br>
Ethernet II, Src: 7e:85:92:43:88:71 (7e:85:92:43:88:71), Dst: <br>
RealtekU_02:bd:85 (52:54:00:02:bd:85)<br>
Internet Protocol Version 4, Src: 192.168.122.184, Dst: 87.239.120.11<br>
User Datagram Protocol, Src Port: 46986, Dst Port: 53<br>
Domain Name System (query)<br>
??? Transaction ID: 0x4302<br>
??? Flags: 0x0010 Standard query<br>
??? Questions: 1<br>
??? Answer RRs: 0<br>
??? Authority RRs: 0<br>
??? Additional RRs: 1<br>
??? Queries<br>
??????? <a href="http://cnametest.bleve.fi" rel="noreferrer noreferrer" target="_blank">cnametest.bleve.fi</a>: type A, class IN<br>
??? Additional records<br>
??? [Response In: 719]<br>
<br>
It responds to it with nameservers of <a href="http://bleve.fi" rel="noreferrer noreferrer" target="_blank">bleve.fi</a>. But to those servers it <br>
already sends CNAME query, not A? Attaching my pcap.<br>
<br>
When I did dig @localhost ns <a href="http://bleve.fi" rel="noreferrer noreferrer" target="_blank">bleve.fi</a>. before cnametest, it returned <br>
SERVFAIL the first time. Only then it responded with NOERROR. So no, I <br>
do not know how to get NXDOMAIN response from unbound. I get similar <br>
results for the original query.<br>
<br>
>> $ kdig <a href="http://cnametest.bleve.fi" rel="noreferrer noreferrer" target="_blank">cnametest.bleve.fi</a>. CNAME | head -2<br>
>> ;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 35718<br>
>> ;; Flags: qr rd ra ad; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL:<br>
>> 0<br>
>><br>
>> dnsmasq does not handle CNAMEs at all. It requires upstream recursive<br>
>> server to do the job and just passes the result to a client. bind can<br>
>> to proper iteration job from root hints however.<br>
>><br>
>> If it is a bug, I would suggest creating issue at<br>
>> <a href="https://github.com/NLnetLabs/unbound/" rel="noreferrer noreferrer" target="_blank">https://github.com/NLnetLabs/unbound/</a><br>
>><br>
>> But maybe more precise steps should be described when it returns<br>
>> NXDOMAIN. Just flushing the cache and doing your query does not seem<br>
>> to be enough for me.<br>
<br>
-- <br>
Petr Men??k<br>
Software Engineer, RHEL<br>
Red Hat, <a href="https://www.redhat.com/" rel="noreferrer noreferrer" target="_blank">https://www.redhat.com/</a><br>
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB<br>
-------------- next part --------------<br>
A non-text attachment was scrubbed...<br>
Name: cnametest-bleve.fi-filtered.pcapng<br>
Type: application/x-pcapng<br>
Size: 6764 bytes<br>
Desc: not available<br>
URL: <<a href="http://lists.nlnetlabs.nl/pipermail/unbound-users/attachments/20230331/9844401b/attachment.bin" rel="noreferrer noreferrer" target="_blank">http://lists.nlnetlabs.nl/pipermail/unbound-users/attachments/20230331/9844401b/attachment.bin</a>><br>
<br>
------------------------------<br>
<br>
Subject: Digest Footer<br>
<br>
_______________________________________________<br>
Unbound-users mailing list<br>
<a href="mailto:Unbound-users@lists.nlnetlabs.nl" target="_blank" rel="noreferrer">Unbound-users@lists.nlnetlabs.nl</a><br>
<a href="https://lists.nlnetlabs.nl/mailman/listinfo/unbound-users" rel="noreferrer noreferrer" target="_blank">https://lists.nlnetlabs.nl/mailman/listinfo/unbound-users</a><br>
<br>
<br>
------------------------------<br>
<br>
End of Unbound-users Digest, Vol 39, Issue 12<br>
*********************************************<br>
</blockquote></div>