[nsd-users] NSD incorrectly logging DNAME as refused?

Willem Toorop willem at nlnetlabs.nl
Wed Jul 3 08:52:38 UTC 2024


Hi Jamie,

I can reproduce, but only if the target zone of the DNAME (or CNAME 
which behaves the same) matches a zone with an allow-query option that 
doesn't match the querier.

For example with the following config in nsd.conf:

zone:
     name: "."
     allow-query: 0::/128 NOKEY

zone:
     name: "example"
     zonefile: "example"

and an example zone that contains `nsdtest.example. CNAME 
hello.example.com.`, then indeed a query for `nsdtest.example.` gives 
the correct CNAME answer, but a "info: query nsdtest.example. from 
127.0.0.1 refused, no acl matches" message is logged. NSD logs the error 
trying to add more records while following the CNAME, but the checked 
target CNAME domain has an acl forbidding this for the querier.

Do you have a similar situation?

Should an error be logged when CNAME targets match a zone with an 
allow-query list that doesn't match?

-- Willem

On 03-07-2024 at 04:12, Jamie Landeg-Jones via nsd-users wrote:
> I just noticed this with NSD 4.10.0 (and earlier versions - it's not a
> new regression)
>
> I have nsd set to log refused requests to syslog.
>
> After adding a DNAME type into my dns for one sub-zone that is being moved,
> I noticed that legitimate requests for hosts under that subdomain are working
> as expected, however they are being logged as refused.
>
> As a quick replicable test, I just did this to demonstrate the issue.
>
> Firstly, add this to my dyslexicfish.net domain:
>
> nsdtest IN DNAME hello.example.com.
>
> Then, update serial, reload, watch it propagate to secondaries etc., then
> from a machine with no specific acls (i.e. not from one of the primaries
> or secondaries):
>
>   | # dig sjsjqju2qu.nsdtest.dyslexicfish.net.
>   |
>   | ; <<>> DiG 9.18.27 <<>> sjsjqju2qu.nsdtest.dyslexicfish.net.
>   | ;; global options: +cmd
>   | ;; Got answer:
>   | ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 53148
>   | ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 1
>   |
>   | ;; OPT PSEUDOSECTION:
>   | ; EDNS: version: 0, flags:; udp: 1232
>   | ; COOKIE: eef66b9e45770f3e010000006684ada8ca27d2ccb2d7c25f (good)
>   | ;; QUESTION SECTION:
>   | ;sjsjqju2qu.nsdtest.dyslexicfish.net. IN        A
>   |
>   | ;; ANSWER SECTION:
>   | nsdtest.dyslexicfish.net. 86363 IN      DNAME   hello.example.com.
>   | sjsjqju2qu.nsdtest.dyslexicfish.net. 86363 IN CNAME sjsjqju2qu.hello.example.com.
>   |
>   | ;; AUTHORITY SECTION:
>   | example.com.            3600    IN      SOA     ns.icann.org. noc.dns.icann.org. 2024041842 7200 3600 1209600 3600
>   |
>   | ;; Query time: 30 msec
>   | ;; SERVER: 205.166.94.24#53(205.166.94.24) (UDP)
>   | ;; WHEN: Wed Jul 03 01:47:17 UTC 2024
>   | ;; MSG SIZE  rcvd: 213
>
> This produces this via syslog on the nsd servers:
>
>   | Jul  3 02:46:43 <daemon.info> catnip nsd[3620]: query sjsjqju2qu.nsdtest.dyslexicfish.net. from 205.166.94.24 refused, no acl matches .
>
> As can be seen from "dig", the result is valid, and everything works as
> suspected, I'm just getting rather a lot of those "refused" messages, as
> the domain gets a lot of traffic!
>
> I know I can disable the logging of such messages, but I do want to log
> them when they are legitimate!
>
> (Obviously I first noticed this on a valid DNAME target zone of mine.
> I just used 'hello.example.com' in the above demonstration to show that
> it's nothing weird going on with my setup - delegating to any domain that
> the nsd server itself doesn't serve causes the issue)
>
> Any ideas? And apologies for any late-night incoherencies in this message!
>
> Cheers, Jamie
> _______________________________________________
> nsd-users mailing list
> nsd-users at lists.nlnetlabs.nl
> https://lists.nlnetlabs.nl/mailman/listinfo/nsd-users
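The mechanism Willem describes, as an added simulation in Python that is not NSD's code and was not posted by either participant: the query is answered with the DNAME and the synthesized CNAME, NSD then tries to add records for the CNAME target, finds that the target falls under a configured zone (here the catch-all "." zone from Willem's nsd.conf fragment) whose allow-query does not match the querier, and logs a refusal for the original query even though the answer already went out. The zone list mirrors Willem's config plus Jamie's DNAME record, the querier address and the log wording come from Jamie's syslog line, and the data structures, function names and the lookup logic itself are assumptions about NSD's behaviour, not its implementation.

```python
"""Added example, not NSD's code: simulate CNAME/DNAME chasing into a zone
whose allow-query ACL does not match the querier, and the log line that
results.  Zone layout, record and client address are taken from the thread;
everything else (names, structures, the walk itself) is an assumption."""
import ipaddress
from dataclasses import dataclass, field

# Wording of the log message as shown in Jamie's syslog excerpt.
REFUSED_FMT = "query {qname} from {client} refused, no acl matches"


@dataclass
class Zone:
    name: str                                        # FQDN with trailing dot; "." is the root
    allow_query: list = field(default_factory=list)  # CIDR strings; empty list = allow everyone
    rrs: dict = field(default_factory=dict)          # owner name -> (rrtype, rdata)


def acl_allows(zone, client_ip):
    """allow-query check: the client must fall into at least one listed prefix."""
    if not zone.allow_query:
        return True
    ip = ipaddress.ip_address(client_ip)
    # An IPv4 client never matches an IPv6 prefix (ipaddress returns False across versions).
    return any(ip in ipaddress.ip_network(net) for net in zone.allow_query)


def is_subdomain(name, parent):
    return parent == "." or name == parent or name.endswith("." + parent)


def closest_zone(zones, name):
    """Longest configured zone enclosing name; a "." zone catches everything."""
    cands = [z for z in zones if is_subdomain(name, z.name)]
    return max(cands, key=lambda z: len(z.name), default=None)


def ancestors(name):
    labels = name.rstrip(".").split(".")
    for i in range(1, len(labels)):
        yield ".".join(labels[i:]) + "."


def find_in_zone(zone, qname):
    """Exact CNAME at qname, or a DNAME at an ancestor plus the CNAME it synthesizes."""
    rr = zone.rrs.get(qname)
    if rr and rr[0] == "CNAME":
        return [(qname, "CNAME", rr[1])]
    for anc in ancestors(qname):
        rr = zone.rrs.get(anc)
        if rr and rr[0] == "DNAME":
            # RFC 6672 substitution: swap the DNAME owner suffix for its target.
            target = qname[: -len(anc)] + rr[1]
            return [(anc, "DNAME", rr[1]), (qname, "CNAME", target)]
    return []


def lookup(zones, qname, client_ip):
    """Simulated authoritative lookup.  Returns (answer_rrs, log_lines)."""
    answer, log = [], []
    zone = closest_zone(zones, qname)
    if zone is None:
        return answer, log
    if not acl_allows(zone, client_ip):          # genuine refusal: no answer, one log line
        log.append(REFUSED_FMT.format(qname=qname, client=client_ip))
        return answer, log
    name = qname
    for _ in range(8):                            # bound CNAME/DNAME chasing
        rrs = find_in_zone(zone, name)
        if not rrs:
            break
        answer.extend(rrs)
        name = rrs[-1][2]                         # follow the (synthesized) CNAME target
        zone = closest_zone(zones, name)
        if zone is None:
            break                                 # target not served here: nothing to add
        if not acl_allows(zone, client_ip):
            # The answer is already complete, but the attempt to add records from the
            # target zone is logged as a refusal of the original query (the thread's symptom).
            log.append(REFUSED_FMT.format(qname=qname, client=client_ip))
            break
    return answer, log


# Constructed zone set: Willem's catch-all "." zone (allow-query 0::/128) plus Jamie's DNAME.
ZONES = [
    Zone(".", allow_query=["::/128"]),
    Zone("dyslexicfish.net.", rrs={
        "nsdtest.dyslexicfish.net.": ("DNAME", "hello.example.com."),
    }),
]


def demo():
    """Jamie's query from the resolver address in his syslog line."""
    return lookup(ZONES, "sjsjqju2qu.nsdtest.dyslexicfish.net.", "205.166.94.24")


if __name__ == "__main__":
    answer, log = demo()
    for rr in answer:
        print(*rr)
    for line in log:
        print("nsd:", line)
```

Running `demo()` yields the DNAME and the synthesized CNAME together with one "refused, no acl matches" line; dropping the "." zone from `ZONES` gives the same answer and no log line, which is the distinction Willem draws between a target that merely is not served and a target that matches a zone with a non-matching allow-query.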