[Unbound-users] Unbound accepts Authority records with a wrong zone cut. Too lax?
W.C.A. Wijngaards
wouter at nlnetlabs.nl
Wed Jul 18 08:37:59 UTC 2012
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi Stephane,
On 07/18/2012 10:19 AM, Stephane Bortzmeyer wrote:
> Today, we experienced the problem described in
> <http://fanf.livejournal.com/107721.html>. BIND cannot query CNAME
> ns1.webhosting24.com but Unbound can. Here on OARC's ODVR service:
>
> # BIND % dig @2001:4f8:3:2bc:1::64:20 CNAME ns1.webhosting24.com
>
> ; <<>> DiG 9.8.1-P1 <<>> @2001:4f8:3:2bc:1::64:20 CNAME
> ns1.webhosting24.com ; (1 server found) ;; global options: +cmd ;;
> Got answer: ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id:
> 35315 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0,
> ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags: do; udp: 4096 ;;
> QUESTION SECTION: ;ns1.webhosting24.com. IN CNAME
>
> ;; Query time: 656 msec ;; SERVER:
> 2001:4f8:3:2bc:1:0:64:20#53(2001:4f8:3:2bc:1:0:64:20) ;; WHEN: Wed
> Jul 18 09:21:27 2012 ;; MSG SIZE rcvd: 49
>
> # Unbound % dig @2001:4f8:3:2bc:1::64:21 CNAME
> ns1.webhosting24.com
>
> ; <<>> DiG 9.8.1-P1 <<>> @2001:4f8:3:2bc:1::64:21 CNAME
> ns1.webhosting24.com ; (1 server found) ;; global options: +cmd ;;
> Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:
> 43630 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0,
> ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags: do; udp: 4096 ;;
> QUESTION SECTION: ;ns1.webhosting24.com. IN CNAME
>
> ;; Query time: 492 msec ;; SERVER:
> 2001:4f8:3:2bc:1:0:64:21#53(2001:4f8:3:2bc:1:0:64:21) ;; WHEN: Wed
> Jul 18 09:21:31 2012 ;; MSG SIZE rcvd: 49
>
> I suspect that Unbound may be too lax since the answer is indeed
> incorrect. ns1.webhosting24.com is delegated but the name servers
> reply with an Authority which indicates a zone cut at
> webhosting24.com. It seems BIND is right to reject it and Unbound
> is wrong?
Unbound rejects the authority records from this message. Then looks
at the resulting message and thinks that this looks like a
NOERROR/NODATA answer, which it returns to the client.
So, unbound rejects the authority zone cut, but does not turn that
into a servfail because it thinks it can understand the message with
that RR removed.
Best regards,
Wouter
> % dig @217.70.144.111 CNAME ns1.webhosting24.com
>
> ; <<>> DiG 9.7.3 <<>> @217.70.144.111 CNAME ns1.webhosting24.com ;
> (1 server found) ;; global options: +cmd ;; Got answer: ;;
> ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17571 ;; flags: qr
> aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1 ;; WARNING:
> recursion requested but not available
>
> ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags: do; udp: 4096 ;;
> QUESTION SECTION: ;ns1.webhosting24.com. IN CNAME
>
> ;; AUTHORITY SECTION: webhosting24.com. 86400 IN SOA
> ns1.webhosting24.com. hostmaster.webhosting24.com. 2012071800 86400
> 3600 604800 86400
>
> ;; Query time: 23 msec ;; SERVER:
> 217.70.144.111#53(217.70.144.111) ;; WHEN: Wed Jul 18 10:18:46
> 2012 ;; MSG SIZE rcvd: 96
> _______________________________________________ Unbound-users
> mailing list Unbound-users at unbound.net
> http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.18 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iQIcBAEBAgAGBQJQBnXnAAoJEJ9vHC1+BF+Nww8P+gPv0waszyatAfZMWvbl0+5+
BaEq15XrDeZjQla3eY29Uh9zTUwPBW3aY99JscMttD9igR79Nl4e6eLB8vLsXnGz
W3pp0T58P6lKhIbg4zFkEoFzBPKx5KhaIeA8pcMuz0E8uD0fAINsyxOE5gFwsfB0
rq2FrrjYPBTyxJJ8VPA/cmX2q7pNqD0fJFit6m9xw6jK4q8+v+MIK6zevtqJVfIl
skP31yNDPOpggkfcuEoF7TC7GJeOLmXR2sM3gIiiogm+APq04wmLp8SqVGM8RYQM
Aycd6M4oXSzTZ6KM24/ogWgzjDm3dQegYfSKbYEw8/8ZwDSvBunD371K4BH4Zvl4
yxvnrONsH99ccAOaM6LNqGAaiPdtJEoV39mC56w98LCrqYoIiVh+d7pVxI1IZPHa
W1OPweKrV655/wbPLp6P728YuoO6JXXPi60Xt3BGvZwDd9ut+2btymhC+dI5S//v
vl/QL15jpnHJOVmI1EcC3Rukonznx5olxeZk7w6HL5lyHqvCGFuZB/0L6qQUFMun
2d7ommP98KtrxzWFsZVPq45festj4E0UEGmz0OMDuub6KylLmrpRn3NnM+FGocw+
P3kAjAgRkl5UPwxXPbX90JOkGH6ADWmk+EmGDYv4KN86o6HGEuSzXUX4A78solKV
B5HlP2ydTXOPQ4osbTif
=lJCG
-----END PGP SIGNATURE-----
More information about the Unbound-users
mailing list