[Unbound-users] Unbound rejects queries with unknown data in additional section

W.C.A. Wijngaards wouter at nlnetlabs.nl
Fri Jan 11 10:16:33 UTC 2013

Hash: SHA1

Hi Alexander,

On 01/11/2013 10:31 AM, Alexander E. Patrakov wrote:
> 2013/1/11 W.C.A. Wijngaards <wouter at nlnetlabs.nl>:
>> On 01/11/2013 08:37 AM, Alexander E. Patrakov wrote:
>>> I found a difference in behaviour between Unbound and BIND.
>>> Could you please explain if this is intentional?
>> Yes this was intentional.  It is copied from NSD.  It rejects a
>> query that has unknown components, because the server does not
>> support this sort of query.  FORMERR, because this rcode means
>> there was something wrong with the query.
> OK, I see.
>> Is there some reason you want this?
> My company develops parental control software. One of its functions
> is to redirect all DNS queries originating from the user's computer
> to our DNS servers, adding a record to the additional section for
> user tracking purposes.

This is not going to work, even if I fix unbound to be more lenient.
It is not going to be compatible with other software, in general.

> Now imagine what happens if a user with our software connects e.g.
> to a network where an administrator redirects all DNS queries to
> his own nameservers running unbound (and there are valid legal
> reasons why this redirection is necessary in a number of cases).
> Now all users of our software get FORMERRs. Well, the software
> fails closed, but some would prefer it to fail open.

You send malformed queries, it is normal to get error responses.  That
said, thank you for reporting that you need more lenience.

> And here is why I have chosen the additional section as the place
> for the user-tracking record: IETF did the same >10 years ago when
> the OPT record was standardized. They trusted the implementors of
> DNS servers to ignore stuff in the additional section that they
> don't understand (see
> http://en.wikipedia.org/wiki/Extension_mechanisms_for_DNS). And now
> unbound wastes this trust.

Your reference to wikipedia does not say that DNS servers ignore stuff
in the additional section, and that is why EDNS must be backwards
compatible (does not reply with EDNS OPT unless used in the query).
EDNS is defined in RFC 2671.  This RFC says that it is accepted
behaviour to signal non-support for a query with OPT with a FORMERR
response and that this behaviour is supposed to be handled by
requestors.  I was not around in the IETF at the time of the EDNS OPT
standardization, but they certainly did not count on servers ignoring
the OPT record.

The upcoming update of EDNS does not improve here, servers are
expected to behave even worse in the face of the additional OPT
record.  But, it does specify the future compatibility more (I believe).

> So in fact that's a general case of the "be liberal in what you 
> accept" rule. Yes, my software also has a bug that it does not
> retry without that user-tracking additional record on a FORMERR.

But you are correct that lenience is very important.  We strive for
that.  But I am unsure if my fix of unbound would help you, or if it
is a good idea to do so.  If that would help future compatibility to
ignore additional stuff.  Or if FORMERR is a better response to
indicate the query is malformed with additional stuff.

Best regards,

Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with undefined - http://www.enigmail.net/


More information about the Unbound-users mailing list