1.7.3: capsforid fallback response confusion
Ralph Dolmans
ralph at nlnetlabs.nl
Wed Aug 8 13:16:30 UTC 2018
Hi Alex,
QNAME minimisation was indeed not taken into consideration in the
caps-for-id fallback code. I committed a fix that should make it work.
Thanks,
-- Ralph
On 31-07-18 08:22, Alex Zorin via Unbound-users wrote:
> Hi,
>
> Came across the curious case of a domain that appears to cause Unbound to compare responses of different qtypes in process_response during caps-for-id fallback.
>
> This can be reproduced with Unbound 1.7.3 with qname-minimization (strict), and use-caps-for-id.
>
> $ unbound-host git.shifudao.com -t caa -v -C /usr/local/etc/unbound/unbound.conf -d -4
>
> Adding some logging within this scope: https://github.com/NLnetLabs/unbound/blob/8aa53f027d125a586796caeee2829ec8a18dd020/iterator/iterator.c#L3547
>
> log_dns_msg("response response->rep:", &iq->response->qinfo, iq->response->rep);
> log_dns_msg("response caps_reply:", &iq->response->qinfo, iq->caps_reply);
>
>
> shows to what appears to be Unbound comparing a CAA response (iq->response->rep) to an unrelated A response (iq->caps_reply) that appears to be involved due to qname-minimization.
>
> Since the two responses differ in their answer/authority, caps-for-id fallback fails and this results in a SERVFAIL.
>
> Output from working caps-for-id fallback: https://id-rsa.pub/good
> Output from failing caps-for-id fallback: https://id-rsa.pub/bad
>
> Any guidance?
>
> Thank you
>
> Alex
>
More information about the Unbound-users
mailing list