1.7.3: capsforid fallback response confusion

Ralph Dolmans ralph at nlnetlabs.nl
Wed Aug 8 13:16:30 UTC 2018


Hi Alex,

QNAME minimisation was indeed not taken into consideration in the
caps-for-id fallback code. I committed a fix that should make it work.

Thanks,
-- Ralph

On 31-07-18 08:22, Alex Zorin via Unbound-users wrote:
> Hi,
> 
> Came across the curious case of a domain that appears to cause Unbound to compare responses of different qtypes in process_response during caps-for-id fallback.
> 
> This can be reproduced with Unbound 1.7.3 with qname-minimization (strict), and use-caps-for-id. 
> 
> $ unbound-host git.shifudao.com -t caa -v -C /usr/local/etc/unbound/unbound.conf -d -4 
> 
> Adding some logging within this scope: https://github.com/NLnetLabs/unbound/blob/8aa53f027d125a586796caeee2829ec8a18dd020/iterator/iterator.c#L3547
> 
>                         log_dns_msg("response response->rep:", &iq->response->qinfo, iq->response->rep);
>                         log_dns_msg("response caps_reply:", &iq->response->qinfo, iq->caps_reply);
> 
> 
> shows what appears to be Unbound comparing a CAA response (iq->response->rep) to an unrelated A response (iq->caps_reply) that appears to be involved due to qname-minimization.
> 
> Since the two responses differ in their answer/authority, caps-for-id fallback fails and this results in a SERVFAIL.
> 
> Output from working caps-for-id fallback: https://id-rsa.pub/good
> Output from failing caps-for-id fallback: https://id-rsa.pub/bad
> 
> Any guidance?
> 
> Thank you
> 
> Alex
> 
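The guard the report implies, as an added example in C that is not from this thread and not Unbound's actual code or its committed fix: the struct, function names and sample replies are constructed, and the replies are compared only when their question sections agree.

```c
/* Added example, not Unbound code: in a caps-for-id fallback, only compare
 * two replies when they answer the same question. */
#include <stdio.h>
#include <string.h>

struct reply {                 /* minimal stand-in for a DNS reply */
    const char *qname;         /* question name; assumed canonical lowercase */
    unsigned short qtype;      /* 1 = A, 257 = CAA */
    unsigned short qclass;     /* 1 = IN */
    int nrr;                   /* number of answer+authority RRs */
    const char *rr[4];         /* RRs in presentation format, pre-sorted */
};

enum caps_result {
    CAPS_DIFFERENT_QUESTION,   /* stored reply is for another qname/qtype: skip it */
    CAPS_SAME_ANSWER,          /* identical data: fallback succeeds */
    CAPS_ANSWER_DIFFERS        /* same question, different data: real mismatch */
};

static int same_question(const struct reply *a, const struct reply *b)
{
    return a->qtype == b->qtype && a->qclass == b->qclass
        && strcmp(a->qname, b->qname) == 0;
}

/* Question check first: a reply kept from an earlier, differently typed
 * (e.g. qname-minimised) query is not evidence of a spoofed answer. */
enum caps_result caps_compare(const struct reply *caps_reply, const struct reply *resp)
{
    if (!same_question(caps_reply, resp))
        return CAPS_DIFFERENT_QUESTION;
    if (caps_reply->nrr != resp->nrr)
        return CAPS_ANSWER_DIFFERS;
    for (int i = 0; i < resp->nrr; i++)
        if (strcmp(caps_reply->rr[i], resp->rr[i]) != 0)
            return CAPS_ANSWER_DIFFERS;
    return CAPS_SAME_ANSWER;
}

int main(void)
{
    /* Constructed sample replies, not captures from the domain in the report. */
    struct reply a_reply = { "shifudao.com.", 1, 1, 1, { "shifudao.com. 300 IN A 192.0.2.10" } };
    struct reply caa_reply = { "git.shifudao.com.", 257, 1, 1,
        { "shifudao.com. 300 IN SOA ns1.example. host.example. 1 2 3 4 5" } };
    /* 0 = different question (skip), 1 = same answer, 2 = answer differs */
    printf("A vs CAA reply: %d\n", caps_compare(&a_reply, &caa_reply));      /* 0 */
    printf("CAA vs itself:  %d\n", caps_compare(&caa_reply, &caa_reply));    /* 1 */
    return 0;
}
```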
