CNAME, NXDOMAIN & qname minimisation
Hauke Lampe
lampe at hauke-lampe.de
Tue Aug 14 23:46:26 UTC 2018
Hi.
I read reports about qname minimisation and SERVFAIL responses in the
list archive, but maybe this is different.
For me, the problem is NXDOMAIN responses for a CNAME query where the
CNAME itself exists but its target does not and the record is not in the
cache. Unbound version is 1.7.3.
I'm a bit unclear on what the correct response to explicit CNAME queries
should be. The queries are made by a script to find the right hostname
for dynamic updates.
On an empty cache, the query returns NXDOMAIN with the CNAME in the
answer section:
| # unbound-control flush_zone openchaos.org
| ok removed 31 rrsets, 12 messages and 4 key entries
|
| # dig _acme-challenge.dnsdist.openchaos.org. CNAME @10.42.22.4
|
| ; <<>> DiG 9.13.2 <<>> _acme-challenge.dnsdist.openchaos.org. CNAME
| ;; global options: +cmd
| ;; Got answer:
| ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 23947
| ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
|
| ;; OPT PSEUDOSECTION:
| ; EDNS: version: 0, flags:; udp: 65432
| ;; QUESTION SECTION:
| ;_acme-challenge.dnsdist.openchaos.org. IN CNAME
|
| ;; ANSWER SECTION:
| _acme-challenge.dnsdist.openchaos.org. 3600 IN CNAME
dnsdist._acme-challenge.openchaos.org.
|
| ;; AUTHORITY SECTION:
| _acme-challenge.openchaos.org. 60 IN SOA ns2.hauke-lampe.de.
hostmaster.hauke-lampe.de. 13 86400 10800 604800 60
The _acme-challenge subdomain is unsigned, so I guess that explains the
"DNSSEC LAME" messages in the log? Why is unbound trying to follow the
CNAME, anyway?
| unbound: 10.42.22.4 _acme-challenge.dnsdist.openchaos.org. CNAME IN
| unbound: resolving _acme-challenge.dnsdist.openchaos.org. CNAME IN
| unbound: resolving org. DNSKEY IN
| unbound: response for _acme-challenge.dnsdist.openchaos.org. CNAME IN
| unbound: reply from <org.> 199.19.53.1#53
| unbound: query response was REFERRAL
| unbound: resolving openchaos.org. DNSKEY IN
| unbound: response for _acme-challenge.dnsdist.openchaos.org. CNAME IN
| unbound: reply from <openchaos.org.> 2a01:4f8:141:282::e:1#53
| unbound: query response was ANSWER
| unbound: response for _acme-challenge.dnsdist.openchaos.org. CNAME IN
| unbound: reply from <openchaos.org.> 85.10.240.254#53
| unbound: query response was CNAME
| unbound: resolving _acme-challenge.dnsdist.openchaos.org. CNAME IN
| unbound: response for _acme-challenge.dnsdist.openchaos.org. CNAME IN
| unbound: reply from <openchaos.org.> 2a01:4f8:141:282::e:1#53
| unbound: query response was DNSSEC LAME
| unbound: response for openchaos.org. DNSKEY IN
| unbound: reply from <openchaos.org.> 89.18.172.35#53
| unbound: query response was ANSWER
| unbound: response for _acme-challenge.dnsdist.openchaos.org. CNAME IN
| unbound: reply from <openchaos.org.> 2400:6180:0:d0::12:6002#53
| unbound: query response was REFERRAL
| unbound: response for _acme-challenge.dnsdist.openchaos.org. CNAME IN
| unbound: reply from <_acme-challenge.openchaos.org.> 85.10.240.254#53
| unbound: query response was NXDOMAIN ANSWER
| unbound: validated DS openchaos.org. DS IN
| unbound: resolving openchaos.org. DNSKEY IN
| unbound: validated DNSKEY openchaos.org. DNSKEY IN
| unbound: validate(cname): sec_status_secure
| unbound: NSEC RRset for the referral proved no DS.
| unbound: Verified that unsigned response is INSECURE
A while later, the same query results in NOERROR (+ad flag) from the cache:
| # dig _acme-challenge.dnsdist.openchaos.org. CNAME @10.42.22.4
|
| ; <<>> DiG 9.13.2 <<>> _acme-challenge.dnsdist.openchaos.org. CNAME
| ;; global options: +cmd
| ;; Got answer:
| ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17071
| ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
|
| ;; OPT PSEUDOSECTION:
| ; EDNS: version: 0, flags:; udp: 65432
| ;; QUESTION SECTION:
| ;_acme-challenge.dnsdist.openchaos.org. IN CNAME
|
| ;; ANSWER SECTION:
| _acme-challenge.dnsdist.openchaos.org. 3426 IN CNAME
dnsdist._acme-challenge.openchaos.org.
| unbound: 10.42.22.4 _acme-challenge.dnsdist.openchaos.org. CNAME IN
| unbound: resolving _acme-challenge.dnsdist.openchaos.org. CNAME IN
| unbound: validate(positive): sec_status_secure
| unbound: validation success _acme-challenge.dnsdist.openchaos.org.
CNAME IN
With qname-minimisation disabled, the answer is always NOERROR. The log
suggests that unbound doesn't even try to follow the CNAME:
| unbound: 10.42.22.4 _acme-challenge.dnsdist.openchaos.org. CNAME IN
| unbound: resolving _acme-challenge.dnsdist.openchaos.org. CNAME IN
| unbound: resolving org. DNSKEY IN
| unbound: response for _acme-challenge.dnsdist.openchaos.org. CNAME IN
| unbound: reply from <org.> 2001:500:40::1#53
| unbound: query response was REFERRAL
| unbound: resolving openchaos.org. DNSKEY IN
| unbound: response for _acme-challenge.dnsdist.openchaos.org. CNAME IN
| unbound: reply from <openchaos.org.> 85.10.240.254#53
| unbound: query response was ANSWER
| unbound: validated DS openchaos.org. DS IN
| unbound: response for openchaos.org. DNSKEY IN
| unbound: reply from <openchaos.org.> 2605:6400:2:fed5:22:0:febc:b1d0#53
| unbound: query response was ANSWER
| unbound: validated DNSKEY openchaos.org. DNSKEY IN
| unbound: validate(positive): sec_status_secure
| unbound: validation success _acme-challenge.dnsdist.openchaos.org.
CNAME IN
( BIND 9.13.2 with "qname-minimization strict" also returns NOERROR )
Hauke.
More information about the Unbound-users
mailing list