CNAME, NXDOMAIN & qname minimisation

Hauke Lampe lampe at hauke-lampe.de
Tue Aug 14 23:46:26 UTC 2018 

Hi.

I read reports about qname minimisation and SERVFAIL responses in the
list archive, but maybe this is different.

For me, the problem is NXDOMAIN responses for a CNAME query where the
CNAME itself exists but its target does not and the record is not in the
cache. Unbound version is 1.7.3.

I'm a bit unclear on what the correct response to explicit CNAME queries
should be. The queries are made by a script to find the right hostname
for dynamic updates.

On an empty cache, the query returns NXDOMAIN with the CNAME in the
answer section:

| # unbound-control flush_zone openchaos.org
| ok removed 31 rrsets, 12 messages and 4 key entries
|
| # dig _acme-challenge.dnsdist.openchaos.org. CNAME @10.42.22.4
|
| ; <<>> DiG 9.13.2 <<>> _acme-challenge.dnsdist.openchaos.org. CNAME
| ;; global options: +cmd
| ;; Got answer:
| ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 23947
| ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
|
| ;; OPT PSEUDOSECTION:
| ; EDNS: version: 0, flags:; udp: 65432
| ;; QUESTION SECTION:
| ;_acme-challenge.dnsdist.openchaos.org. IN CNAME
|
| ;; ANSWER SECTION:
| _acme-challenge.dnsdist.openchaos.org. 3600 IN CNAME
dnsdist._acme-challenge.openchaos.org.
|
| ;; AUTHORITY SECTION:
| _acme-challenge.openchaos.org. 60 IN    SOA     ns2.hauke-lampe.de.
hostmaster.hauke-lampe.de. 13 86400 10800 604800 60

The _acme-challenge subdomain is unsigned, so I guess that explains the
"DNSSEC LAME" messages in the log? Why is unbound trying to follow the
CNAME, anyway?

| unbound: 10.42.22.4 _acme-challenge.dnsdist.openchaos.org. CNAME IN
| unbound: resolving _acme-challenge.dnsdist.openchaos.org. CNAME IN
| unbound: resolving org. DNSKEY IN
| unbound: response for _acme-challenge.dnsdist.openchaos.org. CNAME IN
| unbound: reply from <org.> 199.19.53.1#53
| unbound: query response was REFERRAL
| unbound: resolving openchaos.org. DNSKEY IN
| unbound: response for _acme-challenge.dnsdist.openchaos.org. CNAME IN
| unbound: reply from <openchaos.org.> 2a01:4f8:141:282::e:1#53
| unbound: query response was ANSWER
| unbound: response for _acme-challenge.dnsdist.openchaos.org. CNAME IN
| unbound: reply from <openchaos.org.> 85.10.240.254#53
| unbound: query response was CNAME
| unbound: resolving _acme-challenge.dnsdist.openchaos.org. CNAME IN
| unbound: response for _acme-challenge.dnsdist.openchaos.org. CNAME IN
| unbound: reply from <openchaos.org.> 2a01:4f8:141:282::e:1#53
| unbound: query response was DNSSEC LAME
| unbound: response for openchaos.org. DNSKEY IN
| unbound: reply from <openchaos.org.> 89.18.172.35#53
| unbound: query response was ANSWER
| unbound: response for _acme-challenge.dnsdist.openchaos.org. CNAME IN
| unbound: reply from <openchaos.org.> 2400:6180:0:d0::12:6002#53
| unbound: query response was REFERRAL
| unbound: response for _acme-challenge.dnsdist.openchaos.org. CNAME IN
| unbound: reply from <_acme-challenge.openchaos.org.> 85.10.240.254#53
| unbound: query response was NXDOMAIN ANSWER
| unbound: validated DS openchaos.org. DS IN
| unbound: resolving openchaos.org. DNSKEY IN
| unbound: validated DNSKEY openchaos.org. DNSKEY IN
| unbound: validate(cname): sec_status_secure
| unbound: NSEC RRset for the referral proved no DS.
| unbound: Verified that unsigned response is INSECURE


A while later, the same query results in NOERROR (+ad flag) from the cache:

| # dig _acme-challenge.dnsdist.openchaos.org. CNAME @10.42.22.4
|
| ; <<>> DiG 9.13.2 <<>> _acme-challenge.dnsdist.openchaos.org. CNAME
| ;; global options: +cmd
| ;; Got answer:
| ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17071
| ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
|
| ;; OPT PSEUDOSECTION:
| ; EDNS: version: 0, flags:; udp: 65432
| ;; QUESTION SECTION:
| ;_acme-challenge.dnsdist.openchaos.org. IN CNAME
|
| ;; ANSWER SECTION:
| _acme-challenge.dnsdist.openchaos.org. 3426 IN CNAME
dnsdist._acme-challenge.openchaos.org.

| unbound: 10.42.22.4 _acme-challenge.dnsdist.openchaos.org. CNAME IN
| unbound: resolving _acme-challenge.dnsdist.openchaos.org. CNAME IN
| unbound: validate(positive): sec_status_secure
| unbound: validation success _acme-challenge.dnsdist.openchaos.org.
CNAME IN


With qname-minimisation disabled, the answer is always NOERROR. The log
suggests that unbound doesn't even try to follow the CNAME:

| unbound: 10.42.22.4 _acme-challenge.dnsdist.openchaos.org. CNAME IN
| unbound: resolving _acme-challenge.dnsdist.openchaos.org. CNAME IN
| unbound: resolving org. DNSKEY IN
| unbound: response for _acme-challenge.dnsdist.openchaos.org. CNAME IN
| unbound: reply from <org.> 2001:500:40::1#53
| unbound: query response was REFERRAL
| unbound: resolving openchaos.org. DNSKEY IN
| unbound: response for _acme-challenge.dnsdist.openchaos.org. CNAME IN
| unbound: reply from <openchaos.org.> 85.10.240.254#53
| unbound: query response was ANSWER
| unbound: validated DS openchaos.org. DS IN
| unbound: response for openchaos.org. DNSKEY IN
| unbound: reply from <openchaos.org.> 2605:6400:2:fed5:22:0:febc:b1d0#53
| unbound: query response was ANSWER
| unbound: validated DNSKEY openchaos.org. DNSKEY IN
| unbound: validate(positive): sec_status_secure
| unbound: validation success _acme-challenge.dnsdist.openchaos.org.
CNAME IN

( BIND 9.13.2 with "qname-minimization strict" also returns NOERROR )


Hauke.

More information about the Unbound-users mailing list