unbound replaces CNAME query with A query?

Petr Menšík pemensik at redhat.com
Thu Mar 30 18:52:08 UTC 2023


Correct me if I have understood this incorrectly: whether you query for 
CNAME or A should not make a difference to the NXDOMAIN status. But in any 
case the answer is not there. How does it change the ACME process when there 
is NXDOMAIN rather than just a no-answer NOERROR response?

_acme-challenge.bender-doh.applied-privacy.net exists with a CNAME. Its 
CNAME target returns NXDOMAIN. So yes, it is a bit confusing what the 
final result is. What exactly is the stub in this case? The libresolv library? 
getaddrinfo() cannot query CNAME itself; it can do that via an A query, however.

What is the point of querying just CNAME? Is there a specific reason for it?

Unbound seems proactive in fetching the actually useful record instead of just 
the intermediate CNAME. I am not sure that has to be strictly wrong. The 
result it delivers is similar: it says there is a CNAME and its target 
does not exist. It just seems the stub does not check the actual contents of 
the message, only the rcode. Can a stub resolver do anything useful with the 
information that there is a CNAME not leading to a final destination?

Note: it would be much easier if you could share a pcap containing 
the problem instead of only a text description.

On 3/26/23 18:29, Christoph via Unbound-users wrote:
> Hi,
>
> we are tracking/debugging [1][2] an issue that results in the failure of
> certificate renewal (ACME DNS challenge).
>
> If you ask unbound 1.17.1 the query shown below when it has an empty 
> cache you get an NXDOMAIN reply, if you ask it again you will get the 
> actual expected answer (NOERROR), PowerDNS Recursor does not have that 
> issue.
>
> Investigating the DNS traffic has also shown that
> the stub -> unbound CNAME query results in an unbound -> authoritative 
> A qtype query instead of a CNAME query.
>
> Can you reproduce this issue and confirm this is unexpected?
>
> thanks!
> Christoph
>
>
> dig _acme-challenge.bender-doh.applied-privacy.net CNAME
>
> ; <<>> DiG 9.18.13 <<>> _acme-challenge.bender-doh.applied-privacy.net 
> CNAME
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 20502
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 1232
> ;; QUESTION SECTION:
> ;_acme-challenge.bender-doh.applied-privacy.net.    IN CNAME
>
> ;; ANSWER SECTION:
> _acme-challenge.bender-doh.applied-privacy.net.    86400 IN CNAME 
> bender-doh.acme-dns-challenge.applied-privacy.net.
>
> ;; AUTHORITY SECTION:
> acme-dns-challenge.applied-privacy.net.    300 IN SOA get.desec.io. 
> get.desec.io. 2023035286 86400 3600 2419200 3600
>
> ;; Query time: 114 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
> ;; MSG SIZE  rcvd: 167
>
>
> #############################
> query (stub -> recursor):
> #############################
>
> Internet Protocol Version 4, Src: 127.0.0.1, Dst: 127.0.0.1
> Domain Name System (query)
>     Transaction ID: 0x5016
>     Flags: 0x0120 Standard query
>     Questions: 1
>     Answer RRs: 0
>     Authority RRs: 0
>     Additional RRs: 1
>     Queries
>         _acme-challenge.bender-doh.applied-privacy.net: type CNAME, 
> class IN
>             Name: _acme-challenge.bender-doh.applied-privacy.net
>             [Name Length: 46]
>             [Label Count: 4]
>             Type: CNAME (Canonical NAME for an alias) (5)
>             Class: IN (0x0001)
>     Additional records
>
>
> #############################
> response (unbound -> stub)
> #############################
>
> Domain Name System (response)
>     Transaction ID: 0x5016
>     Flags: 0x81a3 Standard query response, No such name
>     Questions: 1
>     Answer RRs: 1
>     Authority RRs: 1
>     Additional RRs: 1
>     Queries
>         _acme-challenge.bender-doh.applied-privacy.net: type CNAME, 
> class IN
>             Name: _acme-challenge.bender-doh.applied-privacy.net
>             [Name Length: 46]
>             [Label Count: 4]
>             Type: CNAME (Canonical NAME for an alias) (5)
>             Class: IN (0x0001)
>     Answers
>     Authoritative nameservers
>     Additional records
>
>
> #############################
> query: unbound -> authoritative  qtype: A? (instead of CNAME)
> #############################
>
> Internet Protocol Version 6, Dst: 2607:f740:e633:deec::2
> User Datagram Protocol, Src Port: 37183, Dst Port: 53
> Domain Name System (query)
>     Transaction ID: 0x46ba
>     Flags: 0x0010 Standard query
>     Questions: 1
>     Answer RRs: 0
>     Authority RRs: 0
>     Additional RRs: 1
>     Queries
>       _ACme-cHallENgE.BeNdEr-DOh.apPLIED-privacY.neT: type A, class IN
>             Name: _ACme-cHallENgE.BeNdEr-DOh.apPLIED-privacY.neT
>             [Name Length: 46]
>             [Label Count: 4]
>             Type: A (Host Address) (1) <<<<<<<<<
>             Class: IN (0x0001)
>     Additional records
>     [Response In: 2688]
>
>
> #############################
> response: authoritative -> unbound
> #############################
>
> Domain Name System (response)
>     Transaction ID: 0x46ba
>     Flags: 0x8403 Standard query response, No such name
>     Questions: 1
>     Answer RRs: 2
>     Authority RRs: 6
>     Additional RRs: 1
>     Queries
>         _ACme-cHallENgE.BeNdEr-DOh.apPLIED-privacY.neT: type A, class IN
>             Name: _ACme-cHallENgE.BeNdEr-DOh.apPLIED-privacY.neT
>             [Name Length: 46]
>             [Label Count: 4]
>             Type: A (Host Address) (1)
>             Class: IN (0x0001)
>     Answers
>         _ACme-cHallENgE.BeNdEr-DOh.apPLIED-privacY.neT: type CNAME, 
> class IN, cname bender-doh.acme-dns-challenge.apPLIED-privacY.neT
>             Name: _ACme-cHallENgE.BeNdEr-DOh.apPLIED-privacY.neT
>             Type: CNAME (Canonical NAME for an alias) (5)
>             Class: IN (0x0001)
>             Time to live: 86400 (1 day)
>             Data length: 32
>             CNAME: bender-doh.acme-dns-challenge.apPLIED-privacY.neT
>         _ACme-cHallENgE.BeNdEr-DOh.apPLIED-privacY.neT: type RRSIG, 
> class IN
>             Name: _ACme-cHallENgE.BeNdEr-DOh.apPLIED-privacY.neT
>             Type: RRSIG (Resource Record Signature) (46)
>             Class: IN (0x0001)
>             Time to live: 86400 (1 day)
>             Data length: 103
>             Type Covered: CNAME (Canonical NAME for an alias) (5)
>             Algorithm: ECDSA Curve P-256 with SHA-256 (13)
>             Labels: 4
>             Original TTL: 86400 (1 day)
>             Signature Expiration: Apr  6, 2023 02:00:00.000000000 CEST
>             Signature Inception: Mar 16, 2023 01:00:00.000000000 CET
>             Key Tag: 38828
>             Signer's name: applied-privacy.net
>             Signature: 
> 6ccde8920251717107ff82cbe6edbeda2723c8604f42d6914af643c2a84f5489db8e6972…
>     Authoritative nameservers
>     Additional records
>
>
> ################################
> same query to a PowerDNS Recursor
> results in the expected NOERROR
> ################################
>
> dig @109.70.100.136 _acme-challenge.bender-doh.applied-privacy.net CNAME
>
> ; <<>> DiG 9.18.13 <<>> @109.70.100.136 
> _acme-challenge.bender-doh.applied-privacy.net CNAME
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51569
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 512
> ;; QUESTION SECTION:
> ;_acme-challenge.bender-doh.applied-privacy.net.    IN CNAME
>
> ;; ANSWER SECTION:
> _acme-challenge.bender-doh.applied-privacy.net.    86400 IN CNAME 
> bender-doh.acme-dns-challenge.applied-privacy.net.
>
> ;; Query time: 40 msec
> ;; SERVER: 109.70.100.136#53(109.70.100.136) (UDP)
> ;; MSG SIZE  rcvd: 119
>
>
> [1] 
> https://mailman.powerdns.com/pipermail/pdns-users/2023-March/028156.html
> [2] https://github.com/go-acme/lego/issues/1739
>
-- 
Petr Menšík
Software Engineer, RHEL
Red Hat, https://www.redhat.com/
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
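The point raised above, that the stub appears to act on the rcode alone while the answer section already carries the CNAME, can be shown with a small wire-format walkthrough. The script below is an added example for this thread; it is not Unbound, PowerDNS Recursor or lego code. It constructs two replies in code that mirror the dig output quoted above (Unbound's NXDOMAIN reply that still holds the CNAME in its answer section, and PowerDNS Recursor's NOERROR reply with the same CNAME), then compares a naive rcode-only stub (`rcode_only`, a hypothetical name) with a stub that walks the CNAME chain first (`interpret`, also hypothetical). The message IDs, TTLs, SOA fields and names are copied from the thread; nothing is sent over the network.

```python
"""Interpret a CNAME-type DNS reply by its answer section, not its rcode alone.
Added example for this thread (not Unbound, PowerDNS or lego code); the two
replies are constructed here to match the quoted dig output."""
import struct

TYPE_CNAME, TYPE_SOA = 5, 6
RCODE_NOERROR, RCODE_NXDOMAIN = 0, 3


def encode_name(name):
    """Wire-encode a dotted name as length-prefixed labels (no compression)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(msg, off):
    """Decode the name at msg[off], following RFC 1035 compression pointers.
    Returns (dotted name, offset just past the name as it appeared at off)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # 2-byte pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (off if end is None else end)


def build_response(qname, qtype, rcode, answer, authority=()):
    """Minimal response with QR|RD|RA|AD set; RRs are (owner, type, ttl, rdata)."""
    flags = 0x8000 | 0x0100 | 0x0080 | 0x0020 | (rcode & 0xF)   # 0x81a3 when NXDOMAIN
    msg = struct.pack("!HHHHHH", 0x5016, flags, 1, len(answer), len(authority), 0)
    msg += encode_name(qname) + struct.pack("!HH", qtype, 1)
    for owner, rtype, ttl, rdata in list(answer) + list(authority):
        msg += encode_name(owner) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata
    return msg


def parse_message(msg):
    """Parse header, first question and the RR sections. RRs come back as
    (owner, type, ttl, rdata_offset, rdlength) so name-bearing rdata (CNAME, SOA)
    can be decoded against the whole message, pointers included."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions, sections = 12, [], []
    for _ in range(qd):
        name, off = decode_name(msg, off)
        qtype, _ = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype))
    for count in (an, ns, ar):
        rrs = []
        for _ in range(count):
            owner, off = decode_name(msg, off)
            rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            rrs.append((owner, rtype, ttl, off, rdlen))
            off += rdlen
        sections.append(rrs)
    return {"rcode": flags & 0xF, "question": questions[0],
            "answer": sections[0], "authority": sections[1], "additional": sections[2]}


def rcode_only(msg):
    """The stub behaviour discussed in the thread: trust the rcode, read nothing else."""
    return "nxdomain" if parse_message(msg)["rcode"] == RCODE_NXDOMAIN else "noerror"


def interpret(msg):
    """Walk the CNAME chain in the answer section before trusting the rcode.
    Returns (status, first CNAME target or None, rcode). Owners are compared
    case-insensitively; a CNAME loop in the answer is cut off via `seen`."""
    m = parse_message(msg)
    qname, qtype = m["question"]
    owner, chain, seen = qname.lower(), [], set()
    while owner not in seen:
        seen.add(owner)
        rr = next((r for r in m["answer"] if r[0].lower() == owner and r[1] == TYPE_CNAME), None)
        if rr is None:
            break
        target, _ = decode_name(msg, rr[3])
        chain.append(target)
        owner = target.lower()
    if qtype == TYPE_CNAME and chain:
        # The question is answered: qname exists and is an alias. An NXDOMAIN
        # rcode here describes the end of the chain, not qname itself.
        return "cname", chain[0], m["rcode"]
    if m["rcode"] == RCODE_NXDOMAIN:
        return "nxdomain", None, m["rcode"]
    return "noerror", None, m["rcode"]


# Constructed replies mirroring the dig output quoted in the thread.
QNAME = "_acme-challenge.bender-doh.applied-privacy.net."
TARGET = "bender-doh.acme-dns-challenge.applied-privacy.net."
SOA_RDATA = (encode_name("get.desec.io.") + encode_name("get.desec.io.")
             + struct.pack("!IIIII", 2023035286, 86400, 3600, 2419200, 3600))
UNBOUND_REPLY = build_response(QNAME, TYPE_CNAME, RCODE_NXDOMAIN,
                               [(QNAME, TYPE_CNAME, 86400, encode_name(TARGET))],
                               [("acme-dns-challenge.applied-privacy.net.", TYPE_SOA, 300, SOA_RDATA)])
PDNS_REPLY = build_response(QNAME, TYPE_CNAME, RCODE_NOERROR,
                            [(QNAME, TYPE_CNAME, 86400, encode_name(TARGET))])

if __name__ == "__main__":
    for label, reply in (("unbound", UNBOUND_REPLY), ("pdns", PDNS_REPLY)):
        print(label, "rcode-only:", rcode_only(reply), "| answer-aware:", interpret(reply))
```

Run stand-alone, the rcode-only view calls Unbound's reply "nxdomain" and PowerDNS's "noerror", while the answer-aware view returns the same CNAME target for both; only the trailing rcode differs. That is the gap between "the name does not exist" and "the name is an alias whose target does not exist" that the messages above are circling.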


