unbound replaces CNAME query with A query?
Petr Menšík
pemensik at redhat.com
Fri Mar 31 14:45:15 UTC 2023
On 3/31/23 16:09, Tuomo Soini wrote:
> On Fri, 31 Mar 2023 15:57:46 +0200
> Petr Menšík <pemensik at redhat.com> wrote:
>
>
> I have tried on my unbound and it never returns NXDOMAIN to me. The
> result is the same with kdig or dig, that makes no difference. I get
> NOERROR, not NXDOMAIN.
> All unbounds here are without forwarders set up; is that the difference?
I have tried it inside a Rawhide container.
# unbound-control forward
off (using root hints)
# dig @localhost cnametest.bleve.fi. CNAME
; <<>> DiG 9.18.13 <<>> @localhost cnametest.bleve.fi. CNAME
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55072
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;cnametest.bleve.fi. IN CNAME
;; ANSWER SECTION:
cnametest.bleve.fi. 7118 IN CNAME nxdomain.foobar.fi.
;; Query time: 0 msec
;; SERVER: ::1#53(localhost) (UDP)
;; WHEN: Fri Mar 31 16:20:26 CEST 2023
;; MSG SIZE rcvd: 77
Just after a fresh restart it is NOERROR, as it is later. Indeed, the
query unbound sends for cnametest.bleve.fi is an A? query. But the response
delivered to dig is a correct one. Tested with unbound-1.17.1-2.fc38.x86_64.
Frame 641: 89 bytes on wire (712 bits), 89 bytes captured (712 bits) on interface virbr0, id 0
Ethernet II, Src: 7e:85:92:43:88:71 (7e:85:92:43:88:71), Dst: RealtekU_02:bd:85 (52:54:00:02:bd:85)
Internet Protocol Version 4, Src: 192.168.122.184, Dst: 87.239.120.11
User Datagram Protocol, Src Port: 46986, Dst Port: 53
Domain Name System (query)
    Transaction ID: 0x4302
    Flags: 0x0010 Standard query
    Questions: 1
    Answer RRs: 0
    Authority RRs: 0
    Additional RRs: 1
    Queries
        cnametest.bleve.fi: type A, class IN
    Additional records
    [Response In: 719]
It responds to that with the nameservers of bleve.fi. But to those servers it
already sends a CNAME query, not A?. Attaching my pcap.
When I did dig @localhost ns bleve.fi. before cnametest, it returned
SERVFAIL the first time. Only then did it respond with NOERROR. So no, I
do not know how to get an NXDOMAIN response from unbound. I get similar
results for the original query.
>> $ kdig cnametest.bleve.fi. CNAME | head -2
>> ;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 35718
>> ;; Flags: qr rd ra ad; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL:
>> 0
>>
>> dnsmasq does not handle CNAMEs at all. It requires an upstream recursive
>> server to do the job and just passes the result to a client. bind can
>> do a proper iteration job from root hints, however.
>>
>> If it is a bug, I would suggest creating issue at
>> https://github.com/NLnetLabs/unbound/
>>
>> But maybe more precise steps should be described for when it returns
>> NXDOMAIN. Just flushing the cache and doing your query does not seem
>> to be enough for me.
--
Petr Menšík
Software Engineer, RHEL
Red Hat, https://www.redhat.com/
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
-------------- next part --------------
A non-text attachment was scrubbed...
Name: cnametest-bleve.fi-filtered.pcapng
Type: application/x-pcapng
Size: 6764 bytes
Desc: not available
URL: <http://lists.nlnetlabs.nl/pipermail/unbound-users/attachments/20230331/9844401b/attachment-0001.bin>
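The thread above turns on two facts that are only visible on the wire: which QTYPE and header flags unbound put in the query it sent upstream, and what rcode and answer section came back to dig. The following is an added example, written for this page and not code from the post, from Unbound or from dig. It is a stdlib-only DNS wire-format encoder and parser that rebuilds both messages from the values printed in the thread (transaction ID 0x4302 with flags 0x0010 for the upstream A query; ID 55072 with flags qr rd ra ad, one CNAME RR and a 77-byte message for the answer) and decodes them back into dig's vocabulary. The byte strings are constructed here rather than read from the attached pcap; the EDNS UDP size of 1232, the empty OPT RR, and the two compression pointers in the answer are assumptions (chosen so that the sizes come out to the 47 DNS bytes of the 89-byte frame and the 77 bytes dig reported).

```python
import struct

TYPE_A, TYPE_NS, TYPE_CNAME, TYPE_OPT, CLASS_IN = 1, 2, 5, 41, 1
TYPE_NAMES = {TYPE_A: "A", TYPE_NS: "NS", TYPE_CNAME: "CNAME", TYPE_OPT: "OPT"}
RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN"}
# Header flag bits (RFC 1035 section 4.1.1; AD and CD from RFC 4035).
FLAG_QR, FLAG_RD, FLAG_RA, FLAG_AD, FLAG_CD = 0x8000, 0x0100, 0x0080, 0x0020, 0x0010


def encode_name(name):
    """Encode a dotted name as uncompressed labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def decode_name(msg, off):
    """Decode a possibly compressed name; return (name, offset just past it)."""
    labels, end = [], None
    for _ in range(128):  # bounded walk: a malicious pointer loop must not hang us
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    else:
        raise ValueError("compression pointer loop")
    return ".".join(labels) + ".", end if end is not None else off


def opt_rr(udp_size):
    """Empty OPT pseudo-RR: root owner, 'class' carries the UDP payload size, no options."""
    return b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, 0, 0)


def build_query(txid, flags, qname, qtype, udp_size=1232):
    """Header + one question + OPT (the 'Additional RRs: 1' in the capture). udp_size is assumed."""
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1)
    return header + encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN) + opt_rr(udp_size)


def build_response(txid, flags, qname, qtype, answer_rrs, udp_size=1232):
    """answer_rrs: list of (owner_bytes, rtype, ttl, rdata_bytes), already wire-encoded."""
    header = struct.pack("!HHHHHH", txid, flags, 1, len(answer_rrs), 0, 1)
    body = encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)
    for owner, rtype, ttl, rdata in answer_rrs:
        body += owner + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rdata)) + rdata
    return header + body + opt_rr(udp_size)


def parse_message(msg):
    """Decode header flags, rcode, questions and RR sections the way dig prints them."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions = 12, []
    for _ in range(qd):
        name, off = decode_name(msg, off)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, TYPE_NAMES.get(qtype, qtype)))

    def read_rrs(count, off):
        rrs = []
        for _ in range(count):
            name, off = decode_name(msg, off)
            rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            rdata = msg[off:off + rdlen]
            if rtype in (TYPE_CNAME, TYPE_NS):  # rdata is a name, possibly compressed
                rdata, _ = decode_name(msg, off)
            off += rdlen
            rrs.append((name, ttl, TYPE_NAMES.get(rtype, rtype), rdata))
        return rrs, off

    answer, off = read_rrs(an, off)
    authority, off = read_rrs(ns, off)
    additional, off = read_rrs(ar, off)
    names = (("qr", FLAG_QR), ("rd", FLAG_RD), ("ra", FLAG_RA), ("ad", FLAG_AD), ("cd", FLAG_CD))
    return {"id": txid, "flags": [n for n, b in names if flags & b],
            "rcode": RCODE_NAMES.get(flags & 0xF, flags & 0xF), "questions": questions,
            "answer": answer, "authority": authority, "additional": additional}


# Frame 641 in the post: 89 bytes on wire = 14 Ethernet + 20 IPv4 + 8 UDP + 47 bytes of DNS.
UPSTREAM_QUERY = build_query(0x4302, 0x0010, "cnametest.bleve.fi.", TYPE_A)
# dig's answer: id 55072, flags qr rd ra ad, ANSWER 1, ADDITIONAL 1, MSG SIZE 77. Assumed
# compression: owner name -> question at offset 12, CNAME target reuses "fi" at offset 28.
DIG_ANSWER = build_response(
    55072, FLAG_QR | FLAG_RD | FLAG_RA | FLAG_AD, "cnametest.bleve.fi.", TYPE_CNAME,
    [(struct.pack("!H", 0xC000 | 12), TYPE_CNAME, 7118,
      b"\x08nxdomain\x06foobar" + struct.pack("!H", 0xC000 | 28))])

if __name__ == "__main__":
    for msg in (UPSTREAM_QUERY, DIG_ANSWER):
        print(len(msg), "bytes:", parse_message(msg))
```

Decoding the upstream query shows what the Wireshark summary line hides: flags 0x0010 is CD set and RD clear, i.e. an iterative query with DNSSEC checking disabled, and its QTYPE is A even though the client asked for CNAME. To apply `parse_message` to the real capture instead of the constructed bytes, one way is to export the UDP payloads with `tshark -r cnametest-bleve.fi-filtered.pcapng -Y dns -T fields -e udp.payload` and feed each hex string through `bytes.fromhex`.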