Maintained by: NLnet Labs

[Unbound-users] Unbound returns invalid response? NODATA without SOA

Hauke Lampe
Tue Dec 8 09:15:44 CET 2009


Hello.

I use Unbound as a forwarder for BIND and see frequent errors, where
BIND won't accept some answers from Unbound and I wonder which of the
two is at fault. I think it's a bug in Unbound:

> named[15751]: DNS format error from 85.10.240.249#53 resolving 73.84.in-addr.arpa/DS for client 127.0.0.1#33864: invalid response
> named[15751]: error (FORMERR) resolving '73.84.in-addr.arpa/DS/IN': 85.10.240.249#53
> named[15751]: client 127.0.0.1#33864: query failed (SERVFAIL) for 73.84.in-addr.arpa/IN/DS at query.c:4671

The server runs Unbound 1.4.0 with 0x20, harden-glue and
harden-referral-path enabled.

Client is BIND 9.7.0b3 with "edns-udp-size 512". I know, DNSSEC requires
at least EDNS at 1200. Unfortunately, packet filters at both my mobile
broadband providers still disagree and drop UDP DNS responses larger
than 512 bytes.

Unbound returns a cached answer containing only one NSEC record and no
SOA, but does not set the truncation bit:

> # dig +dnssec +cdflag +bufsize=512 73.84.in-addr.arpa ds @85.10.240.249
> 
> ; <<>> DiG 9.7.0b3 <<>> +dnssec +cdflag +bufsize=512 73.84.in-addr.arpa ds @85.10.240.249
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22003
> ;; flags: qr rd ra cd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;73.84.in-addr.arpa.            IN      DS
> 
> ;; AUTHORITY SECTION:
> 73.84.in-addr.arpa.     7079    IN      NSEC    74.84.in-addr.arpa. NS RRSIG NSEC
> 73.84.in-addr.arpa.     7079    IN      RRSIG   NSEC 5 4 7200 20100106163918 20091207163918 11541 84.in-addr.arpa. HxMJQMC0cn3iigPd3f16I0qP0td/pSU9QCgeiJ0IrIY96isdnfpFiDVy NY+HWaiJPhxfCb+X/kT5GHTrLOlfPGeGmcbxJgoeV3xba3tJo2MSamna wbfvR02rbcVmFrB8OAhW0z+JXFUT9hDFJPVGrbszQBM2TFtNWGz6JtDM Q73GowBcnQ8pkhv344G00SuOCnhTTXxF
> 
> ;; Query time: 50 msec
> ;; SERVER: 85.10.240.249#53(85.10.240.249)
> ;; WHEN: Mon Dec  7 21:30:17 2009
> ;; MSG SIZE  rcvd: 284

My first theory was that Unbound for some reason only caches a small
part of the answer because of the client's restriction to 512 byte
responses.

After a restart, though, Unbound sets TC and returns the parent SOA,
even if queried with EDNS at 512:

> # dig +ignore +dnssec +cdflag +bufsize=512 73.84.in-addr.arpa ds @85.10.240.249
[...]
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3226
> ;; flags: qr tc rd ra cd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 1
> 
[...]
> ;; AUTHORITY SECTION:
> 84.in-addr.arpa.        7200    IN      SOA     ns-pri.ripe.net. dns-help.ripe.net. 2009120781 3600 7200 1209600 7200
> 84.in-addr.arpa.        7200    IN      RRSIG   SOA 5 3 172800 20100106183919 20091207183919 11541 84.in-addr.arpa. ujrFsPTsU4CecJXxrPxtPDyzW/7begzfOwgsfMMaYBXwfNkb0k3avBbe +d8NXQNA2VdnBVO5O8tUxcSe7M/ECtYzNll3Yil+5gaDyRcYi9QfSjLD +DzEPZV5eUJv8CjHKxVhRLCvxO4llXYK5FvThLsS91PGbNC5DcW6QfTF ViRe1+QYaYRP/T9ORi/3cy8uqlak3uAU

Is the SOA record required for NODATA responses?



Hauke.
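The check BIND is effectively applying here (a NOERROR response with an empty answer section, no TC bit and no SOA in the authority section) can be reproduced against raw DNS wire messages. The following is an added example, not code from the post or from Unbound or BIND: a small parser for the DNS header, question and authority sections (including compression pointers), plus a classifier that labels a response as truncated, NODATA with SOA, or NODATA without SOA. The sample messages are constructed to mirror the two dig outputs above (same names, TTLs and SOA values; RRSIGs and the OPT record left out), and the function and constant names are the example's own.

```python
import struct

# RR types and header flag bits used below (values from the DNS parameter registry)
TYPE_SOA, TYPE_NSEC, TYPE_DS = 6, 47, 43
FLAG_QR, FLAG_TC, FLAG_RD, FLAG_RA, FLAG_CD = 0x8000, 0x0200, 0x0100, 0x0080, 0x0010


def encode_name(name):
    """Wire-encode a dotted name as uncompressed labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, off):
    """Decode a (possibly compressed) name at msg[off]; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                # compression pointer (RFC 1035 4.1.4)
            if end is None:
                end = off + 2                # the name ends after the first pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 64:                    # refuse pointer loops in hostile input
                raise ValueError("compression loop")
            continue
        off += 1
        if ln == 0:
            return ".".join(labels) + ".", (end if end is not None else off)
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln


def build_response(ident, flags, qname, qtype, authority):
    """Build a response with one question, an empty answer and the given authority RRs.
    Each RR is (owner, rtype, ttl, rdata); owner is a str or raw bytes (e.g. a pointer)."""
    msg = struct.pack("!HHHHHH", ident, flags, 1, 0, len(authority), 0)
    msg += encode_name(qname) + struct.pack("!HH", qtype, 1)
    for owner, rtype, ttl, rdata in authority:
        msg += owner if isinstance(owner, bytes) else encode_name(owner)
        msg += struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata
    return msg


def parse_response(msg):
    """Parse header, question, answer and authority sections of a wire-format message."""
    ident, flags, qd, an, ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                      # skip the question section
        _, off = decode_name(msg, off)
        off += 4                             # QTYPE + QCLASS

    def read_rrs(count, off):
        rrs = []
        for _ in range(count):
            owner, off = decode_name(msg, off)
            rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            rrs.append((owner, rtype, ttl, msg[off:off + rdlen]))
            off += rdlen
        return rrs, off

    answer, off = read_rrs(an, off)
    authority, off = read_rrs(ns, off)
    return {"id": ident, "flags": flags, "rcode": flags & 0x000F,
            "answer": answer, "authority": authority}


def classify(msg):
    """Label a response the way a strict client would see it."""
    r = parse_response(msg)
    if r["rcode"] != 0 or r["answer"]:
        return "not-nodata"
    if r["flags"] & FLAG_TC:
        return "truncated"                   # incomplete answer; the client retries over TCP
    if any(rtype == TYPE_SOA for _, rtype, _, _ in r["authority"]):
        return "nodata-with-soa"
    return "nodata-without-soa"              # the shape BIND logged as FORMERR


# Constructed samples modelled on the two dig outputs in the post (RRSIGs and OPT omitted).
QNAME = "73.84.in-addr.arpa."
NSEC_RDATA = encode_name("74.84.in-addr.arpa.") + b"\x00\x06\x20\x00\x00\x00\x00\x03"  # NS RRSIG NSEC
SOA_RDATA = (encode_name("ns-pri.ripe.net.") + encode_name("dns-help.ripe.net.")
             + struct.pack("!IIIII", 2009120781, 3600, 7200, 1209600, 7200))
BASE_FLAGS = FLAG_QR | FLAG_RD | FLAG_RA | FLAG_CD      # "qr rd ra cd"
PTR_TO_QNAME = b"\xc0\x0c"                   # compression pointer to the question name at offset 12


def sample(with_soa, truncated):
    """Build the cached-answer shape (no SOA, no TC) or the post-restart shape (SOA + TC)."""
    flags = BASE_FLAGS | (FLAG_TC if truncated else 0)
    auth = [(PTR_TO_QNAME, TYPE_NSEC, 7079, NSEC_RDATA)]
    if with_soa:
        auth.append(("84.in-addr.arpa.", TYPE_SOA, 7200, SOA_RDATA))
    return build_response(22003, flags, QNAME, TYPE_DS, auth)


if __name__ == "__main__":
    for with_soa, tc in ((False, False), (True, True), (True, False)):
        print(f"soa={with_soa} tc={tc} -> {classify(sample(with_soa, tc))}")
```

The first sample (NSEC only, TC clear) is the response BIND refused; the second (SOA present, TC set) is what Unbound returned after the restart, which a client would complete over TCP. Running the classifier over responses captured from a forwarder is a quick way to tell whether the forwarder or the client is producing the FORMERR.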