Maintained by: NLnet Labs

[Unbound-users] Question about qtype=any

Luo Ce
Thu Jul 14 03:41:58 CEST 2011


Hi Wouter,

I found the difference when I compared the query results between unbound and bind in a non-dnssec environment, and I think it's not bad for unbound to give more information for qtype any.
If this additional information makes the DNSSEC validation fail, the solution you want to take seems necessary.
And in my opinion, when the query response is fine and could be trusted, the DNSSEC-validation should be passed.

Regards,
Luo Ce 
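As an added illustration (not code from this thread, nor from Unbound or BIND), a toy cache responder that contrasts the two ANY behaviours discussed: answering from the RRsets owned by the qname only, as Wouter proposes, versus chasing the CNAME chain to its target, as unbound did at the time. The cache contents are constructed from the dig output quoted in the thread; the loop entries and the MAX_CHAIN bound are assumptions added for the example.

```python
# (owner, rtype) -> rdata list; a minimal RRset cache built from the dig
# output in the thread, plus a constructed CNAME loop for the edge case.
CACHE = {
    ("www.sohu.com.", "CNAME"): ["d7.a.sohu.com."],
    ("d7.a.sohu.com.", "CNAME"): ["frontend-tc7.a.sohu.com."],
    ("frontend-tc7.a.sohu.com.", "A"): ["61.135.181.169",
                                        "61.135.181.171",
                                        "61.135.181.167"],
    ("www.yahoo.com.", "CNAME"): ["fp.wg1.b.yahoo.com."],
    ("fp.wg1.b.yahoo.com.", "CNAME"): ["any-fp.wa1.b.yahoo.com."],
    ("any-fp.wa1.b.yahoo.com.", "A"): ["98.137.149.56", "72.30.2.43"],
    ("loop1.example.", "CNAME"): ["loop2.example."],   # constructed loop
    ("loop2.example.", "CNAME"): ["loop1.example."],
}

MAX_CHAIN = 8  # assumed bound on CNAME chasing, as real resolvers impose


def rrsets_at(cache, name):
    """All cached RRsets owned by `name`, as (owner, rtype, rdata) tuples."""
    return [(n, t, r) for (n, t), r in cache.items() if n == name]


def answer_any(cache, qname, follow_cname):
    """Build the ANSWER section for qname/ANY from the cache.

    follow_cname=False: return every RRset at qname (a CNAME included) and
    nothing else; this is the behaviour proposed in the thread and what
    BIND's cache reconstruction produced.
    follow_cname=True: additionally chase the CNAME chain and append the
    RRsets found at each target, as unbound did at the time of the thread.
    """
    answer = rrsets_at(cache, qname)
    if not follow_cname:
        return answer
    seen = {qname}
    name = qname
    for _ in range(MAX_CHAIN):
        target = cache.get((name, "CNAME"))
        if not target:
            break                 # chain ended at a non-alias name
        name = target[0]
        if name in seen:
            break                 # CNAME loop: stop instead of spinning
        seen.add(name)
        answer += rrsets_at(cache, name)
    return answer
```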

-----Original Message-----
From: W.C.A. Wijngaards [mailto:wouter at NLnetLabs.nl] 
Sent: Tuesday, July 12, 2011 8:09 PM
To: unbound-users at unbound.net
Cc: 罗策
Subject: Re: [Unbound-users] Question about qtype=any


Hi Luo Ce,

The solution we would like to implement is that the CNAME is not
followed for qtype ANY (and fix DNSSEC-validation of such responses),
because it is RFC-conformant and short.

Is this OK, or does this create problems; for aliasing perhaps?  Is
there some specific result you need to get from ANY queries to DNAME and
CNAME aliases?  It would be good to support aliases.  Or is this bug
report not because of aliasing but an error found in the lab?

Best regards,
   Wouter


On 07/11/2011 11:14 AM, W.C.A. Wijngaards wrote:
> Hi,
> 
> Yes, unbound continues processing and follows the CNAME, also for qtype
> ANY.  It fetches the qtype ANY at the CNAME destination for the client.
> 
> Best regards,
>    Wouter
> 
> On 07/11/2011 02:59 AM, Luo Ce wrote:
>> Not only www.google.com, I tried www.sohu.com <http://www.sohu.com> and
>> www.yahoo.com <http://www.yahoo.com>, the results unbound gave me all
>> include the A records.
> 
>> So the problem may not be the authoritative server, it looks like
>> unbound continues to process the cname response and gets the final A records.
> 
>> ; <<>> DiG 9.7.3-P1 <<>> @localhost www.sohu.com any
>> ; (1 server found)
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55095
>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 3, ADDITIONAL: 3
>> 
>> ;; QUESTION SECTION:
>> ;www.sohu.com.                  IN      ANY
>> 
>> ;; ANSWER SECTION:
>> www.sohu.com.           600     IN      CNAME   d7.a.sohu.com.
>> d7.a.sohu.com.          300     IN      CNAME   frontend-tc7.a.sohu.com.
>> frontend-tc7.a.sohu.com. 300    IN      A       61.135.181.169
>> frontend-tc7.a.sohu.com. 300    IN      A       61.135.181.171
>> frontend-tc7.a.sohu.com. 300    IN      A       61.135.181.167
>> 
>> ;; AUTHORITY SECTION:
>> a.sohu.com.             3600    IN      NS      y.a.sohu.com.
>> a.sohu.com.             3600    IN      NS      x.a.sohu.com.
>> a.sohu.com.             3600    IN      NS      z.a.sohu.com.
>> 
>> ;; ADDITIONAL SECTION:
>> x.a.sohu.com.           7200    IN      A       121.14.0.42
>> y.a.sohu.com.           7200    IN      A       220.181.26.169
>> z.a.sohu.com.           7200    IN      A       61.135.179.168
>> 
>> ; <<>> DiG 9.7.3-P1 <<>> @localhost www.yahoo.com any
>> ; (1 server found)
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24745
>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 0
>> 
>> ;; QUESTION SECTION:
>> ;www.yahoo.com.                 IN      ANY
>> 
>> ;; ANSWER SECTION:
>> www.yahoo.com.          300     IN      CNAME   fp.wg1.b.yahoo.com.
>> fp.wg1.b.yahoo.com.     60      IN      CNAME   any-fp.wa1.b.yahoo.com.
>> any-fp.wa1.b.yahoo.com. 60      IN      A       98.137.149.56
>> any-fp.wa1.b.yahoo.com. 60      IN      A       72.30.2.43
> 
>> From: Blacka, David [mailto:davidb at verisign.com]
>> Sent: Friday, July 08, 2011 8:25 PM
>> To: Luo Ce
>> Cc: <unbound-users at unbound.net>
>> Subject: Re: [Unbound-users] Question about qtype=any
> 
>> On Jul 7, 2011, at 9:30 PM, Luo Ce wrote:
>> 
>>> Hi all,
>>> 
>>> When I use unbound and send a query with qtype = any
>>> dig @localhost www.google.com <http://www.google.com> any
>>> unbound returns me the following results:
>>> 
>>> ; (1 server found)
>>> ;; global options: +cmd
>>> ;; Got answer:
>>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11161
>>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 7, AUTHORITY: 0, ADDITIONAL: 0
>>> 
>>> ;; QUESTION SECTION:
>>> ;www.google.com.                        IN      ANY
>>> 
>>> ;; ANSWER SECTION:
>>> www.google.com.         604800  IN      CNAME   www.l.google.com.
>>> www.l.google.com.       300     IN      A       74.125.71.147
>>> www.l.google.com.       300     IN      A       74.125.71.99
>>> www.l.google.com.       300     IN      A       74.125.71.106
>>> www.l.google.com.       300     IN      A       74.125.71.105
>>> www.l.google.com.       300     IN      A       74.125.71.103
>>> www.l.google.com.       300     IN      A       74.125.71.104
>>> 
>>> I just want to know whether the A records are needed for the qtype any,
>>> because when I send the same query to bind, it only returns me the cname answer.
>> 
>> I believe what is happening here is that unbound is returning what the
>> authoritative server returns for 'www.google.com/ANY', while BIND is
>> reconstructing the answer (that is, looking at its cache and returning
>> all RRsets that match the qname).
>> 
>> So, maybe a better question is: why do google's authoritative
>> nameservers return the A records with qtype=ANY?
>> 
>> --
>> David Blacka                          <davidb at verisign.com>
>> Principal Engineer      Verisign Infrastructure Engineering
> 
>> _______________________________________________
>> Unbound-users mailing list
>> Unbound-users at unbound.net
>> http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
> 