Maintained by: NLnet Labs

[Unbound-users] Unbound accepts Authority records with a wrong zone cut. Too lax?

Stephane Bortzmeyer
Wed Jul 18 10:19:16 CEST 2012


Today, we experienced the problem described in
<http://fanf.livejournal.com/107721.html>. BIND cannot query CNAME
ns1.webhosting24.com but Unbound can. Here on OARC's ODVR service:

# BIND
% dig @2001:4f8:3:2bc:1::64:20 CNAME ns1.webhosting24.com

; <<>> DiG 9.8.1-P1 <<>> @2001:4f8:3:2bc:1::64:20 CNAME ns1.webhosting24.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 35315
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;ns1.webhosting24.com.          IN      CNAME

;; Query time: 656 msec
;; SERVER: 2001:4f8:3:2bc:1:0:64:20#53(2001:4f8:3:2bc:1:0:64:20)
;; WHEN: Wed Jul 18 09:21:27 2012
;; MSG SIZE  rcvd: 49

# Unbound
% dig @2001:4f8:3:2bc:1::64:21 CNAME ns1.webhosting24.com

; <<>> DiG 9.8.1-P1 <<>> @2001:4f8:3:2bc:1::64:21 CNAME ns1.webhosting24.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43630
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;ns1.webhosting24.com.          IN      CNAME

;; Query time: 492 msec
;; SERVER: 2001:4f8:3:2bc:1:0:64:21#53(2001:4f8:3:2bc:1:0:64:21)
;; WHEN: Wed Jul 18 09:21:31 2012
;; MSG SIZE  rcvd: 49

I suspect that Unbound may be too lax since the answer is indeed
incorrect. ns1.webhosting24.com is delegated but the name servers
reply with an Authority which indicates a zone cut at
webhosting24.com. It seems BIND is right to reject it and Unbound is
wrong?

% dig @217.70.144.111 CNAME ns1.webhosting24.com 

; <<>> DiG 9.7.3 <<>> @217.70.144.111 CNAME ns1.webhosting24.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17571
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;ns1.webhosting24.com.          IN      CNAME

;; AUTHORITY SECTION:
webhosting24.com.       86400   IN      SOA     ns1.webhosting24.com. hostmaster.webhosting24.com. 2012071800 86400 3600 604800 86400

;; Query time: 23 msec
;; SERVER: 217.70.144.111#53(217.70.144.111)
;; WHEN: Wed Jul 18 10:18:46 2012
;; MSG SIZE  rcvd: 96
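
The check discussed in the message above, as an added example that is not part of the original post and is not BIND's or Unbound's code: it compares the SOA owner in a negative reply with the zone the queried server was delegated. The function names are hypothetical, and the delegated zone `ns1.webhosting24.com.` is taken from the post's statement that this name is delegated.

```python
import re

# Authoritative reply quoted in the post above, trimmed to the lines the check needs.
DIG_REPLY = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17571
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;ns1.webhosting24.com.          IN      CNAME

;; AUTHORITY SECTION:
webhosting24.com.       86400   IN      SOA     ns1.webhosting24.com. hostmaster.webhosting24.com. 2012071800 86400 3600 604800 86400
"""

def labels(name):
    """Lower-cased label list of a domain name; the root is []."""
    return [l for l in name.lower().rstrip(".").split(".") if l]

def is_subdomain(name, parent):
    """True if name equals parent or lies below it in the DNS tree."""
    n, p = labels(name), labels(parent)
    return len(n) >= len(p) and n[len(n) - len(p):] == p

def parse_dig(text):
    """Extract the question name and the SOA owner names from dig output."""
    qname = re.search(r"^;(\S+)\s+IN\s+\S+\s*$", text, re.M).group(1)
    soa_owners = re.findall(r"^(\S+)\s+\d+\s+IN\s+SOA\s", text, re.M)
    return qname, soa_owners

def check_negative_reply(text, delegated_zone):
    """Problems with the SOA in a negative reply from a server that
    delegated_zone was delegated to; an empty list means it is consistent."""
    qname, soa_owners = parse_dig(text)
    problems = []
    for owner in soa_owners:
        if not is_subdomain(qname, owner):
            problems.append(f"SOA {owner} is not an ancestor of {qname}")
        elif not is_subdomain(owner, delegated_zone):
            # The SOA claims a zone apex above the delegation point.
            problems.append(f"SOA {owner} is above the zone cut {delegated_zone}")
    return problems

if __name__ == "__main__":
    for p in check_negative_reply(DIG_REPLY, "ns1.webhosting24.com."):
        print(p)
```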