Maintained by: NLnet Labs

[Unbound-users] Unbound accepts Authority records with a wrong zone cut. Too lax?

W.C.A. Wijngaards
Wed Jul 18 10:37:59 CEST 2012



Hi Stephane,

On 07/18/2012 10:19 AM, Stephane Bortzmeyer wrote:
> Today, we experienced the problem described in 
> <http://fanf.livejournal.com/107721.html>. BIND cannot query CNAME 
> ns1.webhosting24.com but Unbound can. Here on OARC's ODVR service:
> 
> # BIND % dig @2001:4f8:3:2bc:1::64:20 CNAME ns1.webhosting24.com
> 
> ; <<>> DiG 9.8.1-P1 <<>> @2001:4f8:3:2bc:1::64:20 CNAME ns1.webhosting24.com
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 35315
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;ns1.webhosting24.com.          IN      CNAME
> 
> ;; Query time: 656 msec
> ;; SERVER: 2001:4f8:3:2bc:1:0:64:20#53(2001:4f8:3:2bc:1:0:64:20)
> ;; WHEN: Wed Jul 18 09:21:27 2012
> ;; MSG SIZE  rcvd: 49
> 
> # Unbound % dig @2001:4f8:3:2bc:1::64:21 CNAME ns1.webhosting24.com
> 
> ; <<>> DiG 9.8.1-P1 <<>> @2001:4f8:3:2bc:1::64:21 CNAME ns1.webhosting24.com
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43630
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;ns1.webhosting24.com.          IN      CNAME
> 
> ;; Query time: 492 msec
> ;; SERVER: 2001:4f8:3:2bc:1:0:64:21#53(2001:4f8:3:2bc:1:0:64:21)
> ;; WHEN: Wed Jul 18 09:21:31 2012
> ;; MSG SIZE  rcvd: 49
> 
> I suspect that Unbound may be too lax since the answer is indeed 
> incorrect. ns1.webhosting24.com is delegated but the name servers 
> reply with an Authority which indicates a zone cut at 
> webhosting24.com. It seems BIND is right to reject it and Unbound
> is wrong?

Unbound rejects the authority records from this message. Then it looks
at the resulting message and thinks that this looks like a
NOERROR/NODATA answer, which it returns to the client.

So, Unbound rejects the authority zone cut, but does not turn that
into a SERVFAIL because it thinks it can understand the message with
that RR removed.

Best regards,
   Wouter


> % dig @217.70.144.111 CNAME ns1.webhosting24.com
> 
> ; <<>> DiG 9.7.3 <<>> @217.70.144.111 CNAME ns1.webhosting24.com
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17571
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
> ;; WARNING: recursion requested but not available
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;ns1.webhosting24.com.          IN      CNAME
> 
> ;; AUTHORITY SECTION:
> webhosting24.com.       86400   IN      SOA     ns1.webhosting24.com. hostmaster.webhosting24.com. 2012071800 86400 3600 604800 86400
> 
> ;; Query time: 23 msec
> ;; SERVER: 217.70.144.111#53(217.70.144.111)
> ;; WHEN: Wed Jul 18 10:18:46 2012
> ;; MSG SIZE  rcvd: 96


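The behaviour Wouter describes, modelled as an added example (this is not Unbound's code; the record classes, the zone-cut check and the optional "strict" policy are assumptions): a SOA in the authority section owned by a name above the zone the queried server was delegated for is scrubbed, and the lax classification then reads the emptied NOERROR reply as NODATA, where a strict policy would return SERVFAIL instead.

```python
from dataclasses import dataclass, field

@dataclass
class RR:
    name: str     # owner name
    rtype: str    # "SOA", "NS", "CNAME", ...
    rdata: str = ""

@dataclass
class Message:
    qname: str
    qtype: str
    answer: list = field(default_factory=list)
    authority: list = field(default_factory=list)

def is_subdomain(name, zone):
    """True when name equals zone or lies below it in the DNS tree."""
    name, zone = (n.rstrip(".").lower() + "." for n in (name, zone))
    return zone == "." or name == zone or name.endswith("." + zone)

def scrub_authority(msg, zone):
    """Drop SOA/NS authority records whose owner lies outside the zone the queried
    server was delegated for. Returns (cleaned message, list of dropped RRs)."""
    dropped = [rr for rr in msg.authority
               if rr.rtype in ("SOA", "NS") and not is_subdomain(rr.name, zone)]
    kept = [rr for rr in msg.authority if rr not in dropped]
    return Message(msg.qname, msg.qtype, list(msg.answer), kept), dropped

def classify(msg):
    """Classify whatever is left, the way a lax resolver would."""
    if msg.answer:
        return "ANSWER"
    if any(rr.rtype == "NS" for rr in msg.authority):
        return "REFERRAL"
    return "NODATA"   # NOERROR with nothing left is read as a negative answer

def resolve_response(msg, zone, strict=False):
    """strict=True is an assumed policy: answer SERVFAIL when scrubbing emptied the reply."""
    clean, dropped = scrub_authority(msg, zone)
    if strict and dropped and not clean.answer and not clean.authority:
        return "SERVFAIL"
    return classify(clean)

# Constructed from the thread: ns1.webhosting24.com is delegated, but the server's
# authority section carries a SOA owned by the parent, webhosting24.com.
RESPONSE = Message("ns1.webhosting24.com.", "CNAME", authority=[
    RR("webhosting24.com.", "SOA", "ns1.webhosting24.com. hostmaster.webhosting24.com. "
       "2012071800 86400 3600 604800 86400")])
```

Querying the same response against the correct cut (`webhosting24.com.`) keeps the SOA and yields a proper NODATA, which is the distinction between the two resolvers' results above.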