Maintained by: NLnet Labs

[Unbound-users] Private-address SERVFAIL

W.C.A. Wijngaards
Fri Mar 22 10:52:05 CET 2013


Hi Ehren,

On 03/21/2013 09:01 PM, Ehren Hawks wrote:
> Today I had to disable private address stripping of 10.0.0.0/8
> because it was leading to SERVFAILS when looking up
> echannel.stateauto.com

Thank you for the bug report, this is a bug in the private address
code where it removes the entire RRset.  It is fixed to remove the RR
(and the RRset if it becomes empty (and thus also removes its RRSIGs
(if any))).

That fixes the lookup for this domain name.  It leaves the publicly
accessible addresses intact, and the domain then resolves.

> I'm running Unbound 1.4.16 on Centos 6.2
>
> Name        : unbound
> Arch        : x86_64
> Version     : 1.4.16
> Release     : 1.el6
>
> The following dig shows the presence of private addresses in the
> additional section. I thought by default Unbound would strip these
> addresses when using the respective private address: option in
> the config, but it appears to be leading to lookup failures. I
> haven't a clue what else I should look at, if I should modify my
> config or what. Thanks for guidance.

Another interesting thing is that this domain seems to discard
incoming queries with the AD flag, which is turned on by default in
dig 9.9.  dig +noad works fine.

Best regards,
   Wouter


> [CDNS1]# dig @174.47.194.100 echannel.stateauto.com
>
> ; <<>> DiG 9.7.3-P3-RedHat-9.7.3-8.P3.el6_2.2 <<>> @174.47.194.100 echannel.stateauto.com
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50513
> ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 5
> ;; WARNING: recursion requested but not available
>
> ;; QUESTION SECTION:
> ;echannel.stateauto.com.                IN      A
>
> ;; AUTHORITY SECTION:
> echannel.stateauto.com. 3600    IN      NS      dc1gss.stateauto.com.
> echannel.stateauto.com. 3600    IN      NS      colgss.stateauto.com.
> echannel.stateauto.com. 3600    IN      NS      irogss.stateauto.com.
>
> ;; ADDITIONAL SECTION:
> dc1gss.stateauto.com.   3600    IN      A       10.30.252.102
> dc1gss.stateauto.com.   3600    IN      A       174.47.194.102
> colgss.stateauto.com.   3600    IN      A       66.192.197.102
> colgss.stateauto.com.   3600    IN      A       10.25.252.102
> irogss.stateauto.com.   3600    IN      A       63.86.19.102
>
> ;; Query time: 26 msec
> ;; SERVER: 174.47.194.100#53(174.47.194.100)
> ;; WHEN: Thu Mar 21 15:44:22 2013
> ;; MSG SIZE  rcvd: 205

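As an added illustration (not part of the original message and not Unbound's source code), this C sketch contrasts the two behaviours described in the reply, whole-RRset removal versus per-RR removal, on the glue records from the quoted dig output with 10.0.0.0/8 as the private range. The `struct rrset` model and all function names are hypothetical.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model of one A RRset (not Unbound's internal structures). */
struct rrset { const char *owner; const char *addr[4]; size_t count; };

/* Nonzero if addr lies inside net/prefix, e.g. 10.0.0.0/8. */
static int in_net(const char *addr, const char *net, int prefix) {
    struct in_addr a, n;
    if (inet_pton(AF_INET, addr, &a) != 1 || inet_pton(AF_INET, net, &n) != 1)
        return 0;
    uint32_t mask = prefix ? 0xffffffffu << (32 - prefix) : 0;
    return (ntohl(a.s_addr) & mask) == (ntohl(n.s_addr) & mask);
}

/* Behaviour described as the bug: one private RR discards the whole RRset. */
size_t strip_rrset(struct rrset *rs, const char *net, int prefix) {
    for (size_t i = 0; i < rs->count; i++)
        if (in_net(rs->addr[i], net, prefix)) { rs->count = 0; break; }
    return rs->count;
}

/* Behaviour described as the fix: drop only the matching RRs. A return of 0
 * means the RRset is now empty, so the caller drops it and its RRSIGs. */
size_t strip_rr(struct rrset *rs, const char *net, int prefix) {
    size_t keep = 0;
    for (size_t i = 0; i < rs->count; i++)
        if (!in_net(rs->addr[i], net, prefix))
            rs->addr[keep++] = rs->addr[i];
    return (rs->count = keep);
}

/* Count glue addresses left after filtering the quoted additional section. */
size_t usable_glue(size_t (*filter)(struct rrset *, const char *, int)) {
    struct rrset glue[] = {   /* records copied from the dig output above */
        { "dc1gss.stateauto.com.", { "10.30.252.102", "174.47.194.102" }, 2 },
        { "colgss.stateauto.com.", { "66.192.197.102", "10.25.252.102" }, 2 },
        { "irogss.stateauto.com.", { "63.86.19.102" }, 1 },
    };
    size_t total = 0;
    for (size_t i = 0; i < sizeof glue / sizeof glue[0]; i++)
        total += filter(&glue[i], "10.0.0.0", 8);
    return total;
}

int main(void) {
    printf("whole-RRset: %zu, per-RR: %zu\n", usable_glue(strip_rrset), usable_glue(strip_rr));
    return 0;
}
```

Per-RR filtering keeps the public address of every nameserver, while whole-RRset removal leaves glue for only the one nameserver that had no private address.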