Maintained by: NLnet Labs

[Unbound-users] Private-address SERVFAIL

W.C.A. Wijngaards
Mon Mar 25 09:09:59 CET 2013



Hi Ehren,

On 03/22/2013 05:10 PM, Ehren Hawks wrote:
> Wouter,
> 
> Thank you for taking the time to review my issue. One more
> question, is this a patchable fix and or something that will be
> available in future releases of Unbound?

This is available in a future release of Unbound.

You can get a patch, with
svn diff http://unbound.net/svn/trunk/iterator -r2867:2868 > file
and cd src/iterator ; patch -p0 < file.

Best regards,
   Wouter

> -----Original Message----- From: unbound-users-bounces at unbound.net 
> [mailto:unbound-users-bounces at unbound.net] On Behalf Of 
> unbound-users-request at unbound.net Sent: Friday, March 22, 2013 5:52
> AM To: unbound-users at unbound.net Subject: Unbound-users Digest, Vol
> 64, Issue 15
> 

> Message: 1 Date: Thu, 21 Mar 2013 16:01:36 -0400 From: "Ehren
> Hawks" <ehawks at goeaston.net> To: <unbound-users at unbound.net> 
> Subject: [Unbound-users] Private-address SERVFAIL Message-ID:
> <008b01ce266e$e4ea6e30$aebf4a90$@goeaston.net> Content-Type:
> text/plain; charset="us-ascii"
> 
> Today I had to disable private address stripping of 10.0.0.0/8
> because it was leading to SERVFAILS when looking up
> echannel.stateauto.com
> 
> 
> 
> I'm running Unbound 1.4.16 on Centos 6.2
> 
> 
> 
> Name        : unbound
> 
> Arch        : x86_64
> 
> Version     : 1.4.16
> 
> Release     : 1.el6
> 
> 
> 
> The following dig shows the presence of private addresses in the
> additional section. I thought by default Unbound would strip these
> addresses when using the respective private address: option in the
> config, but it appears to be leading to lookup failures. I haven't
> a clue what else I should look at, if I should modify my config or
> what. Thanks for guidance.
> 
> 
> 
> 
> 
> [CDNS1]# dig @174.47.194.100 echannel.stateauto.com
>
> ; <<>> DiG 9.7.3-P3-RedHat-9.7.3-8.P3.el6_2.2 <<>> @174.47.194.100 echannel.stateauto.com
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50513
> ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 5
> ;; WARNING: recursion requested but not available
>
> ;; QUESTION SECTION:
> ;echannel.stateauto.com.                IN      A
>
> ;; AUTHORITY SECTION:
> echannel.stateauto.com. 3600    IN      NS      dc1gss.stateauto.com.
> echannel.stateauto.com. 3600    IN      NS      colgss.stateauto.com.
> echannel.stateauto.com. 3600    IN      NS      irogss.stateauto.com.
>
> ;; ADDITIONAL SECTION:
> dc1gss.stateauto.com.   3600    IN      A       10.30.252.102
> dc1gss.stateauto.com.   3600    IN      A       174.47.194.102
> colgss.stateauto.com.   3600    IN      A       66.192.197.102
> colgss.stateauto.com.   3600    IN      A       10.25.252.102
> irogss.stateauto.com.   3600    IN      A       63.86.19.102
>
> ;; Query time: 26 msec
> ;; SERVER: 174.47.194.100#53(174.47.194.100)
> ;; WHEN: Thu Mar 21 15:44:22 2013
> ;; MSG SIZE  rcvd: 205
> 
> 
> ------------------------------
> 
> Message: 2 Date: Thu, 21 Mar 2013 13:19:43 -0700 From: Bry8 Star
> <bry8star at yahoo.com> To: unbound-users at unbound.net Subject: Re:
> [Unbound-users] Reply Email Going To User Instead of Mailing-List,
> Pls Fix Message-ID: <514B6B5F.4090500 at yahoo.com> Content-Type:
> text/plain; charset="iso-8859-1"
> 
> Hi Paul, Miek Gieben, I sent similar emails to others (not only to
> you), to show/demonstrate, when someone subscribing to a
> mailing-list, then he/she expect emails coming via/from the
> mailing-list, not from a person directly.
> 
> It is not right to send email directly to a user or few users
> only. Initial posting and other posting are intended to be shared
> with ALL subscribers.
> 
> i also have close to 200 or over mailing-list subscription, let me
> REPEAT, NONE are like this nlnetlab mailing-list.
> 
> every other mailing-list ... when "Reply" button is pressed on any
> posting, then Thunderbird opens new email and places the
> mailing-list email address in the "To:" field, (except nlnetlabs.nl
> list).
> 
> That is what i'm expecting.
> 
> I DO NOT WANT ANY PERSON/USER TO SEND ME EMAIL DIRECTLY. I
> SUBSCRIBED to MAILING-LIST EMAIL-ADDRESS ONLY, NOT to a person's
> email.
> 
> That's what i wanted all to understand.
> 
> If you cannot do that, then you should also place a notice in
> subscription page that other users will start to email you
> directly, when you subscribe.
> 
> AND WHEN YOU REPLY ... MAKE SURE YOU HAVE PLACED ONLY ONE EMAIL
> ADDRESS unbound-users at unbound.net IN THE "To:" FIELD, NO NEED TO
> FILL "Cc:" or "Bcc:", REMOVE "Cc:" & "Bcc:". THANK YOU.
> 
> -- Bright Star.
> 
> 
> 
> Received from Paul Wouters, on 2013-03-21 12:31 PM:
>> On Thu, 21 Mar 2013, Bry8 Star wrote:
>> 
>> Please get a life. You've now been kill filed in my procmailrc,
>> so if you ever want to ask unbound questions again, I guess I
>> won't hear them.
>> 
>> Paul
>> 
>>> Hi Paul Wouters, i'm including your sent email's HEADERS,
>>> except the "X-YMailISG:" header.
>>> 
>>> Why are you sending email to me ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! !
>>> ! ! ! ! ! ! ! ! ! ! ! ! ! !
>>> 
>>> PLEASE DO NOT SEND EMAIL TO ME.
>>> 
>>> SEND IT TO MAILING-LIST ONLY.
>>> 
>>> I HAVE APPROVED/ALLOWED ONLY MAILING-LIST TO SEND ME EMAIL.
>>> 
>>> NOT ANYBODY ELSE. -- Bright Star.
>>> 
>>> 
>>> 
>>> 
>>> 
>>> Received from Paul Wouters, on 2013-03-21 11:35 AM:
>>>> On Thu, 21 Mar 2013, Joe Abley wrote:
>>>> 
>>>>> Subject: Re: [Unbound-users] Reply Email Going To User
>>>>> Instead of Mailing-List, Pls Fix
>>>> 
>>>> Baby... bath water....
>>>> 
>>>> Take it off list? I've gone through enough of these
>>>> "discussions".
>>>> 
>>>> Paul
>>> 
>>> 
> 
> 
> ------------------------------
> 
> Message: 3 Date: Thu, 21 Mar 2013 21:40:32 +0100 From: Miek Gieben
> <miek at miek.nl> To: unbound-users at unbound.net Subject: Re:
> [Unbound-users] Reply Email Going To User Instead of Mailing-List,
> Pls Fix Message-ID: <20130321204032.GB19273 at miek.nl> Content-Type:
> text/plain; charset="us-ascii"
> 
> [ Quoting <bry8star at yahoo.com> in "Re: [Unbound-users] Reply Email
> Goi..." ]
>> Hi Paul, Miek Gieben, I sent similar emails to others (not only
>> to you), to show/demonstrate, when someone subscribing to a
>> mailing-list, then he/she expect emails coming via/from the
>> mailing-list, not from a person directly.
> 
> As Paul said: kill-file
> 
> Good bye, thanks
> 
> ------------------------------
> 
> Message: 4 Date: Thu, 21 Mar 2013 21:58:26 +0100 From: Jaap
> Akkerhuis <jaap at NLnetLabs.nl> To: bry8star at yahoo.com Cc:
> unbound-users at unbound.net Subject: Re: [Unbound-users] Reply Email
> Going To User Instead of Mailing-List, Pls Fix Message-ID:
> <201303212058.r2LKwQ5P070462 at bela.nlnetlabs.nl>
> 
> 
> Please, stop sending off-topic messages to this list.
> 
> If you really don't like the way the mailing list is run, you can
> always unsubscribe.
> 
> jaap
> 
> 
> ------------------------------
> 
> Message: 5 Date: Thu, 21 Mar 2013 20:18:36 -0700 From: David
> Benfell <benfell at parts-unknown.org> To: unbound-users at unbound.net 
> Subject: Re: [Unbound-users] Reply Email Going To User Instead of 
> Mailing-List, Pls Fix Message-ID:
> <514BCD8C.3020703 at parts-unknown.org> Content-Type: text/plain;
> charset=ISO-8859-1
> 
> On 03/21/2013 01:19 PM, Bry8 Star wrote:
>> Hi Paul, Miek Gieben, I sent similar emails to others (not only
>> to you), to show/demonstrate, when someone subscribing to a
>> mailing-list, then he/she expect emails coming via/from the
>> mailing-list, not from a person directly.
> 
> You are seeking to enforce what is, for all practical purposes, a
> Reply-To policy. In open source software lists, there are many who
> consider Reply-To evil.
> 
> I happen not to agree with that evaluation, but from what I've
> seen, it has majority acquiescence, if not support.
> 
> My advice has to be, give it up. You are not going to win this
> battle.
> 
> What you will do instead is end up being banned. Which means you
> lose.
> 
> End of story.
> 
> 
> ------------------------------
> 
> Message: 6 Date: Fri, 22 Mar 2013 10:52:05 +0100 From: "W.C.A.
> Wijngaards" <wouter at nlnetlabs.nl> To: unbound-users at unbound.net 
> Subject: Re: [Unbound-users] Private-address SERVFAIL Message-ID:
> <514C29C5.3060400 at nlnetlabs.nl> Content-Type: text/plain;
> charset=ISO-8859-1
> 
> 
> Hi Ehren,
> 
> On 03/21/2013 09:01 PM, Ehren Hawks wrote:
>> Today I had to disable private address stripping of 10.0.0.0/8
>> because it was leading to SERVFAILS when looking up
>> echannel.stateauto.com
> 
> Thank you for the bug report, this is a bug in the private address
> code where it removes the entire RRset.  It is fixed to remove the
> RR (and the RRset if it becomes empty (and thus also removes its
> RRSIGs (if any)).
> 
> That fixes the lookup for this domain name.  It leaves the
> publicly accessible addresses intact, and the domain then
> resolves.
> 
>> 
>> I'm running Unbound 1.4.16 on Centos 6.2
>> 
>> 
>> 
>> Name        : unbound
>> 
>> Arch        : x86_64
>> 
>> Version     : 1.4.16
>> 
>> Release     : 1.el6
>> 
>> 
>> 
>> The following dig shows the presence of private addresses in the
>>  additional section. I thought by default Unbound would strip
>> these addresses when using the respective private address:
>> option in the config, but it appears to be leading to lookup
>> failures. I haven't a clue what else I should look at, if I
>> should modify my config or what. Thanks for guidance.
> 
> Another interesting thing is that this domain seems to discard
> incoming queries with the ADflag.  Which is turned on by default in
> dig 9.9.  dig +noad works fine.
> 
> Best regards, Wouter
> 
> 
>> 
>> [CDNS1]# dig @174.47.194.100 echannel.stateauto.com
>>
>> ; <<>> DiG 9.7.3-P3-RedHat-9.7.3-8.P3.el6_2.2 <<>> @174.47.194.100 echannel.stateauto.com
>> ; (1 server found)
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50513
>> ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 5
>> ;; WARNING: recursion requested but not available
>>
>> ;; QUESTION SECTION:
>> ;echannel.stateauto.com.                IN      A
>>
>> ;; AUTHORITY SECTION:
>> echannel.stateauto.com. 3600    IN      NS dc1gss.stateauto.com.
>> echannel.stateauto.com. 3600    IN      NS colgss.stateauto.com.
>> echannel.stateauto.com. 3600    IN      NS irogss.stateauto.com.
>>
>> ;; ADDITIONAL SECTION:
>> dc1gss.stateauto.com.   3600    IN      A       10.30.252.102
>> dc1gss.stateauto.com.   3600    IN      A       174.47.194.102
>> colgss.stateauto.com.   3600    IN      A       66.192.197.102
>> colgss.stateauto.com.   3600    IN      A       10.25.252.102
>> irogss.stateauto.com.   3600    IN      A       63.86.19.102
>>
>> ;; Query time: 26 msec
>> ;; SERVER: 174.47.194.100#53(174.47.194.100)
>> ;; WHEN: Thu Mar 21 15:44:22 2013
>> ;; MSG SIZE  rcvd: 205
>> 
>> 
>> 
>> _______________________________________________ Unbound-users
>> mailing list Unbound-users at unbound.net 
>> http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
>> 
> 
> 
> 
> ------------------------------
> 
> 
> End of Unbound-users Digest, Vol 64, Issue 15 
> *********************************************
> 
> 

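
Added example (not part of the original messages and not Unbound's source code): a small Python model of the two behaviours described in the quoted reply, applied to the ADDITIONAL section of the dig output in this thread with 10.0.0.0/8 as the private range. The function names are illustrative assumptions; RRSIG handling is not modelled.

```python
import ipaddress

# ADDITIONAL section copied from the dig output quoted in this thread.
ADDITIONAL = """\
dc1gss.stateauto.com.   3600    IN      A       10.30.252.102
dc1gss.stateauto.com.   3600    IN      A       174.47.194.102
colgss.stateauto.com.   3600    IN      A       66.192.197.102
colgss.stateauto.com.   3600    IN      A       10.25.252.102
irogss.stateauto.com.   3600    IN      A       63.86.19.102
"""
# Range from the report (the 10.0.0.0/8 private address setting).
PRIVATE = [ipaddress.ip_network("10.0.0.0/8")]

def parse_rrsets(text):
    """Group A/AAAA records into RRsets keyed by (owner name, type)."""
    rrsets = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 5 and fields[3] in ("A", "AAAA"):
            key = (fields[0].lower(), fields[3])
            rrsets.setdefault(key, []).append(ipaddress.ip_address(fields[4]))
    return rrsets

def is_private(addr):
    return any(addr in net for net in PRIVATE)

def strip_whole_rrset(rrsets):
    """Behaviour before the fix, as described: one private RR drops the RRset."""
    return {k: v for k, v in rrsets.items() if not any(map(is_private, v))}

def strip_private_rrs(rrsets):
    """Behaviour after the fix, as described: drop only the private RRs and
    drop the RRset only when no RR is left in it."""
    kept = {k: [a for a in v if not is_private(a)] for k, v in rrsets.items()}
    return {k: v for k, v in kept.items() if v}

def glue(rrsets):
    """Flatten to {nameserver: [addresses]} for display."""
    out = {}
    for (name, _rtype), addrs in rrsets.items():
        out.setdefault(name, []).extend(str(a) for a in addrs)
    return out

if __name__ == "__main__":
    rrsets = parse_rrsets(ADDITIONAL)
    print("whole-RRset removal:", glue(strip_whole_rrset(rrsets)))
    print("per-RR removal:     ", glue(strip_private_rrs(rrsets)))
```

With whole-RRset removal only irogss keeps an address; with per-RR removal all three nameservers keep their public address.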