Maintained by: NLnet Labs

[Unbound-users] Again: use-caps-for-id trouble

W.C.A. Wijngaards
Fri Oct 10 16:05:32 CEST 2014


Hi Andreas,

The servers respond with different TTLs which is why unbound
classifies the answers as different, which is why the fallback for
capsforid does not work in this case.

Best regards,
   Wouter

On 10/10/14 15:44, A. Schulze wrote:
> 
> A. Schulze:
> 
>> Last week I had an issue with a domain I could analyse in
>> detail. The external customer runs a Debian Squeeze + bind 9.7.3
>> for his domain and rDNS.
>> 
>> The rDNS was broken because we sent queries for *.In.ADr.ArpA.
>> 
>> The Debian servers were "protected" by a Cisco firewall. This
>> device had a "content inspection" for DNS enabled which broke
>> his bind9 answers.
>> 
>> Unfortunately the latest 0x20 patches for unbound-1.4.22 did not
>> catch that.
>> 
>> @Wouter, if you're interested I could set up a test environment...
> 
> Today we hit a powerdns server responding in an unexpected manner:
> 
> $ dig @ns1.ipandmore.de MAIL1.IPANDMORE.DE +norecurse +noall +answer
> 
> ; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> @ns1.ipandmore.de MAIL1.IPANDMORE.DE +norecurse +noall +answer
> ; (1 server found)
> ;; global options: +cmd
> MAIL1.IPANDMORE.DE.     14400   IN      A       213.252.2.157
> 
> -> OK
> 
> $ dig @ns1.ipandmore.de 157.2.252.213.in-addr.arpa. PTR +norecurse +noall +answer
> 
> ; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> @ns1.ipandmore.de 157.2.252.213.in-addr.arpa. PTR +norecurse +noall +answer
> ; (1 server found)
> ;; global options: +cmd
> 157.2.252.213.in-addr.arpa. 900 IN      PTR     mail1.ipandmore.de.
> 
> -> OK
> 
> BUT: $ dig @ns1.ipandmore.de 157.2.252.213.IN-ADDR.ARPA. PTR +norecurse +noall +answer
> 
> ; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> @ns1.ipandmore.de 157.2.252.213.IN-ADDR.ARPA. PTR +norecurse +noall +answer
> ; (1 server found)
> ;; global options: +cmd
> 157.2.252.213.in-addr.arpa. 900 IN      PTR     mail1.ipandmore.de.
> 
> -> OK?, notice the lowercase "in-addr.arpa." in the answer.
> 
> We had a similar issue in June: 
> http://unbound.net/pipermail/unbound-users/2014-June/003377.html
> 
> Wouter wrote a patch I'm using here to handle the situation where
> DNS servers don't answer uppercase queries at all. But that
> mechanism fails here because there is no timeout.
> 
> I run 1.4.22 with the attached patch. Ideas / Updates?
> 
> Andreas

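
An added illustration of the failure Wouter describes (not part of the original message and not Unbound's code): it assumes the fallback accepts only when all replies compare equal, and shows that a comparison which includes TTLs rejects replies whose records are otherwise identical. The helper names, the case pattern, REPLY_B's TTL and REPLY_C are constructed.

```python
import random

def encode_0x20(qname, rng):
    """Randomise the case of every letter in the query name."""
    return "".join(c.upper() if rng.random() < 0.5 else c.lower() for c in qname)

def case_echoed(sent_qname, reply_qname):
    """0x20 check: the name must come back byte-for-byte as it was sent."""
    return sent_qname == reply_qname

def canonical(rrset, ignore_ttl):
    """Order-independent form of an answer; owner names compared caselessly."""
    return frozenset(
        (owner.lower(), None if ignore_ttl else ttl, rtype, rdata)
        for owner, ttl, rtype, rdata in rrset
    )

def fallback_accepts(replies, ignore_ttl):
    """Assumed fallback rule: accept only if every server gave the same answer."""
    return len({canonical(r, ignore_ttl) for r in replies}) == 1

# Constructed sample data modelled on the dig output quoted in the post.
NAME = "157.2.252.213.in-addr.arpa."
SENT = "157.2.252.213.In-aDDr.ArPA."   # constructed 0x20 case pattern
REPLY_A = [(NAME, 900, "PTR", "mail1.ipandmore.de.")]   # as in the post
REPLY_B = [(NAME, 3600, "PTR", "mail1.ipandmore.de.")]  # constructed: same data, other TTL
REPLY_C = [(NAME, 900, "PTR", "host.example.")]         # constructed: different data

def demo():
    return {
        "case_echoed": case_echoed(SENT, REPLY_A[0][0]),
        "strict_ttl": fallback_accepts([REPLY_A, REPLY_B], ignore_ttl=False),
        "ignore_ttl": fallback_accepts([REPLY_A, REPLY_B], ignore_ttl=True),
        "data_differs": fallback_accepts([REPLY_A, REPLY_C], ignore_ttl=True),
    }

if __name__ == "__main__":
    print(encode_0x20(NAME, random.Random(2014)))
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Dropping the TTL from the comparison still rejects REPLY_C, so the check on the record data itself is unchanged.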