Maintained by: NLnet Labs

extra CNAME resolutions in chain

W.C.A. Wijngaards
Mon May 29 13:51:01 CEST 2017


Hi Philip,

On 29/05/17 07:12, Philip O'Sullivan via Unbound-users wrote:
> Hi,
> 
> I'm seeing unbound making extra resolution requests for CNAME records in
> a chain where the domains differ between the record in the question and
> the CNAMEs in the answer.  For example a query coming into unbound for a
> host like a.b.c.com that gets a response from the server with CNAME
> a.b.e.com, CNAME a.d.e.com, A 1.2.3.4.  Instead of returning those
> immediately to the client unbound proceeds to resolve a.b.e.com and
> a.c.e.com, and then return to the client.  From the logs, when verbose
> logging is turned on we see messages like:
> 
>   info: sanitize: removing extraneous answer RRset: a.b.e.com. CNAME IN
> 
> Our unbound config is fairly simple with a forward-zone for "." pointing
> to our upstream DNS servers.  We don't have DNSSEC enabled.
> 
> From a quick look at the source I think this is happening in the
> scrubber at
> https://github.com/NLnetLabs/unbound/blob/master/iterator/iter_scrub.c#L663
> 
> I was wondering if there was any way to stop these extra lookups?

There is no way to turn that feature off.  The lookups are for defense
against (Kaminsky) cache poisoning scenarios.

On unbound.net there is
http://unbound.net/documentation/patch_announce102.html that describes
this.  Also described in (expired draft):
https://tools.ietf.org/html/draft-wijngaards-dnsext-resolver-side-mitigation-01

Best regards, Wouter
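As an added illustration for readers of this archive (constructed here, not Unbound's iter_scrub.c or anything posted in the thread), the following Python model shows the behaviour Wouter is describing: answer-section RRsets that the CNAME chain from the question name does not reach are dropped, and once a CNAME target leaves the zone the answering server is trusted for, the rest of the reply is discarded and the resolver chases that target itself, which is the resolver-side mitigation against spoofed (Kaminsky-style) replies. The function name `scrub_answer`, the zone "c.com" as the assumed bailiwick, and the log wording are assumptions; the names and records come from Philip's mail.

```python
from typing import List, NamedTuple, Optional, Tuple

class RRset(NamedTuple):
    owner: str   # owner name, e.g. "a.b.c.com"
    rtype: str   # "CNAME" or "A"
    rdata: str   # CNAME target or address

def _labels(name: str) -> List[str]:
    return [l for l in name.lower().rstrip(".").split(".") if l]

def in_zone(name: str, zone: str) -> bool:
    """True if name is at or below zone; zone "." covers every name."""
    z, n = _labels(zone), _labels(name)
    return len(n) >= len(z) and n[len(n) - len(z):] == z

def scrub_answer(qname: str, qtype: str, answer: List[RRset], zone: str
                 ) -> Tuple[List[RRset], Optional[str], List[str]]:
    """Walk the CNAME chain from qname through the answer section.
    Keeps only RRsets the chain reaches while it stays inside `zone`.
    Returns (kept RRsets, CNAME target the resolver must chase itself
    or None, log lines modelled on the thread's sanitize message)."""
    kept, log = [], []
    sname, chase = qname, None  # sname: name the chain currently expects
    for rr in answer:
        followed = chase is None and rr.owner.lower() == sname.lower()
        if followed and rr.rtype == "CNAME":
            kept.append(rr)
            if in_zone(rr.rdata, zone):
                sname = rr.rdata   # still in zone: keep following
            else:
                chase = rr.rdata   # left the zone: resolver chases it itself
        elif followed and rr.rtype == qtype:
            kept.append(rr)        # final answer of the chain
        else:
            # Not reached by the trusted part of the chain: a spoofed reply
            # could carry anything here, so it is never cached.
            log.append("sanitize: removing extraneous answer RRset: "
                       f"{rr.owner}. {rr.rtype} IN")
    return kept, chase, log

# Constructed input from the thread; the server is assumed to be trusted
# for c.com only (an assumption, not something the thread states).
ANSWER = [RRset("a.b.c.com", "CNAME", "a.b.e.com"),
          RRset("a.b.e.com", "CNAME", "a.d.e.com"),
          RRset("a.d.e.com", "A", "1.2.3.4")]

if __name__ == "__main__":
    kept, chase, log = scrub_answer("a.b.c.com", "A", ANSWER, "c.com")
    print(kept, chase, log, sep="\n")
```

With the zone set to "." (the forward-zone for "." in Philip's config taken literally) the model keeps the whole chain, which is why the real trigger in Unbound depends on how the delegation point for the forwarder is determined rather than on this simplified check alone.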
