[dns-operations] DNSSEC and ANY query
Paul Wouters
paul at xelerance.com
Tue Oct 4 21:36:30 UTC 2011
On Tue, 4 Oct 2011, Mark Pettit wrote:
> I've recently noticed a difference in behavior between how BIND handles ANY queries for records with both A and AAAA records, and how Phreebird handles them. I'm curious if either is wrong, and what the spec says, so I thought I'd ask here.
> As you can see, BIND hands back an NSEC record, an A record, and an AAAA record, and an RRSIG for each of those. There's more stuff in the Authority and Additional section, but that's not relevant to my question.
>
> Here's what I see from Phreebird 1.02:
>
> ========================================================================
> $ dig +dnssec dnssec-test.yehoo.org. any
>
> ; <<>> DiG 9.6.2-RedHat-9.6.2-0.BH <<>> +dnssec dnssec-test.yehoo.org. any
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31141
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 3, ADDITIONAL: 3
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;dnssec-test.yehoo.org. IN ANY
>
> ;; ANSWER SECTION:
> dnssec-test.yehoo.org. 7200 IN RRSIG A 7 3 7200 20111031232342 20111003232342 47384 yehoo.org. u5tckz/oLlUeuQkQ/s2iAuMGpFD61Zhffxf+BTHZ0gAu7rN6ekx6wDNH qoZtdMvTjIg1hZJA9/FPQtHksONg6vQGTPxXgt3XpKiYsodZzetdARmO 3EdOvzD7k59VkwwocWjtmDAHR2zp9x97KpmglqPXBtsO/PaS23KEqX2w bl0=
> dnssec-test.yehoo.org. 7200 IN AAAA 2001:4998:0:4::1005
> dnssec-test.yehoo.org. 7200 IN A 66.163.165.151
>
> ;; AUTHORITY SECTION:
> yehoo.org. 172800 IN NS nsdos3.dns.ukl.yahoo.com.
> yehoo.org. 172800 IN NS nsdos2.dns.ukl.yahoo.com.
> yehoo.org. 172800 IN RRSIG NS 7 2 172800 20111031200014 20111003200014 47384 yehoo.org. gh075sBA+8DozLx4kbxBx4RiSrQcWNR7iwoanSU0IdRPLXuRg9WeQJPC I6Unc2j8ZvoQlSpCe784q8ccaWjwqXR4V75TuTdLqTtu6srIrYpcn0g2 t0VNNuC5GhNin91ll7KkSlLtQAeezEVe8q7GhVNYnhEQWSLkch44dnvv 1uc=
>
> ;; ADDITIONAL SECTION:
> nsdos2.dns.ukl.yahoo.com. 1800 IN A 217.12.8.29
> nsdos3.dns.ukl.yahoo.com. 1800 IN A 217.12.8.30
>
> ;; Query time: 267 msec
> ;; SERVER: 74.220.195.27#53(74.220.195.27)
> ;; WHEN: Tue Oct 4 13:40:31 2011
> ;; MSG SIZE rcvd: 523
>
> ========================================================================
>
> Phreebird hands back both the A and the AAAA record, but does not sign the AAAA record.
>
> Which behavior is correct, or are they both correct?
Phreebird MUST send back the RRSIG over the AAAA record. It's a bug. CC:ed Dan
on this message.
If you query phreebird directly for the AAAA, it indeed works.
Note however, that for the any query, unbound does the same thing:
[paul at bofh paul]$ dig +dnssec any dnssec-test.yehoo.org. @193.110.157.136
;; ANSWER SECTION:
dnssec-test.yehoo.org. 7104 IN A 66.163.165.151
dnssec-test.yehoo.org. 7104 IN RRSIG A 7 3 7200 20111031232342 20111003232342 47384 yehoo.org. u5tckz/oLlUeuQkQ/s2iAuMGpFD61Zhffxf+BTHZ0gAu7rN6ekx6wDNH qoZtdMvTjIg1hZJA9/FPQtHksONg6vQGTPxXgt3XpKiYsodZzetdARmO 3EdOvzD7k59VkwwocWjtmDAHR2zp9x97KpmglqPXBtsO/PaS23KEqX2w bl0=
dnssec-test.yehoo.org. 7104 IN AAAA 2001:4998:0:4::1005
;; AUTHORITY SECTION:
yehoo.org. 170504 IN NS nsdos2.dns.ukl.yahoo.com.
yehoo.org. 170504 IN NS nsdos3.dns.ukl.yahoo.com.
yehoo.org. 170504 IN RRSIG NS 7 2 172800 20111031203327 20111003203327 47384 yehoo.org. cnK+Ph2ERrqYUfcv4BRBvLz5luYXNpD1IYotXmnKJLDWYioDDCtW9KYu AWvmB+1ixsFPMC4wUxS3g39yxHAu9aLkuAHvzQli/VaYW140Cbm+13mL fcqNqWWkaMroCQf913vgtV9E6U09t8LLA27HHq0yXZTcrMk6t1omN0jL ySI=
Possibly because it got the wrong reply on the any query itself.
While I *think* that might be a bug as well, there might be some RFC material
on why this could be fine. But the authoritative server should never do this.
It might be because it is serving both yehoo.org. and dnssec-test.yehoo.org on
the same server, and it is answering as the "parent"? I cannot tell because
halfway through my queries, you seem to have taken the domain offline.
Paul
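The point of the thread is that a signed response must carry an RRSIG for every RRset it places in the Answer section (RFC 4035 section 3.1.1), so an ANY answer containing an A and an AAAA RRset needs two RRSIGs, not one. The following Python script is an added example, not code from the thread, from Phreebird or from unbound: it parses dig presentation-format answer lines, groups them by owner and type, and lists RRsets with no covering RRSIG, which is the check a validating resolver performs before it can treat an RRset as secure. The sample input is constructed from the Phreebird answer section quoted above, with the signature data truncated, plus a hypothetical corrected answer that adds the missing AAAA RRSIG with placeholder signature bytes.

```python
"""Report RRsets in a DNSSEC answer section that lack a covering RRSIG.

Added example, not from the dns-operations thread. Input is the dig
presentation format ("owner ttl IN TYPE rdata..."); dig comment lines
starting with ';' are skipped.
"""

# Constructed from the Phreebird ANSWER SECTION quoted in the thread;
# signature data is truncated because only the type-covered field matters here.
PHREEBIRD_ANSWER = """\
;; ANSWER SECTION:
dnssec-test.yehoo.org. 7200 IN RRSIG A 7 3 7200 20111031232342 20111003232342 47384 yehoo.org. u5tckz...bl0=
dnssec-test.yehoo.org. 7200 IN AAAA 2001:4998:0:4::1005
dnssec-test.yehoo.org. 7200 IN A 66.163.165.151
"""

# Hypothetical corrected answer: the same records plus the AAAA RRSIG that
# RFC 4035 section 3.1.1 requires. The signature bytes are a placeholder.
SIGNED_ANSWER = PHREEBIRD_ANSWER + """\
dnssec-test.yehoo.org. 7200 IN RRSIG AAAA 7 3 7200 20111031232342 20111003232342 47384 yehoo.org. PLACEHOLDER==
"""


def parse_rrs(section_text):
    """Yield (owner, ttl, rrtype, rdata_tokens) for each record line."""
    for line in section_text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue  # blank lines and dig comments carry no records
        fields = line.split()
        if len(fields) < 4 or fields[2] != "IN":
            raise ValueError("unexpected record line: %r" % line)
        owner, ttl, _cls, rrtype = fields[:4]
        yield owner, int(ttl), rrtype, fields[4:]


def unsigned_rrsets(section_text):
    """Return sorted (owner, type) pairs present in the section with no RRSIG covering them.

    RRSIG records are never signed themselves (RFC 4035 section 2.2), so they
    are not counted as RRsets that need a signature; instead the first rdata
    field of each RRSIG (the type covered) marks one RRset as signed.
    """
    present = set()
    covered = set()
    for owner, _ttl, rrtype, rdata in parse_rrs(section_text):
        if rrtype == "RRSIG":
            covered.add((owner, rdata[0]))
        else:
            present.add((owner, rrtype))
    return sorted(present - covered)


if __name__ == "__main__":
    for label, text in (("phreebird", PHREEBIRD_ANSWER), ("corrected", SIGNED_ANSWER)):
        missing = unsigned_rrsets(text)
        print(label, "unsigned RRsets:", missing or "none")
```

Run against the Phreebird answer the script flags the AAAA RRset as unsigned, which is exactly the RRset a validator would be unable to authenticate from that response; the corrected answer produces no findings. Feeding it the Authority section as well would check the NS RRset the same way.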