[dns-operations] DNSSEC and ANY query

Dan Kaminsky dan at doxpara.com
Tue Oct 4 21:40:23 UTC 2011


This is definitely a bug. I should have RRSIGs for each record type in ANSWER.  I don't think it's even a corner case...just proper operations.

Will see why this isn't happening. 

Sent from my iPhone

On Oct 4, 2011, at 2:36 PM, Paul Wouters <paul at xelerance.com> wrote:

> On Tue, 4 Oct 2011, Mark Pettit wrote:
> 
>> I've recently noticed a difference in behavior between how BIND handles ANY queries for records with both A and AAAA records, and how Phreebird handles them.  I'm curious if either is wrong, and what the spec says, so I thought I'd ask here.
> 
>> As you can see, BIND hands back an NSEC record, an A record, and an AAAA record, and an RRSIG for each of those.  There's more stuff in the Authority and Additional section, but that's not relevant to my question.
>> 
>> Here's what I see from Phreebird 1.02:
>> 
>> ========================================================================
>> $ dig +dnssec dnssec-test.yehoo.org. any
>> 
>> ; <<>> DiG 9.6.2-RedHat-9.6.2-0.BH <<>> +dnssec dnssec-test.yehoo.org. any
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31141
>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 3, ADDITIONAL: 3
>> 
>> ;; OPT PSEUDOSECTION:
>> ; EDNS: version: 0, flags: do; udp: 4096
>> ;; QUESTION SECTION:
>> ;dnssec-test.yehoo.org.        IN    ANY
>> 
>> ;; ANSWER SECTION:
>> dnssec-test.yehoo.org.    7200    IN    RRSIG    A 7 3 7200 20111031232342 20111003232342 47384 yehoo.org. u5tckz/oLlUeuQkQ/s2iAuMGpFD61Zhffxf+BTHZ0gAu7rN6ekx6wDNH qoZtdMvTjIg1hZJA9/FPQtHksONg6vQGTPxXgt3XpKiYsodZzetdARmO 3EdOvzD7k59VkwwocWjtmDAHR2zp9x97KpmglqPXBtsO/PaS23KEqX2w bl0=
>> dnssec-test.yehoo.org.    7200    IN    AAAA    2001:4998:0:4::1005
>> dnssec-test.yehoo.org.    7200    IN    A    66.163.165.151
>> 
>> ;; AUTHORITY SECTION:
>> yehoo.org.        172800    IN    NS    nsdos3.dns.ukl.yahoo.com.
>> yehoo.org.        172800    IN    NS    nsdos2.dns.ukl.yahoo.com.
>> yehoo.org.        172800    IN    RRSIG    NS 7 2 172800 20111031200014 20111003200014 47384 yehoo.org. gh075sBA+8DozLx4kbxBx4RiSrQcWNR7iwoanSU0IdRPLXuRg9WeQJPC I6Unc2j8ZvoQlSpCe784q8ccaWjwqXR4V75TuTdLqTtu6srIrYpcn0g2 t0VNNuC5GhNin91ll7KkSlLtQAeezEVe8q7GhVNYnhEQWSLkch44dnvv 1uc=
>> 
>> ;; ADDITIONAL SECTION:
>> nsdos2.dns.ukl.yahoo.com. 1800    IN    A    217.12.8.29
>> nsdos3.dns.ukl.yahoo.com. 1800    IN    A    217.12.8.30
>> 
>> ;; Query time: 267 msec
>> ;; SERVER: 74.220.195.27#53(74.220.195.27)
>> ;; WHEN: Tue Oct  4 13:40:31 2011
>> ;; MSG SIZE  rcvd: 523
>> 
>> ========================================================================
>> 
>> Phreebird hands back both the A and the AAAA record, but does not sign the AAAA record.
>> 
>> Which behavior is correct, or are they both correct?
> 
> Phreebird MUST send back the RRSIG over the AAAA record. It's a bug. CC:ed Dan
> on this message.
> 
> If you query phreebird directly for the AAAA, it indeed works.
> 
> Note however, that for the any query, unbound does the same thing:
> 
> [paul at bofh paul]$ dig +dnssec any dnssec-test.yehoo.org. @193.110.157.136
> 
> ;; ANSWER SECTION:
> dnssec-test.yehoo.org.    7104    IN    A    66.163.165.151
> dnssec-test.yehoo.org.    7104    IN    RRSIG    A 7 3 7200 20111031232342 20111003232342 47384 yehoo.org. u5tckz/oLlUeuQkQ/s2iAuMGpFD61Zhffxf+BTHZ0gAu7rN6ekx6wDNH qoZtdMvTjIg1hZJA9/FPQtHksONg6vQGTPxXgt3XpKiYsodZzetdARmO 3EdOvzD7k59VkwwocWjtmDAHR2zp9x97KpmglqPXBtsO/PaS23KEqX2w bl0=
> dnssec-test.yehoo.org.    7104    IN    AAAA    2001:4998:0:4::1005
> 
> ;; AUTHORITY SECTION:
> yehoo.org.        170504    IN    NS    nsdos2.dns.ukl.yahoo.com.
> yehoo.org.        170504    IN    NS    nsdos3.dns.ukl.yahoo.com.
> yehoo.org.        170504    IN    RRSIG    NS 7 2 172800 20111031203327 20111003203327 47384 yehoo.org. cnK+Ph2ERrqYUfcv4BRBvLz5luYXNpD1IYotXmnKJLDWYioDDCtW9KYu AWvmB+1ixsFPMC4wUxS3g39yxHAu9aLkuAHvzQli/VaYW140Cbm+13mL fcqNqWWkaMroCQf913vgtV9E6U09t8LLA27HHq0yXZTcrMk6t1omN0jL ySI=
> 
> Possibly because it got the wrong reply on the any query itself.
> 
> While I *think* that might be a bug as well, there might be some RFC material
> on why this could be fine. But the authoritative server should never do this.
> 
> It might be because it is serving both yehoo.org. and dnssec-test.yehoo.org on
> the same server, and it is answering as the "parent"? I cannot tell because
> halfway through my queries, you seem to have taken the domain offline.
> 
> Paul
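The check the thread is doing by eye, as an added example that is not code from the thread or from Phreebird, BIND or unbound: it takes the ANSWER section of a `dig +dnssec ... any` reply in dig's presentation format, groups the records into RRsets by owner and type, and reports any RRset that has no RRSIG whose type-covered field matches it (and, the reverse case, any RRSIG with no RRset to cover). A validating resolver verifies each RRset in the answer separately, so an AAAA RRset returned without its RRSIG cannot validate even when the A RRset beside it does. The two sample answers are constructed to mirror the shapes in the thread: the signature blobs are placeholders, and the NSEC line in the BIND-style sample is made up to show the expected shape, not copied from a real zone.

```python
"""Check a DNSSEC ANY answer for an RRSIG covering each RRset.

Added example, not from the thread or from any of the implementations it
names. Input is dig presentation format, one RR per line; comment lines
starting with ';' and blank lines are ignored.
"""

# Constructed to mirror the Phreebird answer in the thread (placeholder signature).
PHREEBIRD_ANSWER = """\
dnssec-test.yehoo.org.    7200    IN    RRSIG    A 7 3 7200 20111031232342 20111003232342 47384 yehoo.org. u5tckz...bl0=
dnssec-test.yehoo.org.    7200    IN    AAAA    2001:4998:0:4::1005
dnssec-test.yehoo.org.    7200    IN    A    66.163.165.151
"""

# Constructed to mirror what the thread says BIND returns: NSEC, A, AAAA and an
# RRSIG for each. Signatures and the NSEC next-owner/type bitmap are made up.
BIND_STYLE_ANSWER = """\
dnssec-test.yehoo.org.    7200    IN    NSEC     next.yehoo.org. A AAAA RRSIG NSEC
dnssec-test.yehoo.org.    7200    IN    RRSIG    NSEC 7 3 7200 20111031232342 20111003232342 47384 yehoo.org. AAAA...==
dnssec-test.yehoo.org.    7200    IN    A        66.163.165.151
dnssec-test.yehoo.org.    7200    IN    RRSIG    A 7 3 7200 20111031232342 20111003232342 47384 yehoo.org. u5tckz...bl0=
dnssec-test.yehoo.org.    7200    IN    AAAA     2001:4998:0:4::1005
dnssec-test.yehoo.org.    7200    IN    RRSIG    AAAA 7 3 7200 20111031232342 20111003232342 47384 yehoo.org. BBBB...==
"""


def parse_rrs(text):
    """Parse dig-style RR lines into (owner, ttl, rtype, rdata_tokens) tuples."""
    rrs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split()
        if len(parts) < 5:
            raise ValueError(f"unparseable RR line: {line!r}")
        owner, ttl, rclass, rtype, rdata = parts[0], int(parts[1]), parts[2], parts[3], parts[4:]
        if rclass != "IN":
            raise ValueError(f"unexpected class {rclass!r} in: {line!r}")
        # Owner names are case-insensitive; normalise so A and RRSIG A group together.
        rrs.append((owner.lower(), ttl, rtype.upper(), rdata))
    return rrs


def rrsig_type_covered(rdata):
    """RRSIG RDATA is: type-covered, algorithm, labels, original TTL,
    expiration, inception, key tag, signer name, signature."""
    if len(rdata) < 9:
        raise ValueError(f"RRSIG RDATA too short: {rdata!r}")
    return rdata[0].upper()


def check_answer(text):
    """Return {'unsigned': [(owner, type), ...], 'orphan_rrsigs': [...]}.

    'unsigned' lists RRsets with no RRSIG whose type-covered field matches;
    'orphan_rrsigs' lists RRSIGs for which no RRset of that type is present.
    Both lists are sorted so results are stable for comparison.
    """
    rrsets = set()
    covered = set()
    for owner, _ttl, rtype, rdata in parse_rrs(text):
        if rtype == "RRSIG":
            covered.add((owner, rrsig_type_covered(rdata)))
        else:
            rrsets.add((owner, rtype))
    return {
        "unsigned": sorted(rrsets - covered),
        "orphan_rrsigs": sorted(covered - rrsets),
    }


def unsigned_rrsets(text):
    """Convenience wrapper: just the RRsets that lack a covering RRSIG."""
    return check_answer(text)["unsigned"]


if __name__ == "__main__":
    for label, answer in (("phreebird", PHREEBIRD_ANSWER), ("bind-style", BIND_STYLE_ANSWER)):
        result = check_answer(answer)
        print(f"{label}: unsigned={result['unsigned']} orphan_rrsigs={result['orphan_rrsigs']}")
```

To run it against a live server, paste the ANSWER section of `dig +dnssec <name> any @<server>` into `check_answer`; the same grouping works for the AUTHORITY section if you want to confirm the NS RRset there is signed too.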
