[dns-operations] DNSSEC and ANY query
Dan Kaminsky
dan at doxpara.com
Tue Oct 4 21:40:23 UTC 2011
This is definitely a bug. I should have RRSIGs for each record type in ANSWER. I don't think it's even a corner case...just proper operations.
Will see why this isn't happening.
Sent from my iPhone
On Oct 4, 2011, at 2:36 PM, Paul Wouters <paul at xelerance.com> wrote:
> On Tue, 4 Oct 2011, Mark Pettit wrote:
>
>> I've recently noticed a difference in behavior between how BIND handles ANY queries for records with both A and AAAA records, and how Phreebird handles them. I'm curious if either is wrong, and what the spec says, so I thought I'd ask here.
>
>> As you can see, BIND hands back an NSEC record, an A record, and an AAAA record, and an RRSIG for each of those. There's more stuff in the Authority and Additional section, but that's not relevant to my question.
>>
>> Here's what I see from Phreebird 1.02:
>>
>> ========================================================================
>> $ dig +dnssec dnssec-test.yehoo.org. any
>>
>> ; <<>> DiG 9.6.2-RedHat-9.6.2-0.BH <<>> +dnssec dnssec-test.yehoo.org. any
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31141
>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 3, ADDITIONAL: 3
>>
>> ;; OPT PSEUDOSECTION:
>> ; EDNS: version: 0, flags: do; udp: 4096
>> ;; QUESTION SECTION:
>> ;dnssec-test.yehoo.org. IN ANY
>>
>> ;; ANSWER SECTION:
>> dnssec-test.yehoo.org. 7200 IN RRSIG A 7 3 7200 20111031232342 20111003232342 47384 yehoo.org. u5tckz/oLlUeuQkQ/s2iAuMGpFD61Zhffxf+BTHZ0gAu7rN6ekx6wDNH qoZtdMvTjIg1hZJA9/FPQtHksONg6vQGTPxXgt3XpKiYsodZzetdARmO 3EdOvzD7k59VkwwocWjtmDAHR2zp9x97KpmglqPXBtsO/PaS23KEqX2w bl0=
>> dnssec-test.yehoo.org. 7200 IN AAAA 2001:4998:0:4::1005
>> dnssec-test.yehoo.org. 7200 IN A 66.163.165.151
>>
>> ;; AUTHORITY SECTION:
>> yehoo.org. 172800 IN NS nsdos3.dns.ukl.yahoo.com.
>> yehoo.org. 172800 IN NS nsdos2.dns.ukl.yahoo.com.
>> yehoo.org. 172800 IN RRSIG NS 7 2 172800 20111031200014 20111003200014 47384 yehoo.org. gh075sBA+8DozLx4kbxBx4RiSrQcWNR7iwoanSU0IdRPLXuRg9WeQJPC I6Unc2j8ZvoQlSpCe784q8ccaWjwqXR4V75TuTdLqTtu6srIrYpcn0g2 t0VNNuC5GhNin91ll7KkSlLtQAeezEVe8q7GhVNYnhEQWSLkch44dnvv 1uc=
>>
>> ;; ADDITIONAL SECTION:
>> nsdos2.dns.ukl.yahoo.com. 1800 IN A 217.12.8.29
>> nsdos3.dns.ukl.yahoo.com. 1800 IN A 217.12.8.30
>>
>> ;; Query time: 267 msec
>> ;; SERVER: 74.220.195.27#53(74.220.195.27)
>> ;; WHEN: Tue Oct 4 13:40:31 2011
>> ;; MSG SIZE rcvd: 523
>>
>> ========================================================================
>>
>> Phreebird hands back both the A and the AAAA record, but does not sign the AAAA record.
>>
>> Which behavior is correct, or are they both correct?
>
> Phreebird MUST send back the RRSIG over the AAAA record. It's a bug. CC:ed Dan
> on this message.
>
> If you query phreebird directly for the AAAA, it indeed works.
>
> Note however, that for the any query, unbound does the same thing:
>
> [paul at bofh paul]$ dig +dnssec any dnssec-test.yehoo.org. @193.110.157.136
>
> ;; ANSWER SECTION:
> dnssec-test.yehoo.org. 7104 IN A 66.163.165.151
> dnssec-test.yehoo.org. 7104 IN RRSIG A 7 3 7200 20111031232342 20111003232342 47384 yehoo.org. u5tckz/oLlUeuQkQ/s2iAuMGpFD61Zhffxf+BTHZ0gAu7rN6ekx6wDNH qoZtdMvTjIg1hZJA9/FPQtHksONg6vQGTPxXgt3XpKiYsodZzetdARmO 3EdOvzD7k59VkwwocWjtmDAHR2zp9x97KpmglqPXBtsO/PaS23KEqX2w bl0=
> dnssec-test.yehoo.org. 7104 IN AAAA 2001:4998:0:4::1005
>
> ;; AUTHORITY SECTION:
> yehoo.org. 170504 IN NS nsdos2.dns.ukl.yahoo.com.
> yehoo.org. 170504 IN NS nsdos3.dns.ukl.yahoo.com.
> yehoo.org. 170504 IN RRSIG NS 7 2 172800 20111031203327 20111003203327 47384 yehoo.org. cnK+Ph2ERrqYUfcv4BRBvLz5luYXNpD1IYotXmnKJLDWYioDDCtW9KYu AWvmB+1ixsFPMC4wUxS3g39yxHAu9aLkuAHvzQli/VaYW140Cbm+13mL fcqNqWWkaMroCQf913vgtV9E6U09t8LLA27HHq0yXZTcrMk6t1omN0jL ySI=
>
> Possible because it got the wrong reply on the any query itself.
>
> While I *think* that might be a bug as well, there might be some RFC material
> on why this could be fine. But the authoritative server should never do this.
>
> It might be because it is serving both yehoo.org. and dnssec-test.yehoo.org on
> the same server, and it is answering as the "parent"? I cannot tell because
> halfway through my queries, you seem to have taken the domain offline.
>
> Paul
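The rule the thread converges on is that every RRset in a DNSSEC response's ANSWER section must carry its own RRSIG, whichever query type produced it. The following checker is an added example (not code from this thread, nor from Phreebird, BIND or Unbound): it parses dig-style presentation lines, groups them into RRsets, and reports any RRset with no covering RRSIG, plus any RRSIG that covers a type not present. The sample inputs are taken from the two ANSWER sections quoted above (signature data abbreviated) and one constructed answer with a signature per RRset, as Mark describes for BIND; the signature and NSEC rdata in that third sample are placeholders, not real records.

```python
"""Report ANSWER-section RRsets that lack a covering RRSIG.

Added example for the dns-operations thread on DNSSEC and ANY queries.
It reads dig-style presentation lines: owner TTL class type rdata...
"""
from collections import defaultdict

# Sample 1: the Phreebird 1.02 ANSWER section quoted in the thread (RRSIG rdata abbreviated).
PHREEBIRD_ANSWER = """\
;; ANSWER SECTION:
dnssec-test.yehoo.org. 7200 IN RRSIG A 7 3 7200 20111031232342 20111003232342 47384 yehoo.org. u5tckz/oLlUeuQkQ...
dnssec-test.yehoo.org. 7200 IN AAAA 2001:4998:0:4::1005
dnssec-test.yehoo.org. 7200 IN A 66.163.165.151
"""

# Sample 2: the Unbound answer Paul quotes; same records, different order and TTLs.
UNBOUND_ANSWER = """\
;; ANSWER SECTION:
dnssec-test.yehoo.org. 7104 IN A 66.163.165.151
dnssec-test.yehoo.org. 7104 IN RRSIG A 7 3 7200 20111031232342 20111003232342 47384 yehoo.org. u5tckz/oLlUeuQkQ...
dnssec-test.yehoo.org. 7104 IN AAAA 2001:4998:0:4::1005
"""

# Sample 3: CONSTRUCTED answer with one RRSIG per RRset, the shape Mark reports from BIND.
# The NSEC rdata and the three signature blobs are placeholders, not real data.
SIGNED_ANSWER = """\
;; ANSWER SECTION:
dnssec-test.yehoo.org. 7200 IN A 66.163.165.151
dnssec-test.yehoo.org. 7200 IN RRSIG A 7 3 7200 20111031232342 20111003232342 47384 yehoo.org. PLACEHOLDER-SIG-A
dnssec-test.yehoo.org. 7200 IN AAAA 2001:4998:0:4::1005
dnssec-test.yehoo.org. 7200 IN RRSIG AAAA 7 3 7200 20111031232342 20111003232342 47384 yehoo.org. PLACEHOLDER-SIG-AAAA
dnssec-test.yehoo.org. 7200 IN NSEC yehoo.org. A AAAA RRSIG NSEC
dnssec-test.yehoo.org. 7200 IN RRSIG NSEC 7 3 7200 20111031232342 20111003232342 47384 yehoo.org. PLACEHOLDER-SIG-NSEC
"""


def parse_rrs(text):
    """Yield (owner, type, rdata tokens) for each record line; skip dig comments and blanks."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        tokens = line.split()
        if len(tokens) < 4:          # need at least owner, TTL, class, type
            continue
        owner, _ttl, _rrclass, rrtype = tokens[:4]
        # Owner names are case-insensitive; normalise so "Foo." and "foo." group together.
        yield owner.lower(), rrtype.upper(), tokens[4:]


def rrsets_and_signatures(text):
    """Group records into RRsets and collect the (owner, type covered) of every RRSIG."""
    rrsets = defaultdict(list)       # (owner, type) -> list of rdata token lists
    signed = set()                   # (owner, type_covered) for each RRSIG present
    for owner, rrtype, rdata in parse_rrs(text):
        if rrtype == "RRSIG":
            if rdata:                # first rdata field of an RRSIG is the type it covers
                signed.add((owner, rdata[0].upper()))
        else:
            rrsets[(owner, rrtype)].append(rdata)
    return rrsets, signed


def unsigned_rrsets(text):
    """RRsets in the answer that have no RRSIG covering them (RRSIGs themselves are never signed)."""
    rrsets, signed = rrsets_and_signatures(text)
    return sorted(key for key in rrsets if key not in signed)


def orphan_signatures(text):
    """RRSIGs whose covered RRset does not appear in the answer at all."""
    rrsets, signed = rrsets_and_signatures(text)
    return sorted(sig for sig in signed if sig not in rrsets)


def report(name, text):
    """Human-readable summary for one captured answer section."""
    missing = unsigned_rrsets(text)
    orphans = orphan_signatures(text)
    if not missing and not orphans:
        return f"{name}: every RRset is covered by an RRSIG"
    parts = [f"{name}:"]
    for owner, rrtype in missing:
        parts.append(f"  missing RRSIG for {owner} {rrtype}")
    for owner, rrtype in orphans:
        parts.append(f"  RRSIG covers {rrtype} at {owner} but no such RRset is present")
    return "\n".join(parts)


if __name__ == "__main__":
    for label, answer in (("phreebird", PHREEBIRD_ANSWER),
                          ("unbound", UNBOUND_ANSWER),
                          ("signed", SIGNED_ANSWER)):
        print(report(label, answer))
```

Run against the two quoted answers the checker flags the AAAA RRset as unsigned in both, which matches Paul's observation that Unbound is relaying what the authoritative server handed it; a validating resolver would treat that AAAA RRset as bogus. The checker is order-independent, so the differing record order between the Phreebird and Unbound captures does not affect the result.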