[dns-operations] unbound-bind chain causing validation failures on synthesized records
Mark Andrews
marka at isc.org
Mon Jul 9 22:40:37 UTC 2012
In message <alpine.LFD.2.02.1206222133580.25295 at bofh.nohats.ca>, Paul Wouters writes:
>
> When forwarding unbound to a bind instance with dnssec support enabled,
> but dnssec validation disabled, and when querying for a wildcard instance
> (e.g. foo.fedorapeople.org), bind's reply to unbound is not satisfactory to
> unbound. It seems unbound is expecting an NSEC/RRSIG over the NS record
> set in the authority section, and marks the result bogus.
>
> It is not entirely clear to me if this is a bind or unbound bug.
BIND bug: the "NOQNAME" NSEC/NSEC3 proof extraction is a side effect
of validation.
That said, if you are talking through a recursive server, that server
should be validating, as there are situations that are not recoverable
without it.
Mark
> This can be simply reproduced by running bind 9.9.1 (or 9.8.x) using:
>
> ip addr add 1.2.3.4 dev lo
>
> named.conf:
>
> options {
>     listen-on port 53 { 1.2.3.4; };
>     // listen-on-v6 port 53 { ::1; };
>     directory "/var/named";
>     dump-file "/var/named/data/cache_dump.db";
>     statistics-file "/var/named/data/named_stats.txt";
>     memstatistics-file "/var/named/data/named_mem_stats.txt";
>     allow-query { localhost; };
>     recursion yes;
>
>     dnssec-enable yes;
>     // dnssec-validation yes;
>     // dnssec-lookaside auto;
>
>     managed-keys-directory "/var/named/dynamic";
> };
>
> logging {
>     channel default_debug {
>         file "data/named.run";
>         severity dynamic;
>     };
> };
>
> zone "." IN {
>     type hint;
>     file "named.ca";
> };
>
> include "/etc/named.rfc1912.zones";
> include "/etc/named.root.key";
>
> dig +dnssec foo.fedorapeople.org @1.2.3.4
>
> ; <<>> DiG 9.8.2-RedHat-9.8.2-2.fc16 <<>> +dnssec foo.fedorapeople.org @1.2.3.4
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27114
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 5
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;foo.fedorapeople.org. IN A
>
> ;; ANSWER SECTION:
> foo.fedorapeople.org. 60 IN A 152.19.134.191
> foo.fedorapeople.org. 60 IN RRSIG A 5 2 60 20120802165114 20120703165114 378 fedorapeople.org. G3S+RaJMGia8V9rLWRKrhpM9oprjvro+TXw0oU+AuDiyt7vTGpbf/nan ntGyZ2oiDXC4myyNjxlmaK1gtXyBtINhPzJX/tUgZR0AwE20iRfVxya2 10SpvZ+TRz4l3u4KLFxxu3SxC0hLY2NULFqW4WLPTxbQ4JoQnag4qi9F iiQ=
>
> ;; AUTHORITY SECTION:
> fedorapeople.org. 86400 IN NS ns04.fedoraproject.org.
> fedorapeople.org. 86400 IN NS ns02.fedoraproject.org.
> fedorapeople.org. 86400 IN NS ns05.fedoraproject.org.
> fedorapeople.org. 86400 IN NS ns-sb01.fedoraproject.org.
>
> ;; ADDITIONAL SECTION:
> ns02.fedoraproject.org. 86400 IN A 152.19.134.139
> ns04.fedoraproject.org. 86400 IN A 209.132.181.17
> ns05.fedoraproject.org. 86400 IN A 85.236.55.10
> ns-sb01.fedoraproject.org. 86400 IN A 69.174.247.243
>
> ;; Query time: 1821 msec
> ;; SERVER: 1.2.3.4#53(1.2.3.4)
> ;; WHEN: Mon Jul 9 15:04:13 2012
> ;; MSG SIZE rcvd: 398
>
> The same query on unbound gives:
>
> [root at bofh drafts]# dig +dnssec foo.fedorapeople.org @127.0.0.1
>
> ; <<>> DiG 9.8.2-RedHat-9.8.2-2.fc16 <<>> +dnssec foo.fedorapeople.org @127.0.0.1
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7115
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;foo.fedorapeople.org. IN A
>
> ;; ANSWER SECTION:
> foo.fedorapeople.org. 60 IN A 152.19.134.191
> foo.fedorapeople.org. 60 IN RRSIG A 5 2 60 20120802165114 20120703165114 378 fedorapeople.org. G3S+RaJMGia8V9rLWRKrhpM9oprjvro+TXw0oU+AuDiyt7vTGpbf/nan ntGyZ2oiDXC4myyNjxlmaK1gtXyBtINhPzJX/tUgZR0AwE20iRfVxya2 10SpvZ+TRz4l3u4KLFxxu3SxC0hLY2NULFqW4WLPTxbQ4JoQnag4qi9F iiQ=
>
> ;; AUTHORITY SECTION:
> *.fedorapeople.org. 86400 IN NSEC fedorapeople.org. A AAAA RRSIG NSEC
> *.fedorapeople.org. 86400 IN RRSIG NSEC 5 2 86400 20120802165114 20120703165114 378 fedorapeople.org. L62mmhkOSmGil0ZusbSmpkdbhmxbXw9iJk/krJxV2FSjEy4k0wIh/4ug gpya8ZWkXyoRSBkVf8EtF3cta+6tdOyetyAUkQoJGfryu1YtIUrDUbd0 yq93dMZsRcHBwuwapFQpcRM+Yrye1YDlup/R2Dai9RY3acezvJX1KCxU 0iY=
>
> ;; Query time: 51 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Mon Jul 9 15:06:12 2012
> ;; MSG SIZE rcvd: 457
>
> unbound, when configured to use the above bind as forwarder via
> dnssec-trigger gives:
>
> May 24 09:38:06 bradley unbound: [24502:1] info: validator operate: query foo.fedorapeople.org. A IN
> May 24 09:38:06 bradley unbound: [24502:1] info: resolving foo.fedorapeople.org. A IN
> May 24 09:38:06 bradley unbound: [24502:1] info: processQueryTargets: foo.fedorapeople.org. A IN
> May 24 09:38:06 bradley unbound: [24502:1] info: DelegationPoint<.>: 0 names (0 missing), 2 addrs (0 result, 2 avail) cacheNS
> May 24 09:38:06 bradley unbound: [24502:1] info: sending query: foo.fedorapeople.org. A IN
> May 24 09:38:06 bradley unbound: [24502:1] info: mesh_run: end 1 recursion states (0 with reply, 1 detached), 0 waiting replies, 22 recursion replies sent, 0 replies dropped, 0 states jostled out
> May 24 09:38:06 bradley unbound: [24502:1] info: average recursion processing time 3.168268 sec
> May 24 09:38:06 bradley unbound: [24502:1] info: histogram of recursion processing times
> May 24 09:38:06 bradley unbound: [24502:1] info: [25%]=0.563931 median[50%]=1 [75%]=2.33333
> May 24 09:38:06 bradley unbound: [24502:1] info: lower(secs) upper(secs) recursions
> May 24 09:38:06 bradley unbound: [24502:1] info: 0.002048 0.004096 1
> May 24 09:38:06 bradley unbound: [24502:1] info: 0.016384 0.032768 1
> May 24 09:38:06 bradley unbound: [24502:1] info: 0.131072 0.262144 2
> May 24 09:38:06 bradley unbound: [24502:1] info: 0.262144 0.524288 1
> May 24 09:38:06 bradley unbound: [24502:1] info: 0.524288 1.000000 6
> May 24 09:38:06 bradley unbound: [24502:1] info: 1.000000 2.000000 5
> May 24 09:38:06 bradley unbound: [24502:1] info: 2.000000 4.000000 3
> May 24 09:38:06 bradley unbound: [24502:1] info: 16.000000 32.000000 3
> May 24 09:38:06 bradley unbound: [24502:1] info: 0RDd mod1 foo.fedorapeople.org. A IN
> May 24 09:38:06 bradley unbound: [24502:1] info: iterator operate: query foo.fedorapeople.org. A IN
> May 24 09:38:06 bradley unbound: [24502:1] info: scrub for . NS IN
> May 24 09:38:06 bradley unbound: [24502:1] info: response for foo.fedorapeople.org. A IN
> May 24 09:38:06 bradley unbound: [24502:1] info: reply from <.> 203.2.75.132#53
> May 24 09:38:06 bradley unbound: [24502:1] info: incoming scrubbed packet: ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 0
> May 24 09:38:06 bradley unbound: [24502:1] info: query response was ANSWER
> May 24 09:38:06 bradley unbound: [24502:1] info: finishing processing for foo.fedorapeople.org. A IN
> May 24 09:38:06 bradley unbound: [24502:1] info: validator operate: query foo.fedorapeople.org. A IN
> May 24 09:38:06 bradley unbound: [24502:1] info: signer is fedorapeople.org. TYPE0 CLASS0
> May 24 09:38:06 bradley unbound: [24502:1] info: validator: FindKey foo.fedorapeople.org. A IN
> May 24 09:38:06 bradley unbound: [24502:1] info: verify rrset foo.fedorapeople.org. A IN
> May 24 09:38:06 bradley unbound: [24502:1] info: verify rrset fedorapeople.org. NS IN
> May 24 09:38:06 bradley unbound: [24502:1] info: validator: response has failed AUTHORITY rrset: fedorapeople.org. NS IN
> May 24 09:38:06 bradley unbound: [24502:1] info: validate(positive): sec_status_bogus
> May 24 09:38:06 bradley unbound: [24502:1] info: resolving foo.fedorapeople.org. A IN
> May 24 09:38:06 bradley unbound: [24502:1] info: processQueryTargets: foo.fedorapeople.org. A IN
> May 24 09:38:06 bradley unbound: [24502:1] info: DelegationPoint<.>: 0 names (0 missing), 2 addrs (0 result, 2 avail) cacheNS
> May 24 09:38:06 bradley unbound: [24502:1] info: sending query: foo.fedorapeople.org. A IN
> May 24 09:38:06 bradley unbound: [24502:1] info: mesh_run: end 1 recursion states (0 with reply, 1 detached), 0 waiting replies, 22 recursion replies sent, 0 replies dropped, 0 states jostled out
> May 24 09:38:06 bradley unbound: [24502:1] info: average recursion processing time 3.168268 sec
> May 24 09:38:06 bradley unbound: [24502:1] info: histogram of recursion processing times
> May 24 09:38:06 bradley unbound: [24502:1] info: [25%]=0.563931 median[50%]=1 [75%]=2.33333
> May 24 09:38:06 bradley unbound: [24502:1] info: lower(secs) upper(secs) recursions
> May 24 09:38:06 bradley unbound: [24502:1] info: 0.002048 0.004096 1
> May 24 09:38:06 bradley unbound: [24502:1] info: 0.016384 0.032768 1
> May 24 09:38:06 bradley unbound: [24502:1] info: 0.131072 0.262144 2
> May 24 09:38:06 bradley unbound: [24502:1] info: 0.262144 0.524288 1
> May 24 09:38:06 bradley unbound: [24502:1] info: 0.524288 1.000000 6
> May 24 09:38:06 bradley unbound: [24502:1] info: 1.000000 2.000000 5
> May 24 09:38:06 bradley unbound: [24502:1] info: 2.000000 4.000000 3
> May 24 09:38:06 bradley unbound: [24502:1] info: 16.000000 32.000000 3
> May 24 09:38:06 bradley unbound: [24502:1] info: 0RDd mod1 foo.fedorapeople.org. A IN
> May 24 09:38:06 bradley unbound: [24502:1] info: iterator operate: query foo.fedorapeople.org. A IN
> May 24 09:38:06 bradley unbound: [24502:1] info: scrub for . NS IN
> May 24 09:38:06 bradley unbound: [24502:1] info: response for foo.fedorapeople.org. A IN
> May 24 09:38:06 bradley unbound: [24502:1] info: reply from <.> 198.142.0.51#53
> May 24 09:38:06 bradley unbound: [24502:1] info: incoming scrubbed packet: ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 0
> May 24 09:38:06 bradley unbound: [24502:1] info: query response was ANSWER
> May 24 09:38:06 bradley unbound: [24502:1] info: finishing processing for foo.fedorapeople.org. A IN
> May 24 09:38:06 bradley unbound: [24502:1] info: validator operate: query foo.fedorapeople.org. A IN
> May 24 09:38:06 bradley unbound: [24502:1] info: validator operate: chased to . TYPE0 CLASS0
> May 24 09:38:06 bradley unbound: [24502:1] info: signer is fedorapeople.org. TYPE0 CLASS0
> May 24 09:38:06 bradley unbound: [24502:1] info: validator: FindKey foo.fedorapeople.org. A IN
> May 24 09:38:06 bradley unbound: [24502:1] info: verify rrset foo.fedorapeople.org. A IN
> May 24 09:38:06 bradley unbound: [24502:1] info: verify rrset fedorapeople.org. NS IN
> May 24 09:38:06 bradley unbound: [24502:1] info: validator: response has failed AUTHORITY rrset: fedorapeople.org. NS IN
> May 24 09:38:06 bradley unbound: [24502:1] info: validate(positive): sec_status_bogus
>
> Note that querying for the wildcard directly, e.g. dig '*.fedorapeople.org', works fine.
>
> Paul
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
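The point of Mark's answer is that a wildcard-expanded answer is only provably legitimate if the AUTHORITY section carries an NSEC (or NSEC3) record proving the queried name itself does not exist; a validating resolver detects the expansion from the RRSIG Labels field (2 in the quoted RRSIG, against 3 labels in foo.fedorapeople.org) and then looks for that proof. The following Python is an added illustration of that check and is not code from the thread, BIND or unbound. It implements RFC 4034 canonical name ordering and NSEC interval coverage (including the wrap-around of the last NSEC back to the apex, which is exactly the case in unbound's reply), reconstructs the wildcard owner name from the Labels field, and runs both AUTHORITY sections quoted above as constructed sample input. It deliberately ignores signature verification, NSEC3 and the closest-encloser test a full validator also performs.

```python
"""Check whether a wildcard-expanded DNSSEC answer carries the NSEC
"NOQNAME" proof a validator requires (RFC 4035 section 5.3.4).

Added example; sample AUTHORITY sections are constructed from the dig
output in the thread, not parsed from live responses."""


def canonical_key(name: str) -> tuple:
    """RFC 4034 section 6.1 canonical ordering key: labels are compared from
    the root outwards, case-insensitively; a name that is a proper prefix
    of another (fewer labels) sorts first, which tuple comparison gives."""
    name = name.rstrip(".").lower()
    return tuple(reversed(name.split("."))) if name else ()


def nsec_covers(owner: str, next_name: str, qname: str) -> bool:
    """True if qname lies strictly between owner and next_name in canonical
    order. The last NSEC of a zone points back to the apex, so next <= owner
    means the interval wraps around the end of the zone."""
    o, n, q = canonical_key(owner), canonical_key(next_name), canonical_key(qname)
    if o < n:
        return o < q < n
    return q > o or q < n  # wrap-around interval of the last NSEC


def wildcard_expanded_from(qname: str, rrsig_labels: int):
    """If the RRSIG Labels field is smaller than the owner's label count, the
    RRset was synthesized from a wildcard (RFC 4035 section 5.3.4); return
    that wildcard's owner name, or None if no expansion took place."""
    labels = canonical_key(qname)
    if rrsig_labels >= len(labels):
        return None
    suffix = ".".join(reversed(labels[:rrsig_labels]))
    return "*." + suffix + "."


def validate_wildcard_answer(qname: str, rrsig_labels: int, authority: list) -> str:
    """authority: list of (owner, rrtype, rdata) tuples from the AUTHORITY
    section. Returns 'secure' when an NSEC covers qname (proving no exact
    match existed, so the wildcard expansion was legitimate), a 'bogus'
    verdict when the proof is missing, or a note that no wildcard was used."""
    if wildcard_expanded_from(qname, rrsig_labels) is None:
        return "not a wildcard answer"
    for owner, rrtype, rdata in authority:
        if rrtype != "NSEC":
            continue
        next_name = rdata.split()[0]  # first rdata field is the Next Domain Name
        if nsec_covers(owner, next_name, qname):
            return "secure"
    return "bogus: missing NOQNAME proof"


# Constructed from the thread: the query name and the Labels field (2) of
# the RRSIG covering the A record, "RRSIG A 5 2 60 ...".
QNAME = "foo.fedorapeople.org."
RRSIG_LABELS = 2

# AUTHORITY section of the non-validating BIND forwarder's reply: NS only.
BIND_AUTHORITY = [
    ("fedorapeople.org.", "NS", "ns04.fedoraproject.org."),
    ("fedorapeople.org.", "NS", "ns02.fedoraproject.org."),
]

# AUTHORITY section of unbound's own reply: the NSEC chain's last record,
# whose Next Domain Name wraps back to the zone apex.
UNBOUND_AUTHORITY = [
    ("*.fedorapeople.org.", "NSEC", "fedorapeople.org. A AAAA RRSIG NSEC"),
    ("*.fedorapeople.org.", "RRSIG", "NSEC 5 2 86400 20120802165114 ..."),
]

if __name__ == "__main__":
    print("wildcard used:", wildcard_expanded_from(QNAME, RRSIG_LABELS))
    print("via BIND forwarder:", validate_wildcard_answer(QNAME, RRSIG_LABELS, BIND_AUTHORITY))
    print("via unbound       :", validate_wildcard_answer(QNAME, RRSIG_LABELS, UNBOUND_AUTHORITY))
```

Run against the two constructed AUTHORITY sections, the BIND-forwarded reply comes back as bogus for lack of the NOQNAME proof while unbound's own reply validates, which is the difference the log excerpt shows; a forwarder that validates itself would have retained the NSEC records, which is why Mark recommends it.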