[dns-operations] CNAMEs pointing off into the weeds - inconsistent behavior from different recursive codebases

Viktor Dukhovni ietf-dane at dukhovni.org
Wed Oct 9 05:05:40 UTC 2019


On Wed, Oct 09, 2019 at 12:10:43AM -0400, Viktor Dukhovni wrote:

> What version of unbound is this?

I failed to note the bottom of your message.  Unbound 1.6 is rather
old now.  The current version is at least 1.9.3.  Also, a parent
domain of the target:

    _acme-challenge.funnel.seastrom.com. IN CNAME _acme-challenge.funnel.seastrom.com.acme.seastrom.com.

reports NXDOMAIN:

    ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 25438
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 8192
    ;; QUESTION SECTION:
    ;com.acme.seastrom.com.         IN      NS

that could well be in your cache.

> This sure feels like a bug, but keep in mind that with
> qname minimization one might discover NSEC or NSEC3
> records that "prove" the non-existence of the qname.
> So it is possible that your zone, (if signed) has dodgy
> NSEC records.  Lack of any evidence of recursion tends
> to suggest that's the case, but a bug is also possible.

And given no signs of DNSSEC for this domain, the answer is likely
more mundane.  You might find that qname minimization is closer
to your expectations in more recent versions of unbound.

With 1.9.3 on my server, and qname minimization enabled temporarily,
I get:

    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15138
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 8192
    ;; QUESTION SECTION:
    ;_acme-challenge.funnel.seastrom.com. IN        CNAME

    ;; ANSWER SECTION:
    _acme-challenge.funnel.seastrom.com. 299 IN CNAME _acme-challenge.funnel.seastrom.com.acme.seastrom.com.

which is also the answer without qname minimization.

-- 
	Viktor.
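The minimization walk discussed above, as an added illustration that is not part of the list post: a toy model of RFC 7816 qname minimization against a single constructed zone. The zone contents (a cut at `acme.seastrom.com.` and a TXT record at the CNAME target), the `ent_bug` flag standing in for an authoritative server that answers NXDOMAIN for an empty non-terminal, and the `strict`/relaxed distinction (treat an intermediate NXDOMAIN as final per RFC 8020, or retry the full name, which is what Unbound's `qname-minimisation-strict` setting toggles) are all assumptions of the example; delegations, caching and CNAME chasing are left out.

```python
"""Toy RFC 7816 qname minimization walk (constructed example).

Shows why a minimizing resolver asks for com.acme.seastrom.com. NS first,
and how an NXDOMAIN for that intermediate name either ends resolution
(strict) or triggers a fallback to the full qname (relaxed).
"""

NOERROR, NXDOMAIN = "NOERROR", "NXDOMAIN"

# Constructed zone data; hypothetical, not the real seastrom.com zone.
ZONE_APEX = "acme.seastrom.com."
QNAME = "_acme-challenge.funnel.seastrom.com.acme.seastrom.com."
RECORDS = {
    ZONE_APEX: {"SOA": ["constructed-soa"]},
    QNAME: {"TXT": ["constructed-token"]},
}


def labels(name):
    return name.rstrip(".").split(".")


def is_empty_non_terminal(name):
    """A name with no records of its own but with records below it."""
    return name not in RECORDS and any(n.endswith("." + name) for n in RECORDS)


def authoritative(name, qtype, ent_bug=False):
    """Answer as the (single, constructed) authoritative server would.

    Returns (rcode, answers). A correct server answers NODATA, i.e.
    NOERROR with an empty answer section, for an empty non-terminal;
    with ent_bug=True it wrongly says NXDOMAIN, which is the failure
    mode that trips up minimizing resolvers.
    """
    if name in RECORDS:
        return NOERROR, RECORDS[name].get(qtype, [])
    if is_empty_non_terminal(name):
        return (NXDOMAIN if ent_bug else NOERROR), []
    return NXDOMAIN, []


def minimised_qnames(qname, zone_apex):
    """Names the resolver asks, adding one label at a time below the cut."""
    below_cut = labels(qname)[: -len(labels(zone_apex))]
    return [".".join(below_cut[i:]) + "." + zone_apex
            for i in range(len(below_cut) - 1, -1, -1)]


def resolve(qname, qtype, strict, ent_bug):
    """Walk the minimized names; intermediate steps use type NS as RFC 7816
    suggests. Returns (rcode, answers, trace of (name, rcode))."""
    trace = []
    rcode, answers = NOERROR, []
    for name in minimised_qnames(qname, ZONE_APEX):
        final = name == qname
        rcode, answers = authoritative(name, qtype if final else "NS", ent_bug)
        trace.append((name, rcode))
        if rcode == NXDOMAIN and not final:
            if strict:
                # RFC 8020: NXDOMAIN for an ancestor means nothing exists below it.
                return NXDOMAIN, [], trace
            # Relaxed behaviour: give up on minimization and ask the full name.
            rcode, answers = authoritative(qname, qtype, ent_bug)
            trace.append((qname, rcode))
            return rcode, answers, trace
    return rcode, answers, trace


if __name__ == "__main__":
    for strict, ent_bug in [(True, False), (True, True), (False, True)]:
        rcode, answers, trace = resolve(QNAME, "TXT", strict, ent_bug)
        print(f"strict={strict} ent_bug={ent_bug}: {rcode} {answers}")
        for name, step_rcode in trace:
            print(f"    {name:55} {step_rcode}")
```

Running it shows the first query is exactly the `com.acme.seastrom.com. NS` lookup quoted above, and that the NXDOMAIN in the quoted output is only fatal when the resolver treats an ancestor NXDOMAIN as final.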