[dns-operations] Dealing with the bizarre - grantee.fema.gov

Viktor Dukhovni ietf-dane at dukhovni.org
Wed Jul 8 19:31:26 UTC 2020


On Wed, Jul 08, 2020 at 03:03:57PM -0400, Viktor Dukhovni wrote:

> > However, grantee.fema.gov is horribly broken:
> >     • Querying the authority for the DNSKEY without the DO bit works (getting the DNSKEY with no signatures)
> >     • Querying the authority for the DNSKEY with the DO bit fails (times out or sets TC)
> >     • Querying the authority for the DNSKEY over TCP gets NODATA with an SOA but no other AUTHORITY RRs, regardless of the DO bit
> 
> But for me, the DNSKEY and A record queries are working presently:

That is, working with direct queries to the authorities, bypassing my
local unbound resolver, or with unbound-host (below).  The unbound
resolver fails; it is configured with a modest UDP buffer size.

    ...
    [1594236070] libunbound[1398600:0] info: resolving fema.gov. DNSKEY IN
    [1594236070] libunbound[1398600:0] info: resolving (init part 2):  fema.gov. DNSKEY IN
    [1594236070] libunbound[1398600:0] info: resolving (init part 3):  fema.gov. DNSKEY IN
    [1594236070] libunbound[1398600:0] info: processQueryTargets: fema.gov. DNSKEY IN
    [1594236070] libunbound[1398600:0] info: sending query: fema.gov. DNSKEY IN
    [1594236070] libunbound[1398600:0] debug: sending to target: <fema.gov.> 23.211.61.66#53
    [1594236070] libunbound[1398600:0] debug: iterator[module 2] operate: extstate:module_wait_reply event:module_event_reply
    [1594236070] libunbound[1398600:0] info: iterator operate: query fema.gov. DNSKEY IN
    [1594236070] libunbound[1398600:0] info: response for fema.gov. DNSKEY IN
    [1594236070] libunbound[1398600:0] info: reply from <fema.gov.> 23.211.61.66#53
    [1594236070] libunbound[1398600:0] info: query response was ANSWER
    [1594236070] libunbound[1398600:0] info: finishing processing for fema.gov. DNSKEY IN
    [1594236070] libunbound[1398600:0] debug: validator[module 1] operate: extstate:module_wait_module event:module_event_moddone
    [1594236070] libunbound[1398600:0] info: validator operate: query fema.gov. DNSKEY IN
    [1594236070] libunbound[1398600:0] debug: subnet[module 0] operate: extstate:module_wait_module event:module_event_moddone
    [1594236070] libunbound[1398600:0] info: subnet operate: query fema.gov. DNSKEY IN
    [1594236070] libunbound[1398600:0] info: validated DNSKEY fema.gov. DNSKEY IN
    [1594236070] libunbound[1398600:0] debug: validator[module 1] operate: extstate:module_wait_subquery event:module_event_pass
    [1594236070] libunbound[1398600:0] info: validator operate: query grantee.fema.gov. A IN
    [1594236070] libunbound[1398600:0] info: validated DS grantee.fema.gov. DS IN
    [1594236070] libunbound[1398600:0] debug: subnet[module 0] operate: extstate:module_state_initial event:module_event_pass
    [1594236070] libunbound[1398600:0] info: subnet operate: query grantee.fema.gov. DNSKEY IN
    [1594236070] libunbound[1398600:0] debug: validator[module 1] operate: extstate:module_state_initial event:module_event_pass
    [1594236070] libunbound[1398600:0] info: validator operate: query grantee.fema.gov. DNSKEY IN
    [1594236070] libunbound[1398600:0] debug: iterator[module 2] operate: extstate:module_state_initial event:module_event_pass
    [1594236070] libunbound[1398600:0] info: resolving grantee.fema.gov. DNSKEY IN
    [1594236070] libunbound[1398600:0] info: resolving (init part 2):  grantee.fema.gov. DNSKEY IN
    [1594236070] libunbound[1398600:0] info: resolving (init part 3):  grantee.fema.gov. DNSKEY IN
    [1594236070] libunbound[1398600:0] info: processQueryTargets: grantee.fema.gov. DNSKEY IN
    [1594236070] libunbound[1398600:0] info: sending query: grantee.fema.gov. DNSKEY IN
    [1594236070] libunbound[1398600:0] debug: sending to target: <grantee.fema.gov.> 216.81.81.101#53
    [1594236070] libunbound[1398600:0] debug: iterator[module 2] operate: extstate:module_wait_reply event:module_event_reply
    [1594236070] libunbound[1398600:0] info: iterator operate: query grantee.fema.gov. DNSKEY IN
    [1594236070] libunbound[1398600:0] info: response for grantee.fema.gov. DNSKEY IN
    [1594236070] libunbound[1398600:0] info: reply from <grantee.fema.gov.> 216.81.81.101#53
    [1594236070] libunbound[1398600:0] info: query response was ANSWER
    [1594236070] libunbound[1398600:0] info: finishing processing for grantee.fema.gov. DNSKEY IN
    [1594236070] libunbound[1398600:0] debug: validator[module 1] operate: extstate:module_wait_module event:module_event_moddone
    [1594236070] libunbound[1398600:0] info: validator operate: query grantee.fema.gov. DNSKEY IN
    [1594236070] libunbound[1398600:0] debug: subnet[module 0] operate: extstate:module_wait_module event:module_event_moddone
    [1594236070] libunbound[1398600:0] info: subnet operate: query grantee.fema.gov. DNSKEY IN
    [1594236070] libunbound[1398600:0] info: validated DNSKEY grantee.fema.gov. DNSKEY IN
    [1594236070] libunbound[1398600:0] debug: validator[module 1] operate: extstate:module_wait_subquery event:module_event_pass
    [1594236070] libunbound[1398600:0] info: validator operate: query grantee.fema.gov. A IN
    [1594236070] libunbound[1398600:0] info: validate(positive): sec_status_secure
    [1594236070] libunbound[1398600:0] info: validation success grantee.fema.gov. A IN
    [1594236070] libunbound[1398600:0] debug: subnet[module 0] operate: extstate:module_wait_module event:module_event_moddone
    [1594236070] libunbound[1398600:0] info: subnet operate: query grantee.fema.gov. A IN
    grantee.fema.gov has address 173.255.49.196 (secure)

With even more verbose debugging, unbound-host reports a DNSKEY response
size of 1842 bytes.

Which again goes to show the importance of properly working DNS over TCP.
Without it any choice of UDP buffer size is too large for some domains,
and too big for others.

-- 
    Viktor.
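As an added illustration, not part of Viktor's message, here is a Python model of the failure mode he describes: a wire-format DNSKEY query carrying an EDNS0 OPT record with the DO bit and an advertised UDP buffer size, a constructed stand-in for the authority (truncates over UDP when the signed reply exceeds the buffer, returns NODATA over TCP), and the resolver's TC-driven fallback to TCP. The 1842-byte signed response size comes from the message; the 600-byte unsigned size and the names used are assumptions.

```python
import struct

DNSKEY, OPT = 48, 41
TC_FLAG = 0x0200       # header flag: answer truncated, client should retry over TCP
DO_FLAG = 0x8000       # EDNS "DNSSEC OK" bit, high bit of the OPT record's TTL field

def build_query(name, qtype=DNSKEY, udp_size=1232, do=True, qid=0x1234):
    """Wire-format query carrying an EDNS0 OPT RR that advertises udp_size and (optionally) DO."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)   # RD=1, 1 question, 1 additional (OPT)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"
    opt = b"\x00" + struct.pack("!HHIH", OPT, udp_size, DO_FLAG if do else 0, 0)  # root name, type, class=size
    return header + qname + struct.pack("!HH", qtype, 1) + opt

def edns_params(query):
    """(advertised UDP payload size, DO bit) from the OPT RR; (512, False) if the query has none."""
    pos = 12
    while query[pos]:                      # skip QNAME labels
        pos += query[pos] + 1
    pos += 5                               # terminating NUL + QTYPE + QCLASS
    if len(query) < pos + 11 or query[pos] != 0:
        return 512, False
    rtype, size, ttl = struct.unpack("!HHI", query[pos + 1:pos + 9])
    return (size, bool(ttl & DO_FLAG)) if rtype == OPT else (512, False)

def model_authority(query, transport, tcp_broken=True, signed_len=1842, unsigned_len=600):
    """Constructed stand-in for the authority described in the thread (not a real server):
    over UDP it truncates anything larger than the client's buffer; over TCP, when tcp_broken,
    it returns NODATA with only an SOA. Answers are zero-padded to the modelled size."""
    qid = struct.unpack("!H", query[:2])[0]
    udp_size, do = edns_params(query)
    size = signed_len if do else unsigned_len        # RRSIGs are what make the DNSKEY reply big
    if transport == "tcp" and tcp_broken:
        return struct.pack("!HHHHHH", qid, 0x8000, 1, 0, 1, 1) + b"\x00" * 60  # NODATA, SOA only
    if transport == "udp" and size > udp_size:
        return struct.pack("!HHHHHH", qid, 0x8000 | TC_FLAG, 1, 0, 0, 1)       # TC=1, empty answer
    return struct.pack("!HHHHHH", qid, 0x8000, 1, 2, 0, 1) + b"\x00" * (size - 12)

def resolve(name, udp_size, do=True, tcp_broken=True):
    """Resolver side: UDP first, fall back to TCP on TC; 'ok' if an answer section came back."""
    q = build_query(name, udp_size=udp_size, do=do)
    r = model_authority(q, "udp", tcp_broken)
    flags, _, ancount = struct.unpack("!HHH", r[2:8])
    if flags & TC_FLAG:
        r = model_authority(q, "tcp", tcp_broken)
        flags, _, ancount = struct.unpack("!HHH", r[2:8])
    return "ok" if ancount else "servfail"
```

With a 1232-byte buffer the signed DNSKEY reply is truncated and the broken TCP path leaves the resolver with nothing; the same query succeeds with a 4096-byte buffer, without DO, or against an authority whose TCP works.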


