[dns-operations] [DNSOP] bind fails to continue recursing on one specific query

Viktor Dukhovni ietf-dane at dukhovni.org
Tue Mar 28 02:47:30 UTC 2023


[ Redirecting to dns-operations, I don't believe this is an IETF dnsop WG topic ]

On Mon, Mar 27, 2023 at 12:13:58PM -0400, jmurray at pdknox.org wrote:

> www.tn.gov.		CNAME	www.extglb.tn.gov.
> extglb.tn.gov.        NS      sdcgtm02.tn.gov.
> extglb.tn.gov.        NS      ndcgtm01.tn.gov.
> extglb.tn.gov.        NS      ndcgtm02.tn.gov.
> extglb.tn.gov.        NS      sdcgtm01.tn.gov.
> 7VIFF5QRM0PHTVOHKKJ31SMHH09RAE81.tn.gov. NSEC3 1 0 100 D317AC7ABABEF654 7VP1VJA5RP6KBKTVVS2IP1FCA30S4GF4 NS

[Above trace trimmed to the essential records]

    $ ldns-nsec3-hash -t 100 -s D317AC7ABABEF654 extglb.tn.gov.
    7viff5qrm0phtvohkkj31smhh09rae81.

    - Does BIND still support 100 NSEC3 iterations?

The returned NSEC3 record is a proof of insecure delegation of
extglb.tn.gov. Given also:

    ndcgtm01.tn.gov. IN A 170.141.169.33
    ndcgtm02.tn.gov. IN A 170.141.169.34
    sdcgtm01.tn.gov. IN A 170.141.172.33
    sdcgtm02.tn.gov. IN A 170.141.172.34

we can check the server @170.141.167.222 queried in your PCAP and the
above:

    $ for ip in 170.141.167.222 170.141.169.33 170.141.169.34 \
                170.141.172.33 170.141.172.34; do
          dig +norecurse +dnssec +nocmd +nostats @$ip -t a www.extglb.tn.gov.
      done

That first address returns what would be a lame delegation, if it were
believed to be the right server for the zone.

    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57075
    ;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags: do; udp: 1232
    ; COOKIE: f94662e4382b07010100000064222094f3dcfcd52f692d24 (good)
    ;; QUESTION SECTION:
    ;www.extglb.tn.gov.		IN	A

    ;; AUTHORITY SECTION:
    extglb.tn.gov.		300	IN	NS	ndcgtm01.tn.gov.
    extglb.tn.gov.		300	IN	NS	sdcgtm01.tn.gov.
    extglb.tn.gov.		300	IN	NS	ndcgtm02.tn.gov.
    extglb.tn.gov.		300	IN	NS	sdcgtm02.tn.gov.
    7VIFF5QRM0PHTVOHKKJ31SMHH09RAE81.tn.gov. 600 IN	NSEC3 1 0 100 D317AC7ABABEF654 7VP1VJA5RP6KBKTVVS2IP1FCA30S4GF4 NS
    7VIFF5QRM0PHTVOHKKJ31SMHH09RAE81.tn.gov. 600 IN	RRSIG NSEC3 7 3 600 20230416173711 20230317173148 16643 tn.gov. ZxWY7y+RLEifC89LyPAtq0TQIPFuH0mrSbSCb3K44IJfqIwM8z7BuKb/ aM7gtPmApI2zxw2XpKaN7AK+XtBXdHJ29IRJQgQTnatIc+v8rU/hws/g fW8C5uQkq0XOU/YAzUGjOmtNdnzSEQZVi9CCYSsw7AqhVlUYssvAMbXE M5I=

The queries for "_.extglb.tn.gov. IN A ?" in your PCAP are a novelty to
me.  Are these some form of query minimisation, or some sort of sanity
check of the delegation?  Sadly, the "tn.gov" nameserver just drops
these without responding, so their failure could well contribute to the
problems you observe.

The rest are fine, but your resolver never asks:

    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16420
    ;; flags: qr aa ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags: do; udp: 4096
    ;; QUESTION SECTION:
    ;www.extglb.tn.gov.		IN	A

    ;; ANSWER SECTION:
    www.extglb.tn.gov.	30	IN	A	170.141.221.177

    --

    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49212
    ;; flags: qr aa ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags: do; udp: 4096
    ;; QUESTION SECTION:
    ;www.extglb.tn.gov.		IN	A

    ;; ANSWER SECTION:
    www.extglb.tn.gov.	30	IN	A	170.141.165.146

    --

    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34806
    ;; flags: qr aa ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags: do; udp: 4096
    ;; QUESTION SECTION:
    ;www.extglb.tn.gov.		IN	A

    ;; ANSWER SECTION:
    www.extglb.tn.gov.	30	IN	A	170.141.165.146

    --

    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29916
    ;; flags: qr aa ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags: do; udp: 4096
    ;; QUESTION SECTION:
    ;www.extglb.tn.gov.		IN	A

    ;; ANSWER SECTION:
    www.extglb.tn.gov.	30	IN	A	170.141.221.177

-- 
    Viktor.

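The hash check Viktor performs with ldns-nsec3-hash, and the conclusion he draws from it, can be reproduced without ldns. The following is an added example, not part of the original post and not ldns or BIND code: it implements NSEC3 owner-name hashing as specified in RFC 5155 §5 (SHA-1 iterated over the canonical wire-format name with the salt appended each round, base32hex output) and then applies the insecure-delegation test of RFC 5155 §8.9 to the NSEC3 record quoted in the message (owner hash must match the delegation name, NS present, DS and SOA absent from the type bitmap). The record and delegation name are copied from the thread; no network access is needed. The iteration-count bound is the RFC 5155 §10.3 figure for keys of at most 1024 bits, included as a sanity check rather than as a statement about any particular resolver's configuration.

```python
"""NSEC3 hashing (RFC 5155 §5) and the insecure-delegation proof (RFC 5155 §8.9),
applied to the records quoted in the dns-operations message above.
Added example; standard library only."""
import hashlib

# RFC 4648 §7 "extended hex" alphabet: keeps base32 output in DNS canonical order.
_B32HEX = "0123456789abcdefghijklmnopqrstuv"

# Upper bound from RFC 5155 §10.3 for zone keys of at most 1024 bits.
# RFC 9276 recommends 0 iterations; anything above this is a red flag.
MAX_ITERATIONS_RFC5155 = 150

# Records copied from the thread (tn.gov zone, delegation of extglb.tn.gov).
NSEC3_RR = ("7VIFF5QRM0PHTVOHKKJ31SMHH09RAE81.tn.gov. 600 IN NSEC3 1 0 100 "
            "D317AC7ABABEF654 7VP1VJA5RP6KBKTVVS2IP1FCA30S4GF4 NS")
DELEGATION = "extglb.tn.gov."


def wire_name(name: str) -> bytes:
    """Canonical wire form (RFC 4034 §6.2): lowercase, fully qualified,
    length-prefixed labels, terminated by the zero-length root label."""
    out = bytearray()
    for label in name.lower().rstrip(".").split("."):
        if not label:          # root name "." has no labels
            continue
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError(f"label too long in {name!r}")
        out.append(len(raw))
        out += raw
    out.append(0)
    return bytes(out)


def b32hex(data: bytes) -> str:
    """Base32hex without padding; a 20-byte SHA-1 digest is exactly 32 chars."""
    bits = nbits = 0
    out = []
    for byte in data:
        bits = (bits << 8) | byte
        nbits += 8
        while nbits >= 5:
            nbits -= 5
            out.append(_B32HEX[(bits >> nbits) & 0x1F])
    if nbits:                  # trailing partial group, zero-filled on the right
        out.append(_B32HEX[(bits << (5 - nbits)) & 0x1F])
    return "".join(out)


def nsec3_hash(name: str, salt_hex: str, iterations: int, algorithm: int = 1) -> str:
    """IH(0) = H(name || salt); IH(k) = H(IH(k-1) || salt); H is SHA-1 (alg 1)."""
    if algorithm != 1:
        raise ValueError("only NSEC3 hash algorithm 1 (SHA-1) is defined")
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return b32hex(digest)


def parse_nsec3(rr: str) -> dict:
    """Parse one NSEC3 RR in presentation format; TTL and class are optional."""
    fields = rr.split()
    owner = fields[0].lower()
    i = fields.index("NSEC3")
    alg, flags, iters, salt, nxt = fields[i + 1:i + 6]
    return {
        "owner": owner,
        "zone": owner.split(".", 1)[1],          # owner minus the hashed label
        "algorithm": int(alg), "flags": int(flags), "iterations": int(iters),
        "salt": salt, "next": nxt.lower(),
        "types": {t.upper() for t in fields[i + 6:]},
    }


def iterations_acceptable(nsec3: dict) -> bool:
    return nsec3["iterations"] <= MAX_ITERATIONS_RFC5155


def proves_insecure_delegation(nsec3: dict, delegation: str) -> bool:
    """RFC 5155 §8.9: NSEC3 owner matches H(delegation), NS set, DS and SOA clear."""
    hashed = nsec3_hash(delegation, nsec3["salt"], nsec3["iterations"], nsec3["algorithm"])
    if nsec3["owner"] != f"{hashed}.{nsec3['zone']}":
        return False
    return "NS" in nsec3["types"] and not nsec3["types"] & {"DS", "SOA"}


if __name__ == "__main__":
    rr = parse_nsec3(NSEC3_RR)
    print(nsec3_hash(DELEGATION, rr["salt"], rr["iterations"]))
    print("iterations within RFC 5155 bound:", iterations_acceptable(rr))
    print("insecure delegation proven:", proves_insecure_delegation(rr, DELEGATION))
```

Running it prints the same hash ldns-nsec3-hash produced in the message, confirming that the NSEC3 record covers extglb.tn.gov itself (not a span around it) with an NS-only bitmap, which is precisely the opt-out-free proof of an unsigned child zone. A resolver that accepts this proof should treat www.extglb.tn.gov as insecure and continue to the four listed nameservers rather than fail.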

