[dns-operations] [DNSOP] bind fails to continue recursing on one specific query
Viktor Dukhovni
ietf-dane at dukhovni.org
Tue Mar 28 02:47:30 UTC 2023
[ Redirecting to dns-operations, I don't believe this is an IETF dnsop WG topic ]
On Mon, Mar 27, 2023 at 12:13:58PM -0400, jmurray at pdknox.org wrote:
> www.tn.gov. CNAME www.extglb.tn.gov.
> extglb.tn.gov. NS sdcgtm02.tn.gov.
> extglb.tn.gov. NS ndcgtm01.tn.gov.
> extglb.tn.gov. NS ndcgtm02.tn.gov.
> extglb.tn.gov. NS sdcgtm01.tn.gov.
> 7VIFF5QRM0PHTVOHKKJ31SMHH09RAE81.tn.gov. NSEC3 1 0 100 D317AC7ABABEF654 7VP1VJA5RP6KBKTVVS2IP1FCA30S4GF4 NS
[Above trace trimmed to the essential records]
$ ldns-nsec3-hash -t 100 -s D317AC7ABABEF654 extglb.tn.gov.
7viff5qrm0phtvohkkj31smhh09rae81.
- Does BIND still support 100 NSEC3 iterations?
The returned NSEC3 record is a proof of insecure delegation of
extglb.tn.gov. Given also:
ndcgtm01.tn.gov. IN A 170.141.169.33
ndcgtm02.tn.gov. IN A 170.141.169.34
sdcgtm01.tn.gov. IN A 170.141.172.33
sdcgtm02.tn.gov. IN A 170.141.172.34
we can check the server @170.141.167.222 queried in your PCAP and the
above:
$ while read ip; do
dig +norecur +dnssec +nocmd +nostats @$ip -t a www.extglb.tn.gov.
done <<-EOF
170.141.167.222
170.141.169.33
170.141.169.34
170.141.172.33
170.141.172.34
EOF
That first address returns what would be a lame delegation, if it were
believed to be the right server for the zone.
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57075
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
; COOKIE: f94662e4382b07010100000064222094f3dcfcd52f692d24 (good)
;; QUESTION SECTION:
;www.extglb.tn.gov. IN A
;; AUTHORITY SECTION:
extglb.tn.gov. 300 IN NS ndcgtm01.tn.gov.
extglb.tn.gov. 300 IN NS sdcgtm01.tn.gov.
extglb.tn.gov. 300 IN NS ndcgtm02.tn.gov.
extglb.tn.gov. 300 IN NS sdcgtm02.tn.gov.
7VIFF5QRM0PHTVOHKKJ31SMHH09RAE81.tn.gov. 600 IN NSEC3 1 0 100 D317AC7ABABEF654 7VP1VJA5RP6KBKTVVS2IP1FCA30S4GF4 NS
7VIFF5QRM0PHTVOHKKJ31SMHH09RAE81.tn.gov. 600 IN RRSIG NSEC3 7 3 600 20230416173711 20230317173148 16643 tn.gov. ZxWY7y+RLEifC89LyPAtq0TQIPFuH0mrSbSCb3K44IJfqIwM8z7BuKb/ aM7gtPmApI2zxw2XpKaN7AK+XtBXdHJ29IRJQgQTnatIc+v8rU/hws/g fW8C5uQkq0XOU/YAzUGjOmtNdnzSEQZVi9CCYSsw7AqhVlUYssvAMbXE M5I=
The queries for "_.extglb.tn.gov. IN A ?" in your PCAP are a novelty to
me. Are these some form of query minimisation, or some sort of sanity
check of the delegation? Sadly, the "tn.gov" nameserver just drops
these without responding, so their failure could well contribute to the
problems you observe.
The rest are fine, but your resolver never asks:
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16420
;; flags: qr aa ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.extglb.tn.gov. IN A
;; ANSWER SECTION:
www.extglb.tn.gov. 30 IN A 170.141.221.177
--
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49212
;; flags: qr aa ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.extglb.tn.gov. IN A
;; ANSWER SECTION:
www.extglb.tn.gov. 30 IN A 170.141.165.146
--
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34806
;; flags: qr aa ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.extglb.tn.gov. IN A
;; ANSWER SECTION:
www.extglb.tn.gov. 30 IN A 170.141.165.146
--
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29916
;; flags: qr aa ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.extglb.tn.gov. IN A
;; ANSWER SECTION:
www.extglb.tn.gov. 30 IN A 170.141.221.177
--
Viktor.
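The hash check done above with ldns-nsec3-hash, and the reasoning that the matching NSEC3 record is a proof of insecure delegation, as an added Python example (not code from the original post or from ldns). It implements the RFC 5155 hash directly so the result can be compared with the ldns output in the message; the salt, iteration count and NSEC3 record are copied from the thread, and the function names and the small relation/proof helpers are my own.

```python
"""NSEC3 hashing (RFC 5155 section 5) and the 'no DS at this delegation'
check (RFC 5155 section 8.9), written as an added example for this thread.

Constructed input: the NSEC3 record and parameters visible in the message.
"""
import base64
import hashlib
from typing import Optional, Tuple, Set

# base32hex (RFC 4648 section 7) uses the same bit packing as base32 with a
# different alphabet, chosen so that string order equals hash order.
_B32_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                               "0123456789ABCDEFGHIJKLMNOPQRSTUV")

# Record from the thread: (owner hash label, next hashed owner, type bitmap)
TN_GOV_NSEC3 = ("7VIFF5QRM0PHTVOHKKJ31SMHH09RAE81",
                "7VP1VJA5RP6KBKTVVS2IP1FCA30S4GF4",
                {"NS"})
TN_GOV_SALT = "D317AC7ABABEF654"
TN_GOV_ITERATIONS = 100


def name_to_canonical_wire(name: str) -> bytes:
    """Owner name in canonical uncompressed wire format (RFC 4034 6.2):
    lowercase, each label length-prefixed, terminated by the root label."""
    stripped = name.rstrip(".").lower()
    labels = stripped.split(".") if stripped else []
    out = bytearray()
    for label in labels:
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label {label!r} in {name!r}")
        out.append(len(raw))
        out += raw
    out.append(0)
    return bytes(out)


def nsec3_hash(name: str, salt_hex: str, iterations: int, algorithm: int = 1) -> str:
    """IH(0) = H(name || salt); IH(k) = H(IH(k-1) || salt); return IH(iterations)
    as uppercase base32hex. Only hash algorithm 1 (SHA-1) is defined."""
    if algorithm != 1:
        raise ValueError("only NSEC3 hash algorithm 1 (SHA-1) is defined")
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(name_to_canonical_wire(name) + salt).digest()
    for _ in range(iterations):  # 'iterations' extra rounds on top of IH(0)
        digest = hashlib.sha1(digest + salt).digest()
    # A 20-byte digest encodes to exactly 32 base32 characters, no padding.
    return base64.b32encode(digest).decode("ascii").rstrip("=").translate(_B32_TO_B32HEX)


def nsec3_relation(hashed: str, owner_hash: str, next_hash: str) -> Optional[str]:
    """'match' if the record's owner is the hashed name, 'cover' if the name
    falls in the gap (owner, next), allowing for the wrap-around of the last
    record in the chain, else None."""
    hashed, owner_hash, next_hash = (s.upper() for s in (hashed, owner_hash, next_hash))
    if hashed == owner_hash:
        return "match"
    if owner_hash < next_hash:
        inside = owner_hash < hashed < next_hash
    else:
        inside = hashed > owner_hash or hashed < next_hash
    return "cover" if inside else None


def proves_insecure_delegation(name: str, rr: Tuple[str, str, Set[str]],
                               salt_hex: str, iterations: int) -> bool:
    """RFC 5155 8.9: an NSEC3 that MATCHES the delegation name with NS set and
    both DS and SOA clear proves there is no DS, i.e. the child is unsigned.
    (A covering record would be a different proof and is not accepted here.)"""
    owner_hash, next_hash, types = rr
    relation = nsec3_relation(nsec3_hash(name, salt_hex, iterations), owner_hash, next_hash)
    if relation != "match":
        return False
    return "NS" in types and "DS" not in types and "SOA" not in types


if __name__ == "__main__":
    h = nsec3_hash("extglb.tn.gov.", TN_GOV_SALT, TN_GOV_ITERATIONS)
    print("hash :", h)
    print("proof:", proves_insecure_delegation("extglb.tn.gov.", TN_GOV_NSEC3,
                                               TN_GOV_SALT, TN_GOV_ITERATIONS))
```

The cost of the check is visible in the loop: every validation of this delegation costs 101 SHA-1 rounds per name tried, which is why resolver vendors now cap the accepted iteration count and RFC 9276 recommends publishing zones with 0 iterations; a validator that treats 100 as too many would consider the zone bogus or insecure instead of running this computation.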