NLnetLabs / unbound

Unbound is a validating, recursive, and caching DNS resolver.
https://nlnetlabs.nl/unbound
BSD 3-Clause "New" or "Revised" License

adding local_zone via unbound-control breaks local-data #868

Open popovr opened 1 year ago

popovr commented 1 year ago

Hello,

adding zones with 'unbound-control local_zone xxx.xxx. deny' randomly breaks local-data records. Different zones being added break different records.

for example: adding 'test.com' breaks the local-data record for 'weather.com'

unbound versions found to be affected: 1.17.0, 1.17.1. OS independent (tried FreeBSD 13.1, Debian 7.11)

```
[root@rvp /home/rvp]# unbound-control reload
ok
[root@rvp /home/rvp]# unbound-control list_local_data | grep weather
weather.com.    10900   IN  A   127.0.0.1
[root@rvp /home/rvp]# nslookup weather.com. localhost
Server:     localhost
Address:    127.0.0.1#53

Name:   weather.com
Address: 127.0.0.1

[root@rvp /home/rvp]# unbound-control local_zone test.net. deny
ok
[root@rvp /home/rvp]# nslookup weather.com. localhost
Server:     localhost
Address:    127.0.0.1#53

Name:   weather.com
Address: 127.0.0.1

[root@rvp /home/rvp]# unbound-control local_zone test.org. deny
ok
[root@rvp /home/rvp]# nslookup weather.com. localhost
Server:     localhost
Address:    127.0.0.1#53

Name:   weather.com
Address: 127.0.0.1

[root@rvp /home/rvp]# unbound-control local_zone test.com. deny
ok
[root@rvp /home/rvp]# nslookup weather.com. localhost
Server:     localhost
Address:    127.0.0.1#53

Non-authoritative answer:
Name:   weather.com
Address: 184.86.60.172

[root@rvp /home/rvp]# unbound-control list_local_data | grep weather
weather.com.    10900   IN  A   127.0.0.1
[root@rvp /home/rvp]#

[root@rvp /home/rvp]# unbound-control reload
ok
[root@rvp /home/rvp]# nslookup weather.com. localhost
Server:     localhost
Address:    127.0.0.1#53

Name:   weather.com
Address: 127.0.0.1
```

To reproduce

  1. add local-data: "weather.com. 10900 IN A 127.0.0.1" to unbound.conf, reload, check that server replies with new ip.
  2. add local zone with 'unbound-control local_zone test.com. deny'
  3. check that even though record for weather.com is still in local-data, server replies with its original ip.

Expected behavior: using `unbound-control local_zone` must not break local-data records.

System:

```
Version 1.17.1

Configure line: --with-libexpat=/usr/local --with-ssl=/usr --enable-dnscrypt --disable-dnstap --with-libnghttp2 --with-dynlibmodule --enable-ecdsa --disable-event-api --enable-gost --with-libevent --disable-subnet --disable-tfo-client --disable-tfo-server --with-pthreads --prefix=/usr/local --localstatedir=/var --mandir=/usr/local/man --infodir=/usr/local/share/info/ --build=amd64-portbld-freebsd13.1
Linked libs: libevent 2.1.12-stable (it uses kqueue), OpenSSL 1.1.1o-freebsd 3 May 2022
Linked modules: dns64 dynlib respip validator iterator
DNSCrypt feature available

BSD licensed, see LICENSE in source package for details.
Report bugs to unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues
```

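A small check for the symptom reported above, as an added example that is neither code from this issue nor from the Unbound project: it compares the A record that `list_local_data` still holds for a name with the address `nslookup` actually returns, and flags the case where the override is listed but bypassed. The function names, the live-mode argument handling and the assumption of `unbound-control` and `nslookup` on PATH with a resolver on localhost are the example's own.

```shell
#!/bin/sh
# Added example (not from the issue or from Unbound). Detects a local-data
# override that is still listed by unbound-control but no longer answered.

# local_data_addr NAME LIST_OUTPUT
# Prints the A rdata that `unbound-control list_local_data` holds for NAME
# (trailing dot on NAME is optional).
local_data_addr() {
    n=${1%.}
    printf '%s\n' "$2" | awk -v n="$n" '
        { name = $1; sub(/\.$/, "", name) }
        name == n && $4 == "A" { print $5; exit }'
}

# answered_addr NSLOOKUP_OUTPUT
# Prints the address from the answer section (the "Address:" line after
# "Name:"), skipping the "Address: 127.0.0.1#53" line describing the server.
answered_addr() {
    printf '%s\n' "$1" | awk '
        /^Name:/ { in_answer = 1; next }
        in_answer && /^Address:/ { print $2; exit }'
}

# check_override NAME LIST_OUTPUT NSLOOKUP_OUTPUT
# Returns 0 when the resolver serves the local-data address, 1 when the
# record is present but a different address was answered (or no record).
check_override() {
    want=$(local_data_addr "$1" "$2")
    got=$(answered_addr "$3")
    if [ -n "$want" ] && [ "$want" = "$got" ]; then
        return 0
    fi
    return 1
}

# Live mode: sh check_local_data.sh weather.com. [more names...]
# Assumes unbound-control and nslookup on PATH and a resolver on localhost.
if [ $# -gt 0 ] && command -v unbound-control >/dev/null 2>&1; then
    list=$(unbound-control list_local_data)
    for name in "$@"; do
        if check_override "$name" "$list" "$(nslookup "$name" localhost)"; then
            echo "OK   $name is served from local-data"
        else
            echo "FAIL $name local-data override bypassed"
        fi
    done
fi
```

Run it before and after the `local_zone ... deny` step from the reproduction to see the override flip from OK to FAIL while `list_local_data` still shows the record.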

gthess commented 1 year ago

Cannot reproduce this on either 1.17.1 or current master. More verbose output would help for this case if possible.