omoerbeek
commented
6 months ago Rec constructs the answer in two steps, first foo.cname-exists.phicoh.nl is resolved, resulting in a CNAME record and an AUTHORITY section containing the future dup NSEC and RRSIG records:
dig @ns5.phicoh.nl foo.cname-exists.phicoh.nl txt +dnssec
; <<>> DiG 9.18.25 <<>> @ns5.phicoh.nl foo.cname-exists.phicoh.nl txt +dnssec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9313
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1280
;; QUESTION SECTION:
;foo.cname-exists.phicoh.nl. IN TXT
;; ANSWER SECTION:
foo.cname-exists.phicoh.nl. 3600 IN CNAME does-exist.phicoh.nl.
foo.cname-exists.phicoh.nl. 3600 IN RRSIG CNAME 8 3 3600 20240523132800 20240425132800 63939 phicoh.nl. gGJOiNSXdI2IZzEeyx2JTnT+djjR9i2gIhRYShC3yVp++2va9qYBdivB gXZgEmMnNb1t2yA6b7DmVd9Vyi1XkBYQU6Zhr10ItwNZvNynC/kNmFAY T6GSP4AZZxX4wU1cNgOo5Rzm01Hk6VSG8ipDGNvxRA9HheZO7mZizkoz hphh9xhBCsqHbnj8liwyqwESJGhjJMuCBLDkouN4ak/AkII2xa+ycvno UK4rsdz4zT8jif0mN1kt8nfKu8WuXozcHKoUvWW03ZPvvCbmYaY8k/rq pSVO04nr7EZQG2E9yT72XhFnfLJg2+rYbY9Ryyfe/+aAHRHtfxkvIx8n obxgsA==
;; AUTHORITY SECTION:
*.cname-exists.phicoh.nl. 3600 IN NSEC cname-nxdomain.phicoh.nl. CNAME RRSIG NSEC
*.cname-exists.phicoh.nl. 3600 IN RRSIG NSEC 8 3 3600 20240523132800 20240425132800 63939 phicoh.nl. qn63vY9jK1QAPmMGOk2igSdOWRYwg2oCwH7okDVPPWbKO0SMENdPLoSF slgR0+Ck2e6zV7Nf1ZawSRMFU0u1H2KML56iSELjQOJW34zCiwxcox/A 6BrZ+gld1Ak6PiT/X41yDbMlDwz4usmpRhP3nG6qU01Pjd9vy/38HP3V QEj9EMuFDJPzlavO3dE7uCMSjW/vzXPvqg295yQ1f3fvV6D55PVJWN4Q cDI6hSAyPG/dVq24zqklADrb2lh+JNwHR4WsgBjgI4pFBxV2SQnTcqYz /2lihopU6qD5b99hw51fKuYe/xpKLvFxHwQ9Ccud9TDK64wggJ6cjvef HwmUBg==
does-exist.phicoh.nl. 3600 IN NSEC *.ent.phicoh.nl. A RRSIG NSEC
does-exist.phicoh.nl. 3600 IN RRSIG NSEC 8 3 3600 20240523132801 20240425132801 63939 phicoh.nl. AmkFNWd0GFouYmDjOsYaTpSirHH8n2UNThEb6IZ2m8CKkNEVUApDtP4N Jpb88orjpeDM9THZnD+/zQbx4Qpp4GsMRvUAtTizcZDpOQ1esN5zSTJM fJRDfyFDPFlm+NPyzDaqbBaFSyzTVrKECBVfDW3QVTW7trB03BZSg+Gf kLhti9jA0dPq9nauFzILeCdT0k8vhhrhf4Gc5repYy5otAAPJBnR3cgQ 8zSobeC/kEu8mvvSWjxStDsG5P86hj3mKdj9Yqx5Sj6/Piug4y2D6lva aIg0C+cSstePrwKbpKEgkycWQnIa4MWYAJ1auS7HJ5NJX9hAL/XNm64U ILAGSA==
;; Query time: 24 msec
;; SERVER: 2a10:3781:2413:1:2a0:c9ff:fe9f:17a9#53(ns5.phicoh.nl) (UDP)
;; WHEN: Mon May 06 08:16:36 CEST 2024
;; MSG SIZE rcvd: 1056Then the CNAME target does-exist.phicoh.nl is resolved, resulting in an AUTHORITY section containing the already present records again:
$ dig @ns5.phicoh.nl does-exist.phicoh.nl txt +dnssec
; <<>> DiG 9.18.25 <<>> @ns5.phicoh.nl does-exist.phicoh.nl txt +dnssec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3911
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1280
;; QUESTION SECTION:
;does-exist.phicoh.nl. IN TXT
;; AUTHORITY SECTION:
phicoh.nl. 3600 IN SOA stereo.hq.phicoh.net. dnsmaster.hq.phicoh.net. 1714051679 7200 3600 2419200 3600
phicoh.nl. 3600 IN RRSIG SOA 8 2 3600 20240523132759 20240425132759 63939 phicoh.nl. Ve5TIpO5DnxpWpsOOlYPNKSKHu1zAXQOESWKmrfv40qnBw/8FYBZCnPe usLafNFDtDZYy4+g2BMPTq5aHOluF+GtHfR/Tnb+9Y27r7F42LfgWI/S NZ3hZ+445PeDJIhJ55oJ+HjlWoNWIQGYNyLXRmCfteKhYEUwN3xQdz+t 0wgC6gXENpg4Dbk2WzEHNx6RtkwpvUSJd6HyvSsS+1VYoCL2NgteVhp0 paTYSYnn9fwAZDyGUUbMUS7Pbeot393lV+5OFG8OuwnTlO4i12Bx9Rk7 uo55fJiHmtWsgJCuv8lkFTLpoAKH0+9gDFZ7V80nZf2Re9a9/PJVs46d 4JKCyg==
does-exist.phicoh.nl. 3600 IN NSEC *.ent.phicoh.nl. A RRSIG NSEC
does-exist.phicoh.nl. 3600 IN RRSIG NSEC 8 3 3600 20240523132801 20240425132801 63939 phicoh.nl. AmkFNWd0GFouYmDjOsYaTpSirHH8n2UNThEb6IZ2m8CKkNEVUApDtP4N Jpb88orjpeDM9THZnD+/zQbx4Qpp4GsMRvUAtTizcZDpOQ1esN5zSTJM fJRDfyFDPFlm+NPyzDaqbBaFSyzTVrKECBVfDW3QVTW7trB03BZSg+Gf kLhti9jA0dPq9nauFzILeCdT0k8vhhrhf4Gc5repYy5otAAPJBnR3cgQ 8zSobeC/kEu8mvvSWjxStDsG5P86hj3mKdj9Yqx5Sj6/Piug4y2D6lva aIg0C+cSstePrwKbpKEgkycWQnIa4MWYAJ1auS7HJ5NJX9hAL/XNm64U ILAGSA==
;; Query time: 25 msec
;; SERVER: 2a10:3781:2413:1:2a0:c9ff:fe9f:17a9#53(ns5.phicoh.nl) (UDP)
;; WHEN: Mon May 06 08:17:08 CEST 2024
;; MSG SIZE rcvd: 746The auth sections are then merged, but contain duplicates.
rgacogne
[x] I have read and understood the 'out in the open' support policy
Short description
Someone on the DNS-OARC Mattermost found that "
dig +dnssec foo.cname-exists.phicoh.nl txt" on "a popular public resolver" returns two "does-exist.phicoh.nl. 3600 IN NSEC *.ent.phicoh.nl. A RRSIG NSEC" records. I don't know which resolver they meant, but I checked a few of them and PowerDNS Recursor does in fact return the NSEC and its corresponding RRSIG twice.Beats me why, but there are wildcards and ENTs and possibly other horrors involved.
There may have been recent changes in this area, but I don't know if it's a new issue. It affects Quad9, so I doubt it's that new.
Environment
Steps to reproduce
dig +dnssec foo.cname-exists.phicoh.nl txtExpected behaviour
No duplicate records.
Actual behaviour
Extra NSEC and RRSIG records.
Other information