PowerDNS / pdns

PowerDNS Authoritative, PowerDNS Recursor, dnsdist
https://www.powerdns.com/
GNU General Public License v2.0

TLSA record lookup problem #4304

Closed kjette closed 8 years ago

kjette commented 8 years ago

Reporter: ietf-dane@dukhovni

Problem:

$ dig +nosplit +norecur -t tlsa _25._tcp.dbdo.se @ns7.binero.se 
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 60776 
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 
;_25._tcp.dbdo.se. IN TLSA

Testing this on a different name server that is powered by UltraDNS:

dig +nosplit +norecur -t tlsa _25._tcp.dbdo.se @ns6.binero.se 
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6077 
;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 1 
;_25._tcp.dbdo.se. IN TLSA 
_25._tcp.dbdo.se. CNAME doesnotexist.dbdo.se. 
_25._tcp.dbdo.se. RRSIG CNAME 8 2 7200 20160818000000 20160728000000 34296 dbdo.se. UXq/SAuNAj6XRFpbNIq6y2zM/rHfKuP1WYJOhcY07NyhOmAgSBK9Avep0Btlz16t+lFCtzcI2pn3jLSh7FlkJ2VhVI40jqarMeECyZrjHEjUaHN/qfO5rYubrCX93ci9eKL0YqdilNOkecasvB/8j55FzG5Dua6joLVve9vzXuQ= 
vg23qt8s9k87afurdic9pfp2cudf886m.dbdo.se. NSEC3 1 0 1 AB 3F8EGOT7HUPFFDVJ3S9EV18VCK5C9KNJ A NS SOA RRSIG DNSKEY NSEC3PARAM 
vg23qt8s9k87afurdic9pfp2cudf886m.dbdo.se. RRSIG NSEC3 8 3 3600 20160818000000 20160728000000 34296 dbdo.se. wAqUtWgXWuhSUglaahAPRx2ynMRZbmiVG+hmVA5CZ39or0DGGmbgjnUvOzr5zQf4N+vEg+KtklAohLv3Bf5fxq7tDYw7p78m4bsWIDDwjqtpRQU9kmNdxuPmGiGhpkgdIIOoFuJk4hhyEK9ArjxZzpt7ORyhrx23WXNPTsuwjCc=

See also: http://dnsviz.net/d/_25._tcp.dbdo.se/dnssec/

The wildcard CNAME at the zone apex is not pertinent to queries below the empty non-terminal "_tcp.dbdo.se".

Following output from the log:

Aug 9 17:08:05 ns-01-01 pdns[24461]: Abort CNAME chain resolution after 10 redirects, sending out servfail. Initial query: '_25._tcp.dbdo.se'.

This matches my observations, the zone apex has an invalid wildcard CNAME. However, that CNAME is not pertinent to the query at hand, since "_tcp" is an empty non-terminal. So attempts to resolve that CNAME should not happen. Also SERVFAIL is questionable here, even if the CNAME were relevant, the authoritative server should just return the CNAME record in that case.

$ pdnssec --config-dir=/etc/powerdns/ check-zone dbdo.se
Checked 12 records of 'dbdo.se', 0 errors, 0 warnings
$ pdns_server --version
Aug 10 10:18:33 PowerDNS Authoritative Server 4.0.1 (C) 2001-2016 PowerDNS.COM BV
Aug 10 10:18:33 Using 64-bits mode. Built using gcc 4.8.1 on Aug  9 2016 15:03:54 by root@ns-01-01.binero.se.
Aug 10 10:18:33 PowerDNS comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it according to the terms of the GPL version 2.
Aug 10 10:18:33 Features: openssl lua 
Aug 10 10:18:33 Built-in modules: bind gmysql random
Aug 10 10:18:33 Configured with: " 'CXX=g++-4.8' 'CC=gcc-4.8'"

Habbie commented 8 years ago

Can you show your zone contents please?

Habbie commented 8 years ago

Have received the zone in private. I don't see any _tcp in there, what am I missing? The response from UltraDNS also suggests there is no _tcp empty non-terminal.

kjette commented 8 years ago

Yes, sorry, indeed there is no empty non-terminal, from the secondary UltraDNS servers the unresolvable CNAME is accompanied by a proof of non-existence of _tcp. I've seen too many cases of empty non-terminal issues, and in this case jumped to conclusions too quickly.

I still think that the authoritative server needs to just return the CNAME data it has (without chasing the CNAME) when the target of the CNAME does not exist or loops. This is what the secondaries do, and the primary should act the same.

Hashes:

q6d7nlmm7hj224qvb6lpmg6cpln6dso0. doesnotexist.dbdo.se 
ioibg7vnme250daecms1319sphul4jmu. *.dbdo.se 
vg23qt8s9k87afurdic9pfp2cudf886m. dbdo.se

Answers:

@ns6.binero.se.[156.154.67.59] 
; <<>> DiG 9.10.3-P4 <<>> +dnssec +noall +cmd +comment +qu +ans +auth +nocl +nottl +nosplit +norecur -t a doesnotexist.dbdo.se @156.154.67.59 
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25267 
;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 1 
;doesnotexist.dbdo.se. IN A 
doesnotexist.dbdo.se. CNAME doesnotexist.dbdo.se. 
doesnotexist.dbdo.se. RRSIG CNAME 8 2 7200 20160825000000 20160804000000 34296 dbdo.se. 
ioibg7vnme250daecms1319sphul4jmu.dbdo.se. NSEC3 1 0 1 AB VG23QT8S9K87AFURDIC9PFP2CUDF886M CNAME RRSIG 
vg23qt8s9k87afurdic9pfp2cudf886m.dbdo.se. NSEC3 1 0 1 AB 3F8EGOT7HUPFFDVJ3S9EV18VCK5C9KNJ A NS SOA RRSIG DNSKEY NSEC3PARAM 
ioibg7vnme250daecms1319sphul4jmu.dbdo.se. RRSIG NSEC3 8 3 3600 20160825000000 20160804000000 34296 dbdo.se. 
vg23qt8s9k87afurdic9pfp2cudf886m.dbdo.se. RRSIG NSEC3 8 3 3600 20160825000000 20160804000000 34296 dbdo.se.
@ns7.binero.se.[195.74.39.30] 
; <<>> DiG 9.10.3-P4 <<>> +dnssec +noall +cmd +comment +qu +ans +auth +nocl +nottl +nosplit +norecur -t a doesnotexist.dbdo.se @195.74.39.30 
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 6939 
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 
;doesnotexist.dbdo.se. IN A
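The following is an added worked example, not code from PowerDNS and not from anyone in this thread. It models a constructed copy of the zone contents implied by the responses above (the apex wildcard CNAME pointing at doesnotexist.dbdo.se, which is a CNAME to itself; the SOA and NS rdata are made up) in a small authoritative lookup that follows in-zone CNAMEs but stops with NOERROR and the records gathered so far when the chain loops, exceeds the 10-redirect limit quoted in the pdns log, or leads to a missing or out-of-zone target, instead of answering SERVFAIL. It also implements the RFC 5155 NSEC3 hash with the parameters visible in the NSEC3 records (SHA-1, 1 iteration, salt AB) so the three hashes listed above can be reproduced, and it shows the empty non-terminal rule discussed earlier: once a record exists under _tcp, the apex wildcard no longer matches names beneath it. Function names and the zone dictionary are assumptions for illustration.

```python
import base64
import hashlib

ZONE = "dbdo.se"
# NSEC3 parameters read off the NSEC3 records in this thread: alg 1 (SHA-1), flags 0, 1 iteration, salt AB
NSEC3_SALT = bytes.fromhex("AB")
NSEC3_ITERATIONS = 1
MAX_CNAME_DEPTH = 10  # the redirect limit quoted in the pdns log line

# Constructed zone contents modelled on the responses in the thread (the real zone is not on the page).
RRSETS = {
    "dbdo.se": {
        "SOA": ["ns6.binero.se. hostmaster.dbdo.se. 2016080900 7200 3600 1209600 3600"],  # made up
        "NS": ["ns6.binero.se.", "ns7.binero.se."],
    },
    "*.dbdo.se": {"CNAME": ["doesnotexist.dbdo.se"]},            # wildcard CNAME at the apex
    "doesnotexist.dbdo.se": {"CNAME": ["doesnotexist.dbdo.se"]},  # CNAME pointing at itself
}


def wire_name(name):
    """Canonical (lowercase) uncompressed wire format of a domain name."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def nsec3_hash(name, salt=NSEC3_SALT, iterations=NSEC3_ITERATIONS):
    """RFC 5155 s.5: H(x) = SHA-1(x || salt), repeated `iterations` more times; lowercase base32hex."""
    digest = wire_name(name)
    for _ in range(iterations + 1):
        digest = hashlib.sha1(digest + salt).digest()
    b32 = base64.b32encode(digest).decode("ascii").rstrip("=")
    to_hex32 = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567", "0123456789ABCDEFGHIJKLMNOPQRSTUV")
    return b32.translate(to_hex32).lower()


def name_exists(name, rrsets):
    """True for names owning records and for empty non-terminals (names that only have descendants)."""
    return name in rrsets or any(owner.endswith("." + name) for owner in rrsets)


def in_zone(name):
    return name == ZONE or name.endswith("." + ZONE)


def lookup(qname, qtype, rrsets):
    """RFC 4592 lookup: exact match, else wildcard synthesis directly under the closest encloser.
    Returns (owner, rtype, rdatas, closest_encloser) or None for NXDOMAIN / NODATA;
    closest_encloser is set only when a wildcard was used."""
    owner, encloser = qname, None
    if not name_exists(qname, rrsets):
        labels = qname.split(".")
        for i in range(1, len(labels)):           # walk up to the first existing name (record or ENT)
            if name_exists(".".join(labels[i:]), rrsets):
                encloser = ".".join(labels[i:])
                break
        wildcard = "*." + encloser if encloser else None
        if wildcard not in rrsets:                # an ENT as closest encloser blocks the apex wildcard
            return None
        owner = wildcard
    rrs = rrsets.get(owner, {})
    if "CNAME" in rrs and qtype != "CNAME":
        return qname, "CNAME", rrs["CNAME"], encloser
    if qtype in rrs:
        return qname, qtype, rrs[qtype], encloser
    return None


def resolve(qname, qtype, rrsets=RRSETS):
    """Build an authoritative answer. In-zone CNAMEs are followed, but a loop, a chain longer than
    MAX_CNAME_DEPTH, a missing target or an out-of-zone target ends the chase with NOERROR and the
    CNAMEs collected so far, never with SERVFAIL."""
    name = qname.lower()
    answer, proof, seen, status = [], [], set(), "NOERROR"
    for _ in range(MAX_CNAME_DEPTH + 1):
        if name in seen:                          # CNAME loop: keep what we have and stop
            break
        seen.add(name)
        found = lookup(name, qtype, rrsets)
        if found is None:
            if not answer and not name_exists(name, rrsets):
                status = "NXDOMAIN"
            break
        owner, rtype, rdatas, encloser = found
        answer.append((owner, rtype, tuple(rdatas)))
        if encloser is not None:
            # wildcard proof: NSEC3 matching the closest encloser, NSEC3 covering the next closer name
            next_closer = name[: len(name) - len(encloser) - 1].split(".")[-1] + "." + encloser
            proof += [(encloser, nsec3_hash(encloser)), (next_closer, nsec3_hash(next_closer))]
        if rtype != "CNAME":
            break
        name = rdatas[0].lower().rstrip(".")
        if not in_zone(name):                     # the resolver chases out-of-zone targets, not us
            break
    return {"status": status, "answer": answer, "nsec3_proof": proof}


if __name__ == "__main__":
    for q in (("_25._tcp.dbdo.se", "TLSA"), ("doesnotexist.dbdo.se", "A")):
        print(q, resolve(*q))
    for n in ("doesnotexist.dbdo.se", "*.dbdo.se", "dbdo.se"):
        print(nsec3_hash(n), n)
```

The chase-then-stop policy is one reasonable choice; the UltraDNS responses above return only the first CNAME, which this code would do as well if the loop body ran once. Either way the client gets an answer section with the CNAME data the server holds, plus, when a wildcard was expanded, the closest encloser and next closer name whose NSEC3 hashes the authority section has to prove.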

Habbie commented 8 years ago

Can you open a fresh bug about the CNAME chasing, without all the baggage this issue has accumulated? I'll close this one.