Open Habbie opened 7 years ago
And here is 4.1.3 apparently chasing on a CNAME query:
dig cname b8uc4axsv0.1800.nl @nsauth1.bit.nl +dnssec
; <<>> DiG 9.12.2-P1 <<>> cname b8uc4axsv0.1800.nl @nsauth1.bit.nl +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9497
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 8, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1680
;; QUESTION SECTION:
;b8uc4axsv0.1800.nl. IN CNAME
;; ANSWER SECTION:
b8uc4axsv0.1800.nl. 86400 IN CNAME www.mv.nl.
b8uc4axsv0.1800.nl. 86400 IN RRSIG CNAME 8 2 86400 20181018000000 20180927000000 34443 1800.nl. LCoe3RjhpEPDYXQPg3cCaDZwjhNVLRpGJIMUY9ueAXwukIw3YxwSSxAd wAJiVWAiJXW+fOdGWN4BFqENq6VqVEebflQJHKOPcUbOuBHRLLHA4Lrq 2ExYl0Gu/GrQfy5XvjAM+DB4JzZtDbFn3fVjnYuLIYsUFU/J3uGslIoi Lbs=
;; AUTHORITY SECTION:
mv.nl. 86400 IN SOA nsauth1.bit.nl. hostmaster.mediavillage.nl. 2017091100 28800 7200 604800 86400
mv.nl. 86400 IN RRSIG SOA 8 2 86400 20181018000000 20180927000000 30604 mv.nl. 1s6TT/SF73B0REidKb2XriqR6lL4kpb+i7tGeFTsmP7W/tXZdT3veIrT 7OQshTRYA2cUXs1RM3sxoN+Wibv/xhRnH+Q6j6yR6mRZZK1izj4cQ+/6 RHZPM6DWi4caytcEn4nDuJSBEL1DPQQczJ2rN9Nyus+Tyed/3A4Us7OI gx0=
*.1800.nl. 86400 IN NSEC mx.1800.nl. CNAME RRSIG NSEC
*.1800.nl. 86400 IN RRSIG NSEC 8 2 86400 20181018000000 20180927000000 34443 1800.nl. eTj6MfB7QO6vAFc0K2mt967a+6X/Oune6tHEldEABIVKLfgdODJwtKHn m6DIjF5dpW49/DEpBML4UjD+CbkKn6Xygq1eERWO7gECwQ2hzJ/z/XBz g3VQG82heG1SaMgZ9m68JyAcPh+BgcWVl/wBESXxWOk/8PqrRGrYTsPk INg=
verkoop.mv.nl. 86400 IN NSEC mv.nl. CNAME RRSIG NSEC
verkoop.mv.nl. 86400 IN RRSIG NSEC 8 3 86400 20181018000000 20180927000000 30604 mv.nl. 0uh6KHkWDHmYedqp/d5AAPe9vluFjvHyA5ahnJKZwzZJ/bBt+xQzKGev vq3l6u7olwQxu69PbYs0nfUHyqpxKO2gSfT3GIH3orHgNSfhnBgVjrBy Gt1B0yjYv4AzSTOW0TOsYOHFB06M6NnafOvPkxQmISCAq0+jfrgknmy2 LUw=
*.mv.nl. 86400 IN NSEC _domainkey.mv.nl. A RRSIG NSEC
*.mv.nl. 86400 IN RRSIG NSEC 8 2 86400 20181018000000 20180927000000 30604 mv.nl. ARVVX8Uv+sx8nl49dQTU5hcqSTGtu8C6fznGiWTbPlQlakl+NKbDbzqi En4ZeYgSup8VbT4N+7eeeSOtgPDC1Ijzk29by1BLZqCQbPTCzLzmvjLC lElZ6/Uu+tI2xyX3nR7zU+IChWmq2nKrKD0vq7YJjVOjR2mO2n5Qthv9 sc0=
;; Query time: 52 msec
;; SERVER: 213.136.12.51#53(213.136.12.51)
;; WHEN: Tue Oct 09 17:24:40 CEST 2018
;; MSG SIZE rcvd: 1078
Different, related, weird (rec 4.1.7); note the double NSEC:
dig 'blabla.50.nl' +dnssec
; <<>> DiG 9.12.2-P1 <<>> blabla.50.nl +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59679
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 6, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;blabla.50.nl. IN A
;; ANSWER SECTION:
blabla.50.nl. 86345 IN CNAME www.mv.nl.
www.mv.nl. 495 IN A 213.136.12.232
blabla.50.nl. 86345 IN RRSIG CNAME 8 2 86400 20181122000000 20181101000000 40626 50.nl. uiM7lHcP4o+t1DHX2enBN9XLVXYHvr4+GgM7PhDoT02mHNqxMUt4D5RM 8cri7hp7gIpEPdr3ai8BGqi3rfdliIa97kCs4kq+KEzBxBsuSDpLvfv7 L5Bwdt7qEP6yNjd3SOvZY5paFq2iXR/Pxrkvz0o/HR5BZj29cKP2C32F 1dg=
www.mv.nl. 495 IN RRSIG A 8 2 600 20181122000000 20181101000000 30604 mv.nl. ExOS+jobr1pFKwLIQ++v3utl+Fuo3RTdekvPxEnpKSptfF6x5fbL2GE8 OR+3EHEC+SNndiDVMhu7qg/sNwlARL/3V6igoTugokVfkB9xbGVlGvVN KvOUhoujbc2m6ptrxqSGQWQmGl1nlSUI/MH8RFtyJihl2udxUgXiNKT1 u5c=
;; AUTHORITY SECTION:
*.50.nl. 86345 IN NSEC mx.50.nl. CNAME RRSIG NSEC
verkoop.mv.nl. 86345 IN NSEC mv.nl. CNAME RRSIG NSEC
verkoop.mv.nl. 495 IN NSEC mv.nl. CNAME RRSIG NSEC
*.50.nl. 86345 IN RRSIG NSEC 8 2 86400 20181122000000 20181101000000 40626 50.nl. AlCnQVOE/7xxIopIo/7jgONmE0JoGFpkDqm0Zxj+MZxJa4NlvLL3SxoC qTk06gFQV2ThFCl6yi9foLU+zO0q3QAO63gBRRJ3JjPve8S4CtaafRUz CP1OFFx2qsmVXJwYi64itpTHPcxi+g/kFGffv0NZO0TVOm2QjzcG541i owI=
verkoop.mv.nl. 86345 IN RRSIG NSEC 8 3 86400 20181122000000 20181101000000 30604 mv.nl. DUhsUX2oHlqJVNNo6HddWGZbtVT/yyvfqMU1FM7l1YYe6JJQYYfnrc3i Wo012v6a+f/EfvZOhsRb5m1tyD1PNTjSmHul+HGF1GrEQyvaHTTMOm5T gCuapKaeIAhzrseh9eXf5aGuHawuvLT4DZcW++U2WF97Mx8d60eR7dQ1 XdU=
verkoop.mv.nl. 495 IN RRSIG NSEC 8 3 86400 20181122000000 20181101000000 30604 mv.nl. DUhsUX2oHlqJVNNo6HddWGZbtVT/yyvfqMU1FM7l1YYe6JJQYYfnrc3i Wo012v6a+f/EfvZOhsRb5m1tyD1PNTjSmHul+HGF1GrEQyvaHTTMOm5T gCuapKaeIAhzrseh9eXf5aGuHawuvLT4DZcW++U2WF97Mx8d60eR7dQ1 XdU=
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Nov 09 21:22:07 CET 2018
;; MSG SIZE rcvd: 997
Reference in https://www.rfc-editor.org/rfc/rfc1034#section-3.6.2
Both of these RRs would be returned in the response to the type A query, while a type CNAME or * query should return just the CNAME.
Short description
When queried for a name that holds a CNAME record, that CNAME should only be chased if the query type is something other than CNAME or ANY. However, both our auth and rec do chase the CNAME when the query type is ANY. This is wrong.
Environment
Steps to reproduce
Expected behaviour
Actual behaviour
The lack of RRSIGs is interesting as well, unsure if that is a bug too.
Other information
I cannot find any other name server (BIND, NSD, Unbound, 8.8.8.8) that chases CNAMEs for ANY queries.
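A check for the behaviour described in this issue, as an added example that is not part of the original report or of the PowerDNS code base: it parses `dig +dnssec` text and lists records that can only be there because the server followed the CNAME on a CNAME or ANY query. The function names and the sample response are constructed for illustration, and taking the alias's zone from the signer name of the CNAME's RRSIG is an assumption that requires DNSSEC-signed output.

```python
import re

NO_CHASE_QTYPES = {"CNAME", "ANY"}  # RFC 1034 section 3.6.2: "type CNAME or * query"

def parse_dig(text):
    """Split dig output into {section: [(owner, rtype, rdata), ...]}."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r";; (\w+) SECTION:", line)
        if m:
            current = m.group(1).lower()
            sections[current] = []
        elif current == "question" and line.startswith(";"):
            owner, _cls, rtype = line[1:].split()
            sections[current].append((owner.lower(), rtype, ""))
        elif current and line and not line.startswith(";"):
            owner, _ttl, _cls, rtype, rdata = line.split(None, 4)
            sections[current].append((owner.lower(), rtype, rdata))
    return sections

def chased_records(text):
    """Return (section, owner, type) for records that show CNAME chasing."""
    s = parse_dig(text)
    qname, qtype, _ = s["question"][0]
    answer = s.get("answer", [])
    if qtype not in NO_CHASE_QTYPES or not any(
            o == qname and t == "CNAME" for o, t, _ in answer):
        return []  # chasing is expected for other types, or there is no CNAME
    # Zone of the alias = signer name (8th rdata field) of the CNAME's RRSIG.
    zone = next((r.split()[7].lower() for o, t, r in answer
                 if o == qname and t == "RRSIG" and r.startswith("CNAME ")), None)
    # Answer records owned by another name were fetched by following the CNAME.
    found = [("answer", o, t) for o, t, _ in answer if o != qname]
    # Authority records outside the alias's zone come from the target's zone.
    found += [("authority", o, t) for o, t, _ in s.get("authority", [])
              if zone and not (o == zone or o.endswith("." + zone))]
    return found

# Constructed sample modelled on the first dig output above (signature shortened).
SAMPLE_CHASED = """\
;; QUESTION SECTION:
;alias.zone-a.example. IN CNAME
;; ANSWER SECTION:
alias.zone-a.example. 86400 IN CNAME www.zone-b.example.
alias.zone-a.example. 86400 IN RRSIG CNAME 8 2 86400 20181018000000 20180927000000 11111 zone-a.example. c2ln
;; AUTHORITY SECTION:
zone-b.example. 86400 IN SOA ns.zone-b.example. hostmaster.zone-b.example. 1 28800 7200 604800 86400
*.zone-a.example. 86400 IN NSEC mx.zone-a.example. CNAME RRSIG NSEC
*.zone-b.example. 86400 IN NSEC mail.zone-b.example. A RRSIG NSEC
"""
```

An empty list from `chased_records` means no evidence of chasing was found; without an RRSIG on the CNAME only the answer section is checked.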