PowerDNS / pdns

PowerDNS Authoritative, PowerDNS Recursor, dnsdist
https://www.powerdns.com/
GNU General Public License v2.0

auth&rec follow CNAME chains on ANY queries #5769

Open Habbie opened 7 years ago

Habbie commented 7 years ago

Short description

When queried for a name that holds a CNAME record, that CNAME should only be chased if the query type is something other than CNAME or ANY. However, both our auth and rec do chase the CNAME when the query type is ANY. This is wrong.

Environment

Steps to reproduce

  1. dig any doc.powerdns.com @pdns-public-ns2.powerdns.com

Expected behaviour

;; ANSWER SECTION:
doc.powerdns.com.   741 IN  CNAME   web1.powerdns.com.
doc.powerdns.com.   741 IN  RRSIG   CNAME 8 3 3600 20171019000000 20170928000000 36021 powerdns.com. kzSUWs6Sx1svoBRVRHJUfzNVNK3WbdGt2kRw25EziK9EhpGlELBJNaxJ owLWeosY1suHG4zkw7/i9ixKMMYAEbhx3xKZdUP+DY1wDoz13p5mgNaK NmsFY4hXl/tVT5fQ7PQg9oE7pX1wIZfj8wOInzYFdCfe7os3jifpi7/1 M6I=

Actual behaviour

;; ANSWER SECTION:
doc.powerdns.com.   3600    IN  CNAME   web1.powerdns.com.
web1.powerdns.com.  3600    IN  AAAA    2a03:b0c0:2:d0::4ab:8001
web1.powerdns.com.  3600    IN  A   188.166.104.92

The lack of RRSIGs is interesting as well, unsure if that is a bug too.

Other information

I cannot find any other name server (BIND, NSD, Unbound, 8.8.8.8) that chases CNAMEs for ANY queries.

Habbie commented 6 years ago

And here is 4.1.3 apparently chasing on a CNAME query:

 dig cname   b8uc4axsv0.1800.nl @nsauth1.bit.nl +dnssec

; <<>> DiG 9.12.2-P1 <<>> cname b8uc4axsv0.1800.nl @nsauth1.bit.nl +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9497
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 8, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1680
;; QUESTION SECTION:
;b8uc4axsv0.1800.nl.        IN  CNAME

;; ANSWER SECTION:
b8uc4axsv0.1800.nl. 86400   IN  CNAME   www.mv.nl.
b8uc4axsv0.1800.nl. 86400   IN  RRSIG   CNAME 8 2 86400 20181018000000 20180927000000 34443 1800.nl. LCoe3RjhpEPDYXQPg3cCaDZwjhNVLRpGJIMUY9ueAXwukIw3YxwSSxAd wAJiVWAiJXW+fOdGWN4BFqENq6VqVEebflQJHKOPcUbOuBHRLLHA4Lrq 2ExYl0Gu/GrQfy5XvjAM+DB4JzZtDbFn3fVjnYuLIYsUFU/J3uGslIoi Lbs=

;; AUTHORITY SECTION:
mv.nl.          86400   IN  SOA nsauth1.bit.nl. hostmaster.mediavillage.nl. 2017091100 28800 7200 604800 86400
mv.nl.          86400   IN  RRSIG   SOA 8 2 86400 20181018000000 20180927000000 30604 mv.nl. 1s6TT/SF73B0REidKb2XriqR6lL4kpb+i7tGeFTsmP7W/tXZdT3veIrT 7OQshTRYA2cUXs1RM3sxoN+Wibv/xhRnH+Q6j6yR6mRZZK1izj4cQ+/6 RHZPM6DWi4caytcEn4nDuJSBEL1DPQQczJ2rN9Nyus+Tyed/3A4Us7OI gx0=
*.1800.nl.      86400   IN  NSEC    mx.1800.nl. CNAME RRSIG NSEC
*.1800.nl.      86400   IN  RRSIG   NSEC 8 2 86400 20181018000000 20180927000000 34443 1800.nl. eTj6MfB7QO6vAFc0K2mt967a+6X/Oune6tHEldEABIVKLfgdODJwtKHn m6DIjF5dpW49/DEpBML4UjD+CbkKn6Xygq1eERWO7gECwQ2hzJ/z/XBz g3VQG82heG1SaMgZ9m68JyAcPh+BgcWVl/wBESXxWOk/8PqrRGrYTsPk INg=
verkoop.mv.nl.      86400   IN  NSEC    mv.nl. CNAME RRSIG NSEC
verkoop.mv.nl.      86400   IN  RRSIG   NSEC 8 3 86400 20181018000000 20180927000000 30604 mv.nl. 0uh6KHkWDHmYedqp/d5AAPe9vluFjvHyA5ahnJKZwzZJ/bBt+xQzKGev vq3l6u7olwQxu69PbYs0nfUHyqpxKO2gSfT3GIH3orHgNSfhnBgVjrBy Gt1B0yjYv4AzSTOW0TOsYOHFB06M6NnafOvPkxQmISCAq0+jfrgknmy2 LUw=
*.mv.nl.        86400   IN  NSEC    _domainkey.mv.nl. A RRSIG NSEC
*.mv.nl.        86400   IN  RRSIG   NSEC 8 2 86400 20181018000000 20180927000000 30604 mv.nl. ARVVX8Uv+sx8nl49dQTU5hcqSTGtu8C6fznGiWTbPlQlakl+NKbDbzqi En4ZeYgSup8VbT4N+7eeeSOtgPDC1Ijzk29by1BLZqCQbPTCzLzmvjLC lElZ6/Uu+tI2xyX3nR7zU+IChWmq2nKrKD0vq7YJjVOjR2mO2n5Qthv9 sc0=

;; Query time: 52 msec
;; SERVER: 213.136.12.51#53(213.136.12.51)
;; WHEN: Tue Oct 09 17:24:40 CEST 2018
;; MSG SIZE  rcvd: 1078

Habbie commented 5 years ago

Different, related, weird (rec 4.1.7); note the double NSEC:

dig 'blabla.50.nl' +dnssec

; <<>> DiG 9.12.2-P1 <<>> blabla.50.nl +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59679
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 6, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;blabla.50.nl.          IN  A

;; ANSWER SECTION:
blabla.50.nl.       86345   IN  CNAME   www.mv.nl.
www.mv.nl.      495 IN  A   213.136.12.232
blabla.50.nl.       86345   IN  RRSIG   CNAME 8 2 86400 20181122000000 20181101000000 40626 50.nl. uiM7lHcP4o+t1DHX2enBN9XLVXYHvr4+GgM7PhDoT02mHNqxMUt4D5RM 8cri7hp7gIpEPdr3ai8BGqi3rfdliIa97kCs4kq+KEzBxBsuSDpLvfv7 L5Bwdt7qEP6yNjd3SOvZY5paFq2iXR/Pxrkvz0o/HR5BZj29cKP2C32F 1dg=
www.mv.nl.      495 IN  RRSIG   A 8 2 600 20181122000000 20181101000000 30604 mv.nl. ExOS+jobr1pFKwLIQ++v3utl+Fuo3RTdekvPxEnpKSptfF6x5fbL2GE8 OR+3EHEC+SNndiDVMhu7qg/sNwlARL/3V6igoTugokVfkB9xbGVlGvVN KvOUhoujbc2m6ptrxqSGQWQmGl1nlSUI/MH8RFtyJihl2udxUgXiNKT1 u5c=

;; AUTHORITY SECTION:
*.50.nl.        86345   IN  NSEC    mx.50.nl. CNAME RRSIG NSEC
verkoop.mv.nl.      86345   IN  NSEC    mv.nl. CNAME RRSIG NSEC
verkoop.mv.nl.      495 IN  NSEC    mv.nl. CNAME RRSIG NSEC
*.50.nl.        86345   IN  RRSIG   NSEC 8 2 86400 20181122000000 20181101000000 40626 50.nl. AlCnQVOE/7xxIopIo/7jgONmE0JoGFpkDqm0Zxj+MZxJa4NlvLL3SxoC qTk06gFQV2ThFCl6yi9foLU+zO0q3QAO63gBRRJ3JjPve8S4CtaafRUz CP1OFFx2qsmVXJwYi64itpTHPcxi+g/kFGffv0NZO0TVOm2QjzcG541i owI=
verkoop.mv.nl.      86345   IN  RRSIG   NSEC 8 3 86400 20181122000000 20181101000000 30604 mv.nl. DUhsUX2oHlqJVNNo6HddWGZbtVT/yyvfqMU1FM7l1YYe6JJQYYfnrc3i Wo012v6a+f/EfvZOhsRb5m1tyD1PNTjSmHul+HGF1GrEQyvaHTTMOm5T gCuapKaeIAhzrseh9eXf5aGuHawuvLT4DZcW++U2WF97Mx8d60eR7dQ1 XdU=
verkoop.mv.nl.      495 IN  RRSIG   NSEC 8 3 86400 20181122000000 20181101000000 30604 mv.nl. DUhsUX2oHlqJVNNo6HddWGZbtVT/yyvfqMU1FM7l1YYe6JJQYYfnrc3i Wo012v6a+f/EfvZOhsRb5m1tyD1PNTjSmHul+HGF1GrEQyvaHTTMOm5T gCuapKaeIAhzrseh9eXf5aGuHawuvLT4DZcW++U2WF97Mx8d60eR7dQ1 XdU=

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Nov 09 21:22:07 CET 2018
;; MSG SIZE  rcvd: 997

Habbie commented 1 year ago

Reference in https://www.rfc-editor.org/rfc/rfc1034#section-3.6.2

Both of these RRs would be returned in the response to the type A query, while a type CNAME or * query should return just the CNAME.
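
A regression check for the behaviour this issue describes, as an added example that is not part of the issue thread or the PowerDNS code base: it parses dig's default text output and reports answer records owned by a name other than the queried one when the query type is CNAME or ANY. The function names and the sample (documentation-range names and addresses) are constructed for illustration.

```python
import re

# Query types for which RFC 1034 section 3.6.2 says only the CNAME is returned.
NO_CHASE_QTYPES = {"CNAME", "ANY"}

def parse_dig(text):
    """Extract (qname, qtype) and answer records from dig's default text output."""
    section, question, answers = None, None, []
    for raw in text.splitlines():
        line = raw.strip()
        header = re.match(r";; (\w+) SECTION:", line)
        if header:
            section = header.group(1)
        elif not line:
            section = None  # a blank line ends the current section
        elif section == "QUESTION" and line.startswith(";"):
            fields = line[1:].split()
            question = (fields[0].lower(), fields[-1].upper())
        elif section == "ANSWER" and not line.startswith(";"):
            owner, _ttl, _cls, rtype, *rdata = line.split()
            answers.append((owner.lower(), rtype.upper(), " ".join(rdata)))
    if question is None:
        raise ValueError("no QUESTION SECTION found in dig output")
    return question, answers

def chased_records(text):
    """Return answer records that show CNAME chasing on a CNAME or ANY query."""
    (qname, qtype), answers = parse_dig(text)
    if qtype not in NO_CHASE_QTYPES:
        return []  # chasing is expected for every other query type
    has_cname = any(o == qname and t == "CNAME" for o, t, _ in answers)
    return [r for r in answers if has_cname and r[0] != qname]

# Constructed sample modelled on the issue's "Actual behaviour" output.
CHASED = """
;; QUESTION SECTION:
;doc.example.com.   IN  ANY

;; ANSWER SECTION:
doc.example.com.    3600    IN  CNAME   web1.example.com.
web1.example.com.   3600    IN  AAAA    2001:db8::10
web1.example.com.   3600    IN  A   192.0.2.10
"""

if __name__ == "__main__":
    for owner, rtype, rdata in chased_records(CHASED):
        print(f"chased on ANY: {owner} {rtype} {rdata}")
```

An empty result for an ANY or CNAME query means the server returned only records at the queried name, which is the expected behaviour quoted from the RFC.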