buffrr / hsd-axfr

HSD plugin that implements DNS zone transfer protocol (AXFR)

One last error I can't get rid of :) #4

Open james-stevens opened 2 years ago

james-stevens commented 2 years ago

In bind I've disabled IXFR, DNS Cookies & EDNS, but I'm still left with one error in hsd when bind pulls an AXFR

I have no idea where in the cycle it occurs. bind will usually poll the SOA Serial over UDP before deciding to do an AXFR.

Nov 27 14:00:43 hasroot user.notice hsd: [error] (ns) EFORMERR: unexpected authority.
Nov 27 14:00:43 hasroot user.notice hsd:     at RootServer.answer (/usr/local/hsd/node_modules/bns/lib/server/dns.js:242:13)
Nov 27 14:00:43 hasroot user.notice hsd:     at RootServer.handle (/usr/local/hsd/node_modules/bns/lib/server/dns.js:316:24)
Nov 27 14:00:43 hasroot user.notice hsd:     at Server.<anonymous> (/usr/local/hsd/node_modules/bns/lib/server/dns.js:72:20)
Nov 27 14:00:43 hasroot user.notice hsd:     at Server.emit (events.js:400:28)
Nov 27 14:00:43 hasroot user.notice hsd:     at TCPSocket.fire (/usr/local/hsd/node_modules/bns/lib/internal/net.js:350:17)
Nov 27 14:00:43 hasroot user.notice hsd:     at Parser.<anonymous> (/usr/local/hsd/node_modules/bns/lib/internal/net.js:365:12)
Nov 27 14:00:43 hasroot user.notice hsd:     at Parser.emit (events.js:400:28)
Nov 27 14:00:43 hasroot user.notice hsd:     at Parser.feed (/usr/local/hsd/node_modules/bns/lib/internal/net.js:574:12)
Nov 27 14:00:43 hasroot user.notice hsd:     at Socket.<anonymous> (/usr/local/hsd/node_modules/bns/lib/internal/net.js:396:19)
Nov 27 14:00:43 hasroot user.notice hsd:     at Socket.emit (events.js:400:28)
Nov 27 14:03:27 hasroot user.notice hsd: [warning] (axfr) name collision for xn--cckwcxetd. (prefer icann: true)
Nov 27 14:03:51 hasroot user.notice hsd: [warning] (axfr) name collision for music. (prefer icann: true)
Nov 27 14:05:40 hasroot user.notice hsd: [warning] (axfr) name collision for xn--jlq480n2rg. (prefer icann: true)
Nov 27 14:06:13 hasroot user.notice hsd: [warning] (axfr) name collision for xn--4dbrk0ce. (prefer icann: true)

Here are the relevant options I added - might be useful to anybody else if they're interested in this kind of thing :)

options {
...
        check-names master ignore;
        check-names slave ignore;
        check-names response ignore;
        check-sibling no;
        check-integrity no;

        request-ixfr no;
        send-cookie no;
        answer-cookie no;
        require-server-cookie no;
...
};

server 127.0.0.9 { edns no; };

There's absolutely no need for the AXFR from hsd to support any of these, so I'm more than happy to disable them all, but (as you know) I do think the hsd resolver really should support DNS Cookies.

BTW: 127.0.0.9 is my hsd instance.

exec /usr/local/hsd/bin/hsd \
        --plugins=/usr/local/hsd/axfr \
        --axfr-icann-servers='127.1.0.1' \
        --axfr-prefer-icann \
        --prefix=/ext/hsd-data/ \
        --ns-host 127.0.0.9 \
        --ns-port 53 \
        --no-sig0 \
        --log-level=${log} 2>&1 | logger -t hsd
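
The following is an added example for this thread, not code from hsd, bns, hsd-axfr or the reporter. It shows on the wire what "unexpected authority" refers to: a plain AXFR request has empty answer and authority sections (RFC 5936), while an IXFR request carries the client's current SOA in the authority section (RFC 1995), which is the usual way a transfer query ends up with a non-empty authority section. The acceptance check reproduces the effect described in the thread (a query with records in its authority section is answered with FORMERR); it is not bns's implementation. The server and contact names and the serial are made up, and the messages use no name compression.

```python
"""Added example (not hsd/bns/hsd-axfr code): build AXFR and IXFR requests,
frame them for TCP, and apply the FORMERR rule the thread describes."""
import struct

QTYPE_SOA, QTYPE_IXFR, QTYPE_AXFR = 6, 251, 252
RCODE_FORMERR = 1

def encode_name(name: str) -> bytes:
    """Uncompressed wire-format name; "." encodes as a single zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def decode_name(msg: bytes, off: int):
    """Return (name, offset past the name). Compression pointers are rejected
    because the messages built here never use them."""
    labels = []
    while True:
        length = msg[off]
        off += 1
        if length & 0xC0:
            raise ValueError("compression pointer not supported in this example")
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ((".".join(labels) + ".") if labels else "."), off

def soa_rdata(mname, rname, serial, refresh=1800, retry=900, expire=604800, minimum=86400):
    return encode_name(mname) + encode_name(rname) + struct.pack("!IIIII", serial, refresh, retry, expire, minimum)

def build_transfer_query(zone: str, msg_id: int, current_serial=None) -> bytes:
    """AXFR request when current_serial is None; otherwise an IXFR request whose
    authority section holds an SOA carrying the client's current serial."""
    qtype = QTYPE_AXFR if current_serial is None else QTYPE_IXFR
    question = encode_name(zone) + struct.pack("!HH", qtype, 1)
    authority, nscount = b"", 0
    if current_serial is not None:
        rdata = soa_rdata("ns.example.", "hostmaster.example.", current_serial)  # made-up names
        authority = encode_name(zone) + struct.pack("!HHIH", QTYPE_SOA, 1, 0, len(rdata)) + rdata
        nscount = 1
    header = struct.pack("!HHHHHH", msg_id, 0x0000, 1, 0, nscount, 0)  # QDCOUNT=1, NSCOUNT as built
    return header + question + authority

def tcp_frame(msg: bytes) -> bytes:
    """DNS over TCP: each message is preceded by its 2-byte big-endian length."""
    return struct.pack("!H", len(msg)) + msg

def parse_header(msg: bytes) -> dict:
    msg_id, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    return {"id": msg_id, "qr": bool(flags & 0x8000), "rcode": flags & 0x000F,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}

def parse_query(wire: bytes) -> dict:
    """Header fields plus the decoded question section and where it ends."""
    info = parse_header(wire)
    off, questions = 12, []
    for _ in range(info["qdcount"]):
        name, off = decode_name(wire, off)
        qtype, qclass = struct.unpack_from("!HH", wire, off)
        off += 4
        questions.append((name, qtype, qclass))
    info["questions"], info["question_end"] = questions, off
    return info

def check_transfer_request(wire: bytes) -> dict:
    """Acceptance rule for a transfer request. RFC 5936 requires the answer and
    authority sections of an AXFR query to be empty; the thread reports that bns
    refuses a query with a non-empty authority section with FORMERR before the
    plugin sees it. This reproduces that effect; it is not bns's code."""
    q = parse_query(wire)
    qtype = q["questions"][0][1] if q["questions"] else None
    if q["nscount"]:
        return {"rcode": RCODE_FORMERR, "reason": "unexpected authority", "qtype": qtype}
    if q["ancount"]:
        return {"rcode": RCODE_FORMERR, "reason": "unexpected answer", "qtype": qtype}
    return {"rcode": 0, "reason": None, "qtype": qtype}

def formerr_response(wire: bytes) -> bytes:
    """What the client sees: same ID, question echoed, QR set, RCODE=FORMERR, no RRs."""
    q = parse_query(wire)
    flags = 0x8000 | RCODE_FORMERR
    return struct.pack("!HHHHHH", q["id"], flags, q["qdcount"], 0, 0, 0) + wire[12:q["question_end"]]

if __name__ == "__main__":
    for label, serial in (("AXFR", None), ("IXFR", 2021112700)):
        req = build_transfer_query(".", 0x1234, serial)
        print(label, len(tcp_frame(req)), "bytes framed for TCP ->", check_transfer_request(req))
```

Run it and the AXFR request is accepted while the IXFR form is refused with "unexpected authority"; `formerr_response` shows why BIND logs nothing worse than a format error and carries on, since the ID and question are echoed and it simply falls back to a full transfer.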

buffrr commented 2 years ago

[error] (ns) EFORMERR: unexpected authority.

Hm, weird that you're still seeing this error even after disabling IXFR. It's unfortunate, but this error is thrown even before the plugin could see and handle it. We have to change this in the bns lib. The error is of type DNSError, which returns a FORMERR response here. So as long as bind is fine with it, it should be harmless.

Is bind still doing AXFR without issues despite this error?

james-stevens commented 2 years ago

Is bind still doing AXFR without issues despite this error?

Yes - everything is working fine - even the edns no & request-ixfr no were really only to get rid of errors - it was working fine without.

I don't like errors cos they have a terrible habit of being really important at 3am on a Sunday after you just went to a friend's wedding & had a few beers.

buffrr commented 2 years ago

I don't like errors cos they have a terrible habit of being really important at 3am on a Sunday after you just went to a friend's wedding & had a few beers

I hear ya. bns needs to be updated anyway; I'll try to submit a PR soon to clean up a few things in bns and fix this issue as well.

james-stevens commented 2 years ago

Sure no worries - it's just me being paranoid

that said, last night I had four alerts in the night - nothing serious, but it does kinda duck up your whole day

james-stevens commented 2 years ago

Getting some additional weird error messages now & I think it might be broken now as I'm no longer getting the "name collision for" messages.

Unfortunately, because the signing bind maintains the SOA Serial in its own special way, I don't really have any way to tell what the SOA Serial was on the data it imported from hsd. This is because bind needs to roll the SOA Serial when it refreshes RRSIG records on RR Sets that haven't changed in a while.

BTW: named-handshake-bridge is the instance of bind that gets the zone from hsd & signs it, 127.0.0.9 is hsd

Dec 23 14:41:01 hasroot local0.err named-handshake-bridge[996]: transfer of './IN (unsigned)' from 127.0.0.9#53: failed while receiving responses: extra input data
Dec 23 14:41:01 hasroot user.notice hsd: [error] (axfr) [127.0.0.1:33255] Transfer cancelled
Dec 23 14:41:01 hasroot user.notice hsd: [warning] (ns) Root server middleware resolution failed for name: .
Dec 23 14:52:44 hasroot user.notice hsd: [error] (ns) EFORMERR: unexpected authority.
Dec 23 14:52:44 hasroot user.notice hsd:     at RootServer.answer (/usr/local/hsd/node_modules/bns/lib/server/dns.js:242:13)
Dec 23 14:52:44 hasroot user.notice hsd:     at RootServer.handle (/usr/local/hsd/node_modules/bns/lib/server/dns.js:316:24)
Dec 23 14:52:44 hasroot user.notice hsd:     at Server.<anonymous> (/usr/local/hsd/node_modules/bns/lib/server/dns.js:72:20)
Dec 23 14:52:44 hasroot user.notice hsd:     at Server.emit (events.js:400:28)
Dec 23 14:52:44 hasroot user.notice hsd:     at TCPSocket.fire (/usr/local/hsd/node_modules/bns/lib/internal/net.js:350:17)
Dec 23 14:52:44 hasroot user.notice hsd:     at Parser.<anonymous> (/usr/local/hsd/node_modules/bns/lib/internal/net.js:365:12)
Dec 23 14:52:44 hasroot user.notice hsd:     at Parser.emit (events.js:400:28)
Dec 23 14:52:44 hasroot user.notice hsd:     at Parser.feed (/usr/local/hsd/node_modules/bns/lib/internal/net.js:574:12)
Dec 23 14:52:44 hasroot user.notice hsd:     at Socket.<anonymous> (/usr/local/hsd/node_modules/bns/lib/internal/net.js:396:19)
Dec 23 14:52:44 hasroot user.notice hsd:     at Socket.emit (events.js:400:28)
Dec 23 14:55:06 hasroot local0.err named-handshake-bridge[996]: transfer of './IN (unsigned)' from 127.0.0.9#53: failed while receiving responses: extra input data
Dec 23 14:55:06 hasroot user.notice hsd: [error] (axfr) [127.0.0.1:33163] Transfer cancelled
Dec 23 14:55:06 hasroot user.notice hsd: [warning] (ns) Root server middleware resolution failed for name: .
Dec 23 15:07:09 hasroot user.notice hsd: [error] (ns) EFORMERR: unexpected authority.
Dec 23 15:07:09 hasroot user.notice hsd:     at RootServer.answer (/usr/local/hsd/node_modules/bns/lib/server/dns.js:242:13)
Dec 23 15:07:09 hasroot user.notice hsd:     at RootServer.handle (/usr/local/hsd/node_modules/bns/lib/server/dns.js:316:24)
Dec 23 15:07:09 hasroot user.notice hsd:     at Server.<anonymous> (/usr/local/hsd/node_modules/bns/lib/server/dns.js:72:20)
Dec 23 15:07:09 hasroot user.notice hsd:     at Server.emit (events.js:400:28)
Dec 23 15:07:09 hasroot user.notice hsd:     at TCPSocket.fire (/usr/local/hsd/node_modules/bns/lib/internal/net.js:350:17)
Dec 23 15:07:09 hasroot user.notice hsd:     at Parser.<anonymous> (/usr/local/hsd/node_modules/bns/lib/internal/net.js:365:12)
Dec 23 15:07:09 hasroot user.notice hsd:     at Parser.emit (events.js:400:28)
Dec 23 15:07:09 hasroot user.notice hsd:     at Parser.feed (/usr/local/hsd/node_modules/bns/lib/internal/net.js:574:12)
Dec 23 15:07:09 hasroot user.notice hsd:     at Socket.<anonymous> (/usr/local/hsd/node_modules/bns/lib/internal/net.js:396:19)
Dec 23 15:07:09 hasroot user.notice hsd:     at Socket.emit (events.js:400:28)
Dec 23 15:09:27 hasroot local0.err named-handshake-bridge[996]: transfer of './IN (unsigned)' from 127.0.0.9#53: failed while receiving responses: extra input data
Dec 23 15:09:27 hasroot user.notice hsd: [error] (axfr) [127.0.0.1:37721] Transfer cancelled
Dec 23 15:09:27 hasroot user.notice hsd: [warning] (ns) Root server middleware resolution failed for name: .

The "Root server middleware resolution failed for name" messages only started two days ago (I've not changed anything!!!!) - they seem to be mutually exclusive with the collision messages.

Also, oddly, it seemed to fix itself for a while, then broke again.

My local copy of the ICANN ROOT zone seems to be working fine.

Dec 22 16:12:00 hasroot user.notice hsd: [warning] (ns) Root server middleware resolution failed for name: .
Dec 22 16:23:56 hasroot user.notice hsd: [warning] (ns) Root server middleware resolution failed for name: .
Dec 22 16:38:00 hasroot user.notice hsd: [warning] (ns) Root server middleware resolution failed for name: .
Dec 22 16:52:04 hasroot user.notice hsd: [warning] (ns) Root server middleware resolution failed for name: .
Dec 22 17:03:53 hasroot user.notice hsd: [warning] (ns) Root server middleware resolution failed for name: .
Dec 22 17:17:34 hasroot user.notice hsd: [warning] (ns) Root server middleware resolution failed for name: .
Dec 22 17:31:31 hasroot user.notice hsd: [warning] (ns) Root server middleware resolution failed for name: .
Dec 22 17:46:06 hasroot user.notice hsd: [warning] (ns) Root server middleware resolution failed for name: .
Dec 22 17:58:52 hasroot user.notice hsd: [warning] (ns) Root server middleware resolution failed for name: .
Dec 22 18:13:45 hasroot user.notice hsd: [warning] (ns) Root server middleware resolution failed for name: .
Dec 22 18:27:40 hasroot user.notice hsd: [warning] (ns) Root server middleware resolution failed for name: .
Dec 22 18:39:06 hasroot user.notice hsd: [warning] (ns) Root server middleware resolution failed for name: .
Dec 22 18:52:58 hasroot user.notice hsd: [warning] (ns) Root server middleware resolution failed for name: .
Dec 22 19:07:24 hasroot user.notice hsd: [warning] (axfr) name collision for xn--cckwcxetd. (prefer icann: true)
Dec 22 19:07:50 hasroot user.notice hsd: [warning] (axfr) name collision for music. (prefer icann: true)
Dec 22 19:09:48 hasroot user.notice hsd: [warning] (axfr) name collision for xn--jlq480n2rg. (prefer icann: true)
Dec 22 19:10:25 hasroot user.notice hsd: [warning] (axfr) name collision for xn--4dbrk0ce. (prefer icann: true)
Dec 22 20:35:36 hasroot user.notice hsd: [warning] (axfr) name collision for xn--cckwcxetd. (prefer icann: true)
Dec 22 20:36:01 hasroot user.notice hsd: [warning] (axfr) name collision for music. (prefer icann: true)
Dec 22 20:37:59 hasroot user.notice hsd: [warning] (axfr) name collision for xn--jlq480n2rg. (prefer icann: true)
Dec 22 20:38:35 hasroot user.notice hsd: [warning] (axfr) name collision for xn--4dbrk0ce. (prefer icann: true)
Dec 22 21:09:48 hasroot user.notice hsd: [warning] (axfr) name collision for xn--cckwcxetd. (prefer icann: true)
Dec 22 21:10:15 hasroot user.notice hsd: [warning] (axfr) name collision for music. (prefer icann: true)
Dec 22 21:12:17 hasroot user.notice hsd: [warning] (axfr) name collision for xn--jlq480n2rg. (prefer icann: true)
Dec 22 21:12:56 hasroot user.notice hsd: [warning] (axfr) name collision for xn--4dbrk0ce. (prefer icann: true)
Dec 22 22:37:15 hasroot user.notice hsd: [warning] (axfr) name collision for xn--cckwcxetd. (prefer icann: true)
Dec 22 22:37:42 hasroot user.notice hsd: [warning] (axfr) name collision for music. (prefer icann: true)
Dec 22 22:39:42 hasroot user.notice hsd: [warning] (axfr) name collision for xn--jlq480n2rg. (prefer icann: true)
Dec 22 22:40:20 hasroot user.notice hsd: [warning] (axfr) name collision for xn--4dbrk0ce. (prefer icann: true)
Dec 22 23:07:25 hasroot user.notice hsd: [warning] (axfr) name collision for xn--cckwcxetd. (prefer icann: true)
Dec 22 23:07:52 hasroot user.notice hsd: [warning] (axfr) name collision for music. (prefer icann: true)
Dec 22 23:09:52 hasroot user.notice hsd: [warning] (axfr) name collision for xn--jlq480n2rg. (prefer icann: true)
Dec 22 23:10:31 hasroot user.notice hsd: [warning] (axfr) name collision for xn--4dbrk0ce. (prefer icann: true)
Dec 23 00:35:36 hasroot user.notice hsd: [warning] (ns) Root server middleware resolution failed for name: .
Dec 23 00:50:17 hasroot user.notice hsd: [warning] (ns) Root server middleware resolution failed for name: .
Dec 23 01:02:35 hasroot user.notice hsd: [warning] (ns) Root server middleware resolution failed for name: .
Dec 23 01:14:37 hasroot user.notice hsd: [warning] (ns) Root server middleware resolution failed for name: .
Dec 23 01:27:12 hasroot user.notice hsd: [warning] (ns) Root server middleware resolution failed for name: .
Dec 23 01:40:27 hasroot user.notice hsd: [warning] (ns) Root server middleware resolution failed for name: .
Dec 23 01:52:51 hasroot user.notice hsd: [warning] (ns) Root server middleware resolution failed for name: .
Dec 23 02:06:59 hasroot user.notice hsd: [warning] (ns) Root server middleware resolution failed for name: .
Dec 23 02:19:59 hasroot user.notice hsd: [warning] (ns) Root server middleware resolution failed for name: .
Dec 23 02:33:42 hasroot user.notice hsd: [warning] (ns) Root server middleware resolution failed for name: .
Dec 23 02:48:26 hasroot user.notice hsd: [warning] (ns) Root server middleware resolution failed for name: .

I'll change this to info and see what I get - debug is just a little too noisy for me!

      } catch (e) {
        this.logger.warning(
          'Root server middleware resolution failed for name: %s',
          name
        );
        this.logger.debug(e.stack);
      }

(hsd lib/dns/server.js, around line 489)
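
The BIND failure quoted above, "failed while receiving responses: extra input data", is BIND's name (DNS_R_EXTRADATA) for a message whose length-prefixed TCP frame contains more bytes than its section counts account for. The following added example, not code from hsd, hsd-axfr or BIND, checks an AXFR response stream the way a strict client does: split the stream into 2-byte-length frames, walk every section of each message by its counts, and report bytes left over. The transfer stream is constructed (made-up names, serial and DS digest); the second stream has an extra RR spliced into the first frame without adjusting ANCOUNT, which is one way to produce that exact symptom. Whether that is what happened in the reporter's setup is not established by the thread.

```python
"""Added example (not hsd/hsd-axfr/BIND code): detect "extra input data" in a
DNS-over-TCP zone-transfer stream by checking that each framed message is
consumed exactly by its section counts."""
import struct

def encode_name(name: str) -> bytes:
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def rr(name: str, rtype: int, ttl: int, rdata: bytes) -> bytes:
    """Resource record: NAME TYPE CLASS(IN) TTL RDLENGTH RDATA."""
    return encode_name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata

def message(msg_id: int, question: bytes, answers: list) -> bytes:
    """AXFR response message: QR|AA set, ANCOUNT = number of answer RRs."""
    header = struct.pack("!HHHHHH", msg_id, 0x8400, 1, len(answers), 0, 0)
    return header + question + b"".join(answers)

def frame(msg: bytes) -> bytes:
    """TCP framing: 2-byte big-endian length, then exactly one message."""
    return struct.pack("!H", len(msg)) + msg

def skip_name(msg: bytes, off: int) -> int:
    """Advance past a wire-format name; a compression pointer (top two bits
    set) is two bytes and terminates the name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length

def parse_message(msg: bytes) -> dict:
    """Walk all four sections by count. Raises on short data; reports leftovers."""
    msg_id, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4              # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        (rdlen,) = struct.unpack_from("!H", msg, off + 8)   # after TYPE, CLASS, TTL
        off += 10 + rdlen
    if off > len(msg):
        raise ValueError("message truncated")
    return {"id": msg_id, "rcode": flags & 0xF, "ancount": an, "extra": len(msg) - off}

def check_stream(stream: bytes) -> list:
    """Split a TCP byte stream into frames and classify each message."""
    results, off = [], 0
    while off < len(stream):
        if off + 2 > len(stream):
            results.append({"frame": len(results), "status": "truncated frame"})
            break
        (length,) = struct.unpack_from("!H", stream, off)
        body = stream[off + 2:off + 2 + length]
        off += 2 + length
        if len(body) < length:
            results.append({"frame": len(results), "status": "truncated frame"})
            break
        try:
            info = parse_message(body)
        except (ValueError, IndexError, struct.error):
            results.append({"frame": len(results), "status": "malformed message"})
            continue
        status = "ok" if info["extra"] == 0 else "extra input data"
        results.append({"frame": len(results), "status": status, "id": info["id"],
                        "ancount": info["ancount"], "extra": info["extra"]})
    return results

# Constructed sample transfer of the root zone: SOA, two RRs, closing SOA.
ROOT_AXFR_Q = encode_name(".") + struct.pack("!HH", 252, 1)
SOA = rr(".", 6, 86400, encode_name("ns.example.") + encode_name("hostmaster.example.")
         + struct.pack("!IIIII", 2021122301, 1800, 900, 604800, 86400))
NS_MUSIC = rr("music.", 2, 86400, encode_name("ns1.music."))
DS_MUSIC = rr("music.", 43, 86400, struct.pack("!HBB", 12345, 13, 2) + bytes(32))  # dummy digest
GOOD_STREAM = (frame(message(0x0001, ROOT_AXFR_Q, [SOA]))
               + frame(message(0x0001, ROOT_AXFR_Q, [NS_MUSIC, DS_MUSIC]))
               + frame(message(0x0001, ROOT_AXFR_Q, [SOA])))

def splice_into_first_frame(stream: bytes, junk: bytes) -> bytes:
    """Append bytes to the first frame's body (and its length prefix) without
    touching the header counts, so the counts no longer cover the body."""
    (length,) = struct.unpack_from("!H", stream, 0)
    return frame(stream[2:2 + length] + junk) + stream[2 + length:]

BAD_STREAM = splice_into_first_frame(GOOD_STREAM, NS_MUSIC)

if __name__ == "__main__":
    for label, s in (("good", GOOD_STREAM), ("bad", BAD_STREAM)):
        print(label, [r["status"] for r in check_stream(s)])
```

A client that hits "extra input data" on one frame cannot trust the rest of the stream: it has no way to tell where the next legitimate frame starts, so aborting the transfer (which is what BIND did) is the right behaviour.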

james-stevens commented 2 years ago

Looks like it fixed itself again !

Dec 23 16:29:13 hasroot user.notice hsd: [warning] (ns) Root server middleware resolution failed for name: .
Dec 23 16:42:27 hasroot user.notice hsd: [warning] (ns) Root server middleware resolution failed for name: .
Dec 23 16:56:44 hasroot user.notice hsd: [warning] (ns) Root server middleware resolution failed for name: .
Dec 23 17:10:20 hasroot user.notice hsd: [warning] (ns) Root server middleware resolution failed for name: .
Dec 23 17:24:58 hasroot user.notice hsd: [warning] (ns) Root server middleware resolution failed for name: .
Dec 23 17:39:24 hasroot user.notice hsd: [warning] (ns) Root server middleware resolution failed for name: .
Dec 23 17:52:24 hasroot user.notice hsd: [warning] (ns) Root server middleware resolution failed for name: .
Dec 23 18:04:08 hasroot user.notice hsd: [warning] (ns) Root server middleware resolution failed for name: .
Dec 23 18:17:12 hasroot user.notice hsd: [warning] (ns) Root server middleware resolution failed for name: .
Dec 23 18:29:34 hasroot user.notice hsd: [warning] (ns) Root server middleware resolution failed for name: .
Dec 23 18:44:30 hasroot user.notice hsd: [warning] (ns) Root server middleware resolution failed for name: .
Dec 23 18:59:04 hasroot user.notice hsd: [warning] (ns) Root server middleware resolution failed for name: .
Dec 23 19:12:19 hasroot user.notice hsd: [warning] (ns) Root server middleware resolution failed for name: .
Dec 23 19:27:17 hasroot user.notice hsd: [warning] (axfr) name collision for xn--cckwcxetd. (prefer icann: true)
Dec 23 19:27:43 hasroot user.notice hsd: [warning] (axfr) name collision for music. (prefer icann: true)
Dec 23 19:29:31 hasroot user.notice hsd: [warning] (axfr) name collision for xn--jlq480n2rg. (prefer icann: true)
Dec 23 19:30:06 hasroot user.notice hsd: [warning] (axfr) name collision for xn--4dbrk0ce. (prefer icann: true)
Dec 23 20:46:47 hasroot user.notice hsd: [warning] (axfr) name collision for xn--cckwcxetd. (prefer icann: true)
Dec 23 20:47:12 hasroot user.notice hsd: [warning] (axfr) name collision for music. (prefer icann: true)
Dec 23 20:49:02 hasroot user.notice hsd: [warning] (axfr) name collision for xn--jlq480n2rg. (prefer icann: true)
Dec 23 20:49:37 hasroot user.notice hsd: [warning] (axfr) name collision for xn--4dbrk0ce. (prefer icann: true)
Dec 23 21:21:30 hasroot user.notice hsd: [warning] (axfr) name collision for xn--cckwcxetd. (prefer icann: true)
Dec 23 21:21:54 hasroot user.notice hsd: [warning] (axfr) name collision for music. (prefer icann: true)
Dec 23 21:23:46 hasroot user.notice hsd: [warning] (axfr) name collision for xn--jlq480n2rg. (prefer icann: true)
Dec 23 21:24:19 hasroot user.notice hsd: [warning] (axfr) name collision for xn--4dbrk0ce. (prefer icann: true)
Dec 23 22:48:14 hasroot user.notice hsd: [warning] (axfr) name collision for xn--cckwcxetd. (prefer icann: true)

james-stevens commented 1 year ago

So long as the axfr works, this prob doesn't matter, but the bind settings I've described above might be useful for others.

I still get "Root server middleware resolution failed for name" - it seems to be caused by two axfr instances starting at the same time - one works, the other fails with that error - but it looks like the second axfr is getting cancelled anyway .. this is doing the axfr by running dig, so I have no idea why it would run two.

Previously, I was running the axfr directly into bind.

Apr 23 04:44:02 hasroot user.notice hsd: [info] (axfr) [192.168.3.160:48559]  Starting zone transfer
Apr 23 04:44:12 hasroot user.notice hsd: [info] (axfr) [192.168.3.160:37135]  Starting zone transfer
Apr 23 04:44:16 hasroot user.notice hsd: [info] (axfr) [192.168.3.160:37135] Records sent 1005
Apr 23 04:44:16 hasroot user.notice hsd: [info] (axfr) [192.168.3.160:48559] Records sent 1005
Apr 23 04:44:16 hasroot user.notice hsd: [error] (axfr) [192.168.3.160:48559] Transfer cancelled
Apr 23 04:44:16 hasroot user.notice hsd: [warning] (ns) Root server middleware resolution failed for name: .
Apr 23 04:44:16 hasroot user.notice hsd: [info] (ns) Error: unable to write message
Apr 23 04:44:16 hasroot user.notice hsd:     at MessageWriter.flush (/usr/local/hsd/axfr/lib/client.js:378:13)
Apr 23 04:44:16 hasroot user.notice hsd:     at async MessageWriter.writeRR (/usr/local/hsd/axfr/lib/client.js:361:7)
Apr 23 04:44:16 hasroot user.notice hsd:     at async Plugin.sendAXFR (/usr/local/hsd/axfr/lib/axfr.js:240:9)
Apr 23 04:44:16 hasroot user.notice hsd:     at async RootServer.Plugin.ns.middle (/usr/local/hsd/axfr/lib/axfr.js:81:16)
Apr 23 04:44:16 hasroot user.notice hsd:     at async RootServer.resolve (/usr/local/hsd/lib/dns/server.js:486:15)
Apr 23 04:44:16 hasroot user.notice hsd:     at async RootServer.answer (/usr/local/hsd/node_modules/bns/lib/server/dns.js:249:17)
Apr 23 04:44:16 hasroot user.notice hsd:     at async RootServer.handle (/usr/local/hsd/node_modules/bns/lib/server/dns.js:316:13)
Apr 23 04:44:16 hasroot user.notice hsd:     at async Server.<anonymous> (/usr/local/hsd/node_modules/bns/lib/server/dns.js:72:9)
Apr 23 04:44:29 hasroot user.notice hsd: [info] (axfr) [192.168.3.160:37135] Records sent 1974
Apr 23 04:44:40 hasroot user.notice hsd: [info] (axfr) [192.168.3.160:37135] Records sent 2967
Apr 23 04:44:50 hasroot user.notice hsd: [info] (axfr) [192.168.3.160:37135] Records sent 3986
Apr 23 04:44:59 hasroot user.notice hsd: [info] (axfr) [192.168.3.160:37135] Records sent 4963
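
The observation above (two transfers from the same host in flight at once, one of them cancelled, with the (ns) warning logged in the same second) can be checked mechanically rather than by eye. The following is an added example, not hsd or hsd-axfr code: it parses hsd's syslog lines, groups the (axfr) messages per client socket into transfer records, reports overlapping transfers, and lists the non-axfr messages logged within a second of each cancellation. The sample lines are copied from the comment above; syslog timestamps carry no year, so one is assumed.

```python
"""Added example (not hsd/hsd-axfr code): correlate hsd (axfr) log lines per
client socket to find overlapping transfers and the context of cancellations."""
import re
from datetime import datetime, timedelta

# Lines copied from the comment above (one stack-trace continuation line kept to
# show it is ignored).
SAMPLE_LOG = """\
Apr 23 04:44:02 hasroot user.notice hsd: [info] (axfr) [192.168.3.160:48559]  Starting zone transfer
Apr 23 04:44:12 hasroot user.notice hsd: [info] (axfr) [192.168.3.160:37135]  Starting zone transfer
Apr 23 04:44:16 hasroot user.notice hsd: [info] (axfr) [192.168.3.160:37135] Records sent 1005
Apr 23 04:44:16 hasroot user.notice hsd: [info] (axfr) [192.168.3.160:48559] Records sent 1005
Apr 23 04:44:16 hasroot user.notice hsd: [error] (axfr) [192.168.3.160:48559] Transfer cancelled
Apr 23 04:44:16 hasroot user.notice hsd: [warning] (ns) Root server middleware resolution failed for name: .
Apr 23 04:44:16 hasroot user.notice hsd: [info] (ns) Error: unable to write message
Apr 23 04:44:16 hasroot user.notice hsd:     at MessageWriter.flush (/usr/local/hsd/axfr/lib/client.js:378:13)
Apr 23 04:44:29 hasroot user.notice hsd: [info] (axfr) [192.168.3.160:37135] Records sent 1974
Apr 23 04:44:59 hasroot user.notice hsd: [info] (axfr) [192.168.3.160:37135] Records sent 4963
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ \S+ hsd: "
    r"\[(?P<level>\w+)\] \((?P<comp>\w+)\) "
    r"(?:\[(?P<client>[\d.]+:\d+)\] +)?(?P<msg>.*)$"
)

def parse_lines(text: str, year: int = 2023) -> list:
    """Structured events; lines without a [level] (component) prefix are dropped.
    The year is assumed because syslog timestamps do not carry one."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "level": m["level"], "comp": m["comp"],
                       "client": m["client"], "msg": m["msg"].strip()})
    return events

def transfers(events: list) -> list:
    """One record per client socket (ip:port), built from the (axfr) lines."""
    by_client = {}
    for e in events:
        if e["comp"] != "axfr" or not e["client"]:
            continue
        rec = by_client.setdefault(e["client"], {"client": e["client"], "start": None,
                                                  "end": None, "records": 0, "cancelled": False})
        if e["msg"].startswith("Starting zone transfer"):
            rec["start"] = e["ts"]
        elif e["msg"].startswith("Records sent"):
            rec["records"], rec["end"] = int(e["msg"].rsplit(None, 1)[1]), e["ts"]
        elif e["msg"].startswith("Transfer cancelled"):
            rec["cancelled"], rec["end"] = True, e["ts"]
    return list(by_client.values())

def overlapping(records: list) -> list:
    """Pairs of transfers whose [start, end] intervals intersect."""
    pairs = []
    for i, a in enumerate(records):
        for b in records[i + 1:]:
            if (all((a["start"], a["end"], b["start"], b["end"]))
                    and a["start"] <= b["end"] and b["start"] <= a["end"]):
                pairs.append((a["client"], b["client"]))
    return pairs

def cancel_context(events: list, records: list, window=timedelta(seconds=1)) -> dict:
    """Non-axfr messages logged within `window` of each cancelled transfer."""
    out = {}
    for rec in records:
        if rec["cancelled"]:
            out[rec["client"]] = [e["msg"] for e in events
                                  if e["comp"] != "axfr" and abs(e["ts"] - rec["end"]) <= window]
    return out

if __name__ == "__main__":
    ev = parse_lines(SAMPLE_LOG)
    tr = transfers(ev)
    print("overlapping:", overlapping(tr))
    print("cancel context:", cancel_context(ev, tr))
```

On the sample, the two transfers from 192.168.3.160 overlap, the one on port 48559 is the cancelled one, and both the "Root server middleware resolution failed" warning and "Error: unable to write message" land in the same second as the cancellation, which is the pattern described in the comment.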

james-stevens commented 1 year ago

Any chance you can enable "Discussions" on this repo, so I can make comments without using "Issues" ?

The comment I wanted to make was, now the Handshake ROOT is so big, and the VAST majority of TLDs will never get any queries, the value of dumping the entire zone is massively diminished. The cost of the zone transfer is so high (without IXFR support), it's almost certainly better to run bind set for sending ROOT zone queries to hsd, like I do here

https://github.com/james-stevens/handshake-bind-hns

bind will then cache the answers from hsd, and you can just run more hsd if there's a bottleneck at that point. You could probably also run an extra layer of dedicated ROOT zone caches to reduce the queries sent to hsd.

There's still the issue of getting DNSSEC working, but you're on the case there. Can you just send a NODATA response instead of an NXDOMAIN ?

Also - could you make a version of id.js that worked as a plug-in for hsd - that would be REALLY cool