gamelinux / passivedns

A network sniffer that logs all DNS server replies for use in a passive DNS setup
http://gamelinux.org/
1.67k stars 374 forks

TCP queries which result in NXDOMAIN with DNSSEC enabled are not logged #122

Closed tomarcade closed 3 years ago

tomarcade commented 3 years ago

Hi

I have passivedns running on an authoritative server. When querying this server for a non-existing host on a DNSSEC-enabled zone like "dig @server +tcp dasfasdf.myzone.com +norec +dnssec", then I have two situations:

When querying with "+nodnssec" (dig @server +tcp dasfasdf.myzone.com +norec +nodnssec), then the NXDOMAIN is always logged.

I assume that when the NSEC3 response is huge enough, then the NXDOMAIN isn't logged.

Is this possible? Any hints for this?

Thanks a lot. Tom

gamelinux commented 3 years ago

Hi Tom,

This is very possible :/ The problem is that there is no TCP stream reassembling in passivedns, so it will only parse one packet :/ I have written a new version of passivedns in golang (which I use in production), which deals with all this much better, but I was learning Golang as I wrote it, and I would love to clean up the code and publish it here on github one day. But time...

E
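The failure mode described above, as an added illustration (not code from passivedns): DNS over TCP prefixes each message with a 2-byte length, and a large DNSSEC NXDOMAIN response (NSEC3 plus RRSIGs) is split across several TCP segments, so a parser that looks at one packet never sees a complete message, while a small reassembler that buffers the stream does. The DNS message here is a constructed minimal header and question with opaque padding standing in for the authority section; `parse_single_packet`, `DnsTcpReassembler` and `demo` are names chosen for this example.

```python
import struct

def build_nxdomain_response(qname, padding_len):
    """Constructed response: QR=1, AA=1, RCODE=3 (NXDOMAIN), one question, padding in place of NSEC3/RRSIG data."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8403, 1, 0, 0, 0)
    labels = qname.rstrip(".").split(".")
    qn = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    question = qn + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    return header + question + b"\x00" * padding_len

def tcp_frame(msg):
    """RFC 1035 section 4.2.2 framing: two-byte big-endian length, then the message."""
    return struct.pack("!H", len(msg)) + msg

def segment(stream, mss):
    """Split the TCP byte stream into segment payloads of at most mss bytes."""
    return [stream[i:i + mss] for i in range(0, len(stream), mss)]

def rcode(msg):
    return struct.unpack("!H", msg[2:4])[0] & 0x0F

def parse_single_packet(payload):
    """Packet-at-a-time parsing: returns the RCODE only if a whole message fits in this one payload."""
    if len(payload) < 2:
        return None
    n = struct.unpack("!H", payload[:2])[0]
    if len(payload) < 2 + n:
        return None  # message continues in a later segment; this parser drops it
    return rcode(payload[2:2 + n])

class DnsTcpReassembler:
    """Buffers one direction of a TCP stream and yields complete length-prefixed DNS messages."""
    def __init__(self):
        self.buf = b""
    def feed(self, payload):
        self.buf += payload
        out = []
        while len(self.buf) >= 2:
            n = struct.unpack("!H", self.buf[:2])[0]
            if len(self.buf) < 2 + n:
                break  # wait for more segments
            out.append(self.buf[2:2 + n])
            self.buf = self.buf[2 + n:]
        return out

def demo(mss=536):
    small = segment(tcp_frame(build_nxdomain_response("dasfasdf.myzone.com", 0)), mss)
    large = segment(tcp_frame(build_nxdomain_response("dasfasdf.myzone.com", 2000)), mss)
    r = DnsTcpReassembler()
    reassembled = [rcode(m) for s in large for m in r.feed(s)]
    return parse_single_packet(small[0]), parse_single_packet(large[0]), reassembled
```

`demo()` returns `(3, None, [3])`: the plain NXDOMAIN is seen by both approaches, the padded one only after reassembly.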

tomarcade commented 3 years ago

Hi Edward

Thanks for your reply. I'll close this issue.