edns client subnet fallback or blacklisting?

2018-01-02 Thread Dan McCombs via Unbound-users
Hello,

I've come across an authoritative that responds with BADVERS when edns
client subnet is sent in a query to it; for example, it can only be
queried with dig if edns is turned off and no subnet is set:

fails:

dig www.tsp.gov @ns2.tsp.gov

; <<>> DiG 9.11.2 <<>> www.tsp.gov @ns2.tsp.gov
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: BADVERS, id: 44363
;; flags: qr rd ad; QUERY: 0, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; Query time: 18 msec
;; SERVER: 74.113.204.34#53(74.113.204.34)
;; WHEN: Tue Jan 02 15:09

fails:

dig +noedns www.tsp.gov @ns2.tsp.gov +subnet=162.88.100.192

; <<>> DiG 9.11.2 <<>> +noedns www.tsp.gov @ns2.tsp.gov +subnet=162.88.100.192
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: BADVERS, id: 60645
;; flags: qr rd ad; QUERY: 0, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; Query time: 19 msec
;; SERVER: 74.113.204.34#53(74.113.204.34)
;; WHEN: Tue Jan 02 15:10:21 EST 2018
;; MSG SIZE  rcvd: 23

works:

dig +noedns www.tsp.gov @ns2.tsp.gov

; <<>> DiG 9.11.2 <<>> +noedns www.tsp.gov @ns2.tsp.gov
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50317
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;www.tsp.gov.   IN  A

;; ANSWER SECTION:
www.tsp.gov.    900 IN  A   74.113.204.129

;; AUTHORITY SECTION:
tsp.gov.    900 IN  NS  ns1.tsp.gov.
tsp.gov.    900 IN  NS  ns2.tsp.gov.

;; ADDITIONAL SECTION:
ns1.tsp.gov.    900 IN  A   74.113.206.34
ns2.tsp.gov.    900 IN  A   74.113.204.34

;; Query time: 19 msec
;; SERVER: 74.113.204.34#53(74.113.204.34)
;; WHEN: Tue Jan 02 15:10:38 EST 2018
;; MSG SIZE  rcvd: 113


When I query this host through an Unbound resolver with edns client
subnet enabled for 0.0.0.0, it returns a SERVFAIL. Removing
send-client-subnet from Unbound's config allows it to resolve.

Is there any config I'm missing to allow Unbound to fall back to querying
without edns client subnet if a query with it fails? Or is there a way
to blacklist just those authoritatives without having to whitelist all
other subnets?

Thanks,

-Dan



Re: wildcard dnssec test fails

2018-01-02 Thread W.C.A. Wijngaards via Unbound-users
Hi Viktor,

On 20/12/17 09:15, Viktor Dukhovni via Unbound-users wrote:
> On Tue, Dec 19, 2017 at 06:08:50AM +, Viktor Dukhovni wrote:
> 
>> The original code uses non-portable undefined overflow behaviour
>> for signed integer arithmetic.  The compiler is free to replace
>> "incep - expi > 0" with "incep > expi".  The intermediate "var"
>> may in some cases avoid the problem, but this is still brittle
>> under optimization.  To avoid non-deterministic behaviour unsigned
>> arithmetic must be used:
>>
>> uint32_t incep;
>> uint32_t expi;
>>
>> /*
>>  * In serial number arithmetic a > b iff as unsigned integers mod 2^32
>>  * we have (a - b) < (b - a)
>>  */
>> if ((incep - expi) < (expi - incep)) {
>>  ... fail ...
>> }
>>
>> The same code should be used for SOA comparisons.
> 
> I should perhaps note that in the RFC1982 definition of sequence
> space arithmetic, two points that are diametrically opposite on
> the circle are not comparable.
> 
> Since such ambiguity should be a failure case, a more precisely
> correct condition is
> 
> if ((incep - expi) <= (expi - incep)) {
>   ... fail ...
> }
> 
> Note that this now also includes incep == expi, which should never
> be the case for RRSIGs, and so for RRSIG failure makes sense for
> both equal and diametrically opposite values.  When comparing SOA
> serials for AXFR (perhaps not something unbound ever needs to do),
> a pair of equal values would of course be treated differently than
> a pair of diametrically opposite values.
> 

Yes you are correct, I have put in a fix in the code.  The fix is based
on code that is present in NSD (that uses unsigned numbers as you suggest).

Thank you for pointing this out, it is much better to use -O2 with clang.

Best regards, Wouter


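The comparison discussed in this thread, written out as an added example (this is not code from the thread, from Unbound or from NSD; the function names `serial_compare`, `rrsig_window_ok` and `naive_window_ok` and the sample timestamps are constructed for illustration). It implements the stricter `<=` condition proposed above, rejects equal and diametrically opposite values, and shows where the signed comparison that a compiler may substitute for the overflowing code gives the wrong answer:

```c
#include <stdint.h>
#include <stdio.h>

/* RFC 1982 serial number comparison on 32-bit wraparound values.
 * Returns 1 if a > b, -1 if a < b, and 0 when a == b or the two
 * values are diametrically opposite (2^31 apart), which RFC 1982
 * leaves undefined and which callers must treat as a failure. */
static int serial_compare(uint32_t a, uint32_t b)
{
    uint32_t d1 = a - b;  /* well-defined: unsigned wraps mod 2^32 */
    uint32_t d2 = b - a;
    if (d1 == d2)
        return 0;         /* d1 == d2 == 0, or d1 == d2 == 2^31 */
    return d1 < d2 ? 1 : -1;
}

/* RRSIG validity window check using the stricter condition from the
 * thread: fail when (incep - expi) <= (expi - incep), i.e. inception
 * is after expiration, equal to it, or incomparable.
 * Returns 1 when the window is well-formed, 0 when it must fail. */
static int rrsig_window_ok(uint32_t incep, uint32_t expi)
{
    if ((incep - expi) <= (expi - incep))
        return 0;
    return 1;
}

/* What the brittle signed code collapses to once the compiler rewrites
 * "incep - expi > 0" as "incep > expi" (two's complement assumed for
 * the cast). Included only to show where it diverges. */
static int naive_window_ok(uint32_t incep, uint32_t expi)
{
    return (int32_t)incep > (int32_t)expi ? 0 : 1;
}

int main(void)
{
    /* Constructed timestamps: a window that straddles 2^31. Serial
     * arithmetic says expiration is 0x200 seconds after inception;
     * the signed rewrite sees a huge positive vs. a huge negative. */
    uint32_t incep = 0x7FFFFF00u, expi = 0x80000100u;
    printf("serial_compare(expi, incep) = %d\n", serial_compare(expi, incep));
    printf("rrsig_window_ok = %d, naive_window_ok = %d\n",
           rrsig_window_ok(incep, expi), naive_window_ok(incep, expi));
    /* Equal and diametrically opposite pairs must both fail. */
    printf("equal -> %d, opposite -> %d\n",
           rrsig_window_ok(5u, 5u), rrsig_window_ok(0u, 0x80000000u));
    return 0;
}
```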
