Hi,

we are tracking/debugging [1][2] an issue that results in the failure of
certificate renewal (ACME DNS challenge).

If you ask unbound 1.17.1 the query shown below when it has an empty cache you get an NXDOMAIN reply, if you ask it again you will get the actual expected answer (NOERROR), PowerDNS Recursor does not have that issue.

Investigating the DNS traffic has also shown that
the stub -> unbound CNAME query results in an unbound -> authoritative A qtype query instead of a CNAME query.

Can you reproduce this issue and confirm this is unexpected?

thanks!
Christoph


dig _acme-challenge.bender-doh.applied-privacy.net CNAME

; <<>> DiG 9.18.13 <<>> _acme-challenge.bender-doh.applied-privacy.net CNAME
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 20502
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;_acme-challenge.bender-doh.applied-privacy.net.        IN CNAME

;; ANSWER SECTION:
_acme-challenge.bender-doh.applied-privacy.net. 86400 IN CNAME bender-doh.acme-dns-challenge.applied-privacy.net.

;; AUTHORITY SECTION:
acme-dns-challenge.applied-privacy.net. 300 IN SOA get.desec.io. get.desec.io. 2023035286 86400 3600 2419200 3600

;; Query time: 114 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; MSG SIZE  rcvd: 167


#############################
query (stub -> recursor):
#############################

Internet Protocol Version 4, Src: 127.0.0.1, Dst: 127.0.0.1
Domain Name System (query)
    Transaction ID: 0x5016
    Flags: 0x0120 Standard query
    Questions: 1
    Answer RRs: 0
    Authority RRs: 0
    Additional RRs: 1
    Queries
        _acme-challenge.bender-doh.applied-privacy.net: type CNAME, class IN
            Name: _acme-challenge.bender-doh.applied-privacy.net
            [Name Length: 46]
            [Label Count: 4]
            Type: CNAME (Canonical NAME for an alias) (5)
            Class: IN (0x0001)
    Additional records


#############################
response (unbound -> stub)
#############################

Domain Name System (response)
    Transaction ID: 0x5016
    Flags: 0x81a3 Standard query response, No such name
    Questions: 1
    Answer RRs: 1
    Authority RRs: 1
    Additional RRs: 1
    Queries
        _acme-challenge.bender-doh.applied-privacy.net: type CNAME, class IN
            Name: _acme-challenge.bender-doh.applied-privacy.net
            [Name Length: 46]
            [Label Count: 4]
            Type: CNAME (Canonical NAME for an alias) (5)
            Class: IN (0x0001)
    Answers
    Authoritative nameservers
    Additional records


#############################
query: unbound -> authoritative  qtype: A? (instead of CNAME)
#############################

Internet Protocol Version 6, Dst: 2607:f740:e633:deec::2
User Datagram Protocol, Src Port: 37183, Dst Port: 53
Domain Name System (query)
    Transaction ID: 0x46ba
    Flags: 0x0010 Standard query
    Questions: 1
    Answer RRs: 0
    Authority RRs: 0
    Additional RRs: 1
    Queries
        _ACme-cHallENgE.BeNdEr-DOh.apPLIED-privacY.neT: type A, class IN
            Name: _ACme-cHallENgE.BeNdEr-DOh.apPLIED-privacY.neT
            [Name Length: 46]
            [Label Count: 4]
            Type: A (Host Address) (1)  <<<<<<<<<
            Class: IN (0x0001)
    Additional records
    [Response In: 2688]


#############################
query: authoritative -> unbound
#############################

Domain Name System (response)
    Transaction ID: 0x46ba
    Flags: 0x8403 Standard query response, No such name
    Questions: 1
    Answer RRs: 2
    Authority RRs: 6
    Additional RRs: 1
    Queries
        _ACme-cHallENgE.BeNdEr-DOh.apPLIED-privacY.neT: type A, class IN
            Name: _ACme-cHallENgE.BeNdEr-DOh.apPLIED-privacY.neT
            [Name Length: 46]
            [Label Count: 4]
            Type: A (Host Address) (1)
            Class: IN (0x0001)
    Answers
        _ACme-cHallENgE.BeNdEr-DOh.apPLIED-privacY.neT: type CNAME, class IN, cname bender-doh.acme-dns-challenge.apPLIED-privacY.neT
            Name: _ACme-cHallENgE.BeNdEr-DOh.apPLIED-privacY.neT
            Type: CNAME (Canonical NAME for an alias) (5)
            Class: IN (0x0001)
            Time to live: 86400 (1 day)
            Data length: 32
            CNAME: bender-doh.acme-dns-challenge.apPLIED-privacY.neT
        _ACme-cHallENgE.BeNdEr-DOh.apPLIED-privacY.neT: type RRSIG, class IN
            Name: _ACme-cHallENgE.BeNdEr-DOh.apPLIED-privacY.neT
            Type: RRSIG (Resource Record Signature) (46)
            Class: IN (0x0001)
            Time to live: 86400 (1 day)
            Data length: 103
            Type Covered: CNAME (Canonical NAME for an alias) (5)
            Algorithm: ECDSA Curve P-256 with SHA-256 (13)
            Labels: 4
            Original TTL: 86400 (1 day)
            Signature Expiration: Apr  6, 2023 02:00:00.000000000 CEST
            Signature Inception: Mar 16, 2023 01:00:00.000000000 CET
            Key Tag: 38828
            Signer's name: applied-privacy.net
            Signature: 6ccde8920251717107ff82cbe6edbeda2723c8604f42d6914af643c2a84f5489db8e6972…
    Authoritative nameservers
    Additional records


################################
same query to a PowerDNS Recursor
results in the expected NOERROR
################################

dig @109.70.100.136 _acme-challenge.bender-doh.applied-privacy.net CNAME

; <<>> DiG 9.18.13 <<>> @109.70.100.136 _acme-challenge.bender-doh.applied-privacy.net CNAME
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51569
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;_acme-challenge.bender-doh.applied-privacy.net.        IN CNAME

;; ANSWER SECTION:
_acme-challenge.bender-doh.applied-privacy.net. 86400 IN CNAME bender-doh.acme-dns-challenge.applied-privacy.net.

;; Query time: 40 msec
;; SERVER: 109.70.100.136#53(109.70.100.136) (UDP)
;; MSG SIZE  rcvd: 119


[1] https://mailman.powerdns.com/pipermail/pdns-users/2023-March/028156.html
[2] https://github.com/go-acme/lego/issues/1739
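The following is an added example, not code from Christoph's report, unbound or PowerDNS: a minimal DNS wire-format check that flags the contradictory reply seen above, a response whose rcode is NXDOMAIN (flags 0x81a3, rcode 3) while its answer section carries the very CNAME that was asked for. The sample message is constructed here to mirror the unbound -> stub reply; names are lowercased before comparison so the 0x20-style mixed-case qname in the unbound -> authoritative query compares equal to the plain one.

```python
import struct

def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split(".")) + b"\x00"

def read_name(msg, off):
    """Decode a possibly compressed name at off; return (lowercased name, next offset)."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer, RFC 1035 section 4.1.4
            end = end if jumped else off + 2
            off, jumped = struct.unpack_from("!H", msg, off)[0] & 0x3FFF, True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels).lower() + ".", (end if jumped else off)

def parse_response(msg):
    """Header, question and answer section of a response; authority/additional are skipped."""
    _id, flags, _qd, an, _ns, _ar = struct.unpack_from("!6H", msg, 0)
    qname, off = read_name(msg, 12)
    qtype = struct.unpack_from("!H", msg, off)[0]
    off += 4  # qtype + qclass
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        answers.append((name, rtype))
        off += 10 + rdlen
    return {"rcode": flags & 0xF, "qname": qname, "qtype": qtype, "answers": answers}

def nxdomain_inconsistent(msg):
    """True when rcode is NXDOMAIN (3) yet the answer section holds the very record asked for."""
    r = parse_response(msg)
    return r["rcode"] == 3 and any(a == (r["qname"], r["qtype"]) for a in r["answers"])

def build_cname_response(flags, with_answer=True):
    """Constructed wire message modelled on the unbound -> stub reply (id 0x5016) in the report."""
    msg = struct.pack("!6H", 0x5016, flags, 1, int(with_answer), 0, 0)
    msg += encode_name("_ACme-cHallENgE.BeNdEr-DOh.apPLIED-privacY.neT") + struct.pack("!HH", 5, 1)
    if with_answer:  # owner = pointer to offset 12 (the question name); CNAME IN, TTL 86400
        rdata = encode_name("bender-doh.acme-dns-challenge.applied-privacy.net")
        msg += b"\xC0\x0C" + struct.pack("!HHIH", 5, 1, 86400, len(rdata)) + rdata
    return msg
```

Run `nxdomain_inconsistent(build_cname_response(0x81A3))` to reproduce the flagged case; the same function returns False for a NOERROR reply (0x8180) or for a genuine NXDOMAIN with an empty answer section.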
