Hi Hauke,

This behaviour is caused by the same bug as reported in bugzilla ticket #4147, for which I just committed a fix.

Thanks for reporting,

--
Ralph

On 15-08-18 01:46, Hauke Lampe via Unbound-users wrote:
> Hi.
>
> I read reports about qname minimisation and SERVFAIL responses in the
> list archive, but maybe this is different.
>
> For me, the problem is NXDOMAIN responses for a CNAME query where the
> CNAME itself exists but its target does not and the record is not in the
> cache. Unbound version is 1.7.3.
>
> I'm a bit unclear on what the correct response to explicit CNAME queries
> should be. The queries are made by a script to find the right hostname
> for dynamic updates.
>
> On an empty cache, the query returns NXDOMAIN with the CNAME in the
> answer section:
>
> | # unbound-control flush_zone openchaos.org
> | ok removed 31 rrsets, 12 messages and 4 key entries
> |
> | # dig _acme-challenge.dnsdist.openchaos.org. CNAME @10.42.22.4
> |
> | ; <<>> DiG 9.13.2 <<>> _acme-challenge.dnsdist.openchaos.org. CNAME
> | ;; global options: +cmd
> | ;; Got answer:
> | ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 23947
> | ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
> |
> | ;; OPT PSEUDOSECTION:
> | ; EDNS: version: 0, flags:; udp: 65432
> | ;; QUESTION SECTION:
> | ;_acme-challenge.dnsdist.openchaos.org. IN CNAME
> |
> | ;; ANSWER SECTION:
> | _acme-challenge.dnsdist.openchaos.org. 3600 IN CNAME dnsdist._acme-challenge.openchaos.org.
> |
> | ;; AUTHORITY SECTION:
> | _acme-challenge.openchaos.org. 60 IN SOA ns2.hauke-lampe.de. hostmaster.hauke-lampe.de. 13 86400 10800 604800 60
>
> The _acme-challenge subdomain is unsigned, so I guess that explains the
> "DNSSEC LAME" messages in the log? Why is unbound trying to follow the
> CNAME, anyway?
>
> | unbound: 10.42.22.4 _acme-challenge.dnsdist.openchaos.org. CNAME IN
> | unbound: resolving _acme-challenge.dnsdist.openchaos.org. CNAME IN
> | unbound: resolving org. DNSKEY IN
> | unbound: response for _acme-challenge.dnsdist.openchaos.org. CNAME IN
> | unbound: reply from <org.> 199.19.53.1#53
> | unbound: query response was REFERRAL
> | unbound: resolving openchaos.org. DNSKEY IN
> | unbound: response for _acme-challenge.dnsdist.openchaos.org. CNAME IN
> | unbound: reply from <openchaos.org.> 2a01:4f8:141:282::e:1#53
> | unbound: query response was ANSWER
> | unbound: response for _acme-challenge.dnsdist.openchaos.org. CNAME IN
> | unbound: reply from <openchaos.org.> 85.10.240.254#53
> | unbound: query response was CNAME
> | unbound: resolving _acme-challenge.dnsdist.openchaos.org. CNAME IN
> | unbound: response for _acme-challenge.dnsdist.openchaos.org. CNAME IN
> | unbound: reply from <openchaos.org.> 2a01:4f8:141:282::e:1#53
> | unbound: query response was DNSSEC LAME
> | unbound: response for openchaos.org. DNSKEY IN
> | unbound: reply from <openchaos.org.> 89.18.172.35#53
> | unbound: query response was ANSWER
> | unbound: response for _acme-challenge.dnsdist.openchaos.org. CNAME IN
> | unbound: reply from <openchaos.org.> 2400:6180:0:d0::12:6002#53
> | unbound: query response was REFERRAL
> | unbound: response for _acme-challenge.dnsdist.openchaos.org. CNAME IN
> | unbound: reply from <_acme-challenge.openchaos.org.> 85.10.240.254#53
> | unbound: query response was NXDOMAIN ANSWER
> | unbound: validated DS openchaos.org. DS IN
> | unbound: resolving openchaos.org. DNSKEY IN
> | unbound: validated DNSKEY openchaos.org. DNSKEY IN
> | unbound: validate(cname): sec_status_secure
> | unbound: NSEC RRset for the referral proved no DS.
> | unbound: Verified that unsigned response is INSECURE
>
>
> A while later, the same query results in NOERROR (+ad flag) from the cache:
>
> | # dig _acme-challenge.dnsdist.openchaos.org. CNAME @10.42.22.4
> |
> | ; <<>> DiG 9.13.2 <<>> _acme-challenge.dnsdist.openchaos.org. CNAME
> | ;; global options: +cmd
> | ;; Got answer:
> | ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17071
> | ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
> |
> | ;; OPT PSEUDOSECTION:
> | ; EDNS: version: 0, flags:; udp: 65432
> | ;; QUESTION SECTION:
> | ;_acme-challenge.dnsdist.openchaos.org. IN CNAME
> |
> | ;; ANSWER SECTION:
> | _acme-challenge.dnsdist.openchaos.org. 3426 IN CNAME dnsdist._acme-challenge.openchaos.org.
>
> | unbound: 10.42.22.4 _acme-challenge.dnsdist.openchaos.org. CNAME IN
> | unbound: resolving _acme-challenge.dnsdist.openchaos.org. CNAME IN
> | unbound: validate(positive): sec_status_secure
> | unbound: validation success _acme-challenge.dnsdist.openchaos.org. CNAME IN
>
>
> With qname-minimisation disabled, the answer is always NOERROR. The log
> suggests that unbound doesn't even try to follow the CNAME:
>
> | unbound: 10.42.22.4 _acme-challenge.dnsdist.openchaos.org. CNAME IN
> | unbound: resolving _acme-challenge.dnsdist.openchaos.org. CNAME IN
> | unbound: resolving org. DNSKEY IN
> | unbound: response for _acme-challenge.dnsdist.openchaos.org. CNAME IN
> | unbound: reply from <org.> 2001:500:40::1#53
> | unbound: query response was REFERRAL
> | unbound: resolving openchaos.org. DNSKEY IN
> | unbound: response for _acme-challenge.dnsdist.openchaos.org. CNAME IN
> | unbound: reply from <openchaos.org.> 85.10.240.254#53
> | unbound: query response was ANSWER
> | unbound: validated DS openchaos.org. DS IN
> | unbound: response for openchaos.org. DNSKEY IN
> | unbound: reply from <openchaos.org.> 2605:6400:2:fed5:22:0:febc:b1d0#53
> | unbound: query response was ANSWER
> | unbound: validated DNSKEY openchaos.org. DNSKEY IN
> | unbound: validate(positive): sec_status_secure
> | unbound: validation success _acme-challenge.dnsdist.openchaos.org. CNAME IN
>
> ( BIND 9.13.2 with "qname-minimization strict" also returns NOERROR )
>
>
> Hauke.
>
>
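An added example, not part of the thread and not Unbound's or BIND's code: a small dig-output parser plus a consistency check that a script like the one Hauke describes (looking up the CNAME for a name before a dynamic update) could use to spot the symptom above. It flags the combination "explicit CNAME query, rcode NXDOMAIN, but a CNAME for the queried name in the answer section", so the caller can log it and still read the target from the answer section instead of trusting the rcode alone. The two captures are condensed from the dig transcripts quoted in the report and embedded here so the script runs offline; the function names `parse_dig`, `check_explicit_cname` and `cname_target` are my own.

```python
import re

# Captures condensed from the two dig transcripts quoted in the report above.
# They are embedded here for an offline run; nothing is fetched from the network.
NXDOMAIN_CAPTURE = """\
; <<>> DiG 9.13.2 <<>> _acme-challenge.dnsdist.openchaos.org. CNAME
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 23947
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65432
;; QUESTION SECTION:
;_acme-challenge.dnsdist.openchaos.org. IN CNAME

;; ANSWER SECTION:
_acme-challenge.dnsdist.openchaos.org. 3600 IN CNAME dnsdist._acme-challenge.openchaos.org.

;; AUTHORITY SECTION:
_acme-challenge.openchaos.org. 60 IN SOA ns2.hauke-lampe.de. hostmaster.hauke-lampe.de. 13 86400 10800 604800 60
"""

NOERROR_CAPTURE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17071
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;_acme-challenge.dnsdist.openchaos.org. IN CNAME

;; ANSWER SECTION:
_acme-challenge.dnsdist.openchaos.org. 3426 IN CNAME dnsdist._acme-challenge.openchaos.org.
"""

HEADER_RE = re.compile(r"status: (\w+), id: (\d+)")
FLAGS_RE = re.compile(r";; flags: ([a-z ]*);")


def parse_dig(text):
    """Extract rcode, header flags, the question and the answer RRs from dig text output."""
    resp = {"status": None, "flags": set(), "question": None, "answers": []}
    section = None
    for line in text.splitlines():
        line = line.strip()
        m = HEADER_RE.search(line)
        if m:
            resp["status"] = m.group(1)
            continue
        m = FLAGS_RE.match(line)
        if m:
            resp["flags"] = set(m.group(1).split())
            continue
        if line.startswith(";; ") and line.endswith("SECTION:"):
            section = line[3:-len(" SECTION:")]  # "QUESTION", "ANSWER", "AUTHORITY", ...
            continue
        if not line or line.startswith(";;"):
            continue
        if section == "QUESTION" and line.startswith(";"):
            name, _cls, rtype = line[1:].split()
            resp["question"] = (name.lower(), rtype)
        elif section == "ANSWER":
            fields = line.split(None, 4)  # owner ttl class type rdata
            if len(fields) == 5:
                name, ttl, _cls, rtype, rdata = fields
                resp["answers"].append((name.lower(), int(ttl), rtype, rdata))
    return resp


def cname_target(resp):
    """Return the CNAME target for the queried name from the answer section, or None."""
    qname = resp["question"][0] if resp["question"] else None
    for name, _ttl, rtype, rdata in resp["answers"]:
        if name == qname and rtype == "CNAME":
            return rdata
    return None


def check_explicit_cname(resp):
    """Classify the response to an explicit CNAME query.

    "ok"           NOERROR and a CNAME for the queried name is present
    "inconsistent" NXDOMAIN rcode although a CNAME for the queried name was
                   returned (the symptom reported above: the name exists)
    "nxdomain"     NXDOMAIN and no CNAME for the name (the name really is absent)
    "other"        anything else (SERVFAIL, a non-CNAME question, ...)
    """
    _qname, qtype = resp["question"] or (None, None)
    if qtype != "CNAME":
        return "other"
    has_cname = cname_target(resp) is not None
    if resp["status"] == "NOERROR" and has_cname:
        return "ok"
    if resp["status"] == "NXDOMAIN":
        return "inconsistent" if has_cname else "nxdomain"
    return "other"


if __name__ == "__main__":
    for label, capture in (("empty cache", NXDOMAIN_CAPTURE), ("cached", NOERROR_CAPTURE)):
        r = parse_dig(capture)
        print(label, r["status"], sorted(r["flags"]), check_explicit_cname(r), cname_target(r))
```

Run against a live resolver by piping `dig <name> CNAME @<resolver>` into `parse_dig`. An "inconsistent" verdict is worth logging with the resolver version: it is what the empty-cache transcript above produces, and it disappears on the cached answer and with qname minimisation disabled, which is exactly the pattern that identified this as a resolver bug rather than a zone problem.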
