BIND retries w/o edns=0 on servfail response
Daniel Stirnimann
daniel.stirnimann at switch.ch
Thu Dec 8 07:43:58 UTC 2016
Hello all,
I've been wondering for years why I get occasional log messages like the following:

07-Dec-2016 21:06:53.783 dnssec: info: validating abuse.ch/SOA: got insecure response; parent indicates it should be secure
07-Dec-2016 21:07:02.984 dnssec: info: validating abuse.ch/SOA: got insecure response; parent indicates it should be secure

Note, this is not related to abuse.ch but actually happens frequently to many other signed zones such as arpa and others.

I started looking into the abuse.ch case specifically and noticed that if the BIND resolver receives a SERVFAIL response from an authoritative name server, it will retry without EDNS0 (and therefore without the DO bit), and if this response succeeds then we have an unsigned response which BIND cannot validate, and it logs a message as above. See below for some traffic capture details.

BIND already knows that the expected response for abuse.ch needs to be signed. So, I wonder if retrying without EDNS0 is a good solution. Maybe BIND should vary the retry logic depending on whether it expects a signed response or not. For signed zones, it should retry with the original request again and maybe then give up, no?
The resolver in question runs BIND 9.11.0-P1.
Thank you,
Daniel
No. Time Source Destination Protocol Length Info
28680 2016-12-07 21:06:53.599895 130.59.118.78 208.78.70.4 DNS 112 Standard query 0x8949 A 175.106.143.94.drone.abuse.ch OPT
Internet Protocol Version 4, Src: 130.59.118.78, Dst: 208.78.70.4
User Datagram Protocol, Src Port: 36066, Dst Port: 53
Domain Name System (query)
[Response In: 28681]
Transaction ID: 0x8949
Flags: 0x0000 Standard query
0... .... .... .... = Response: Message is a query
.000 0... .... .... = Opcode: Standard query (0)
.... ..0. .... .... = Truncated: Message is not truncated
.... ...0 .... .... = Recursion desired: Don't do query recursively
.... .... .0.. .... = Z: reserved (0)
.... .... ...0 .... = Non-authenticated data: Unacceptable
Questions: 1
Answer RRs: 0
Authority RRs: 0
Additional RRs: 1
Queries
175.106.143.94.drone.abuse.ch: type A, class IN
Name: 175.106.143.94.drone.abuse.ch
[Name Length: 29]
[Label Count: 7]
Type: A (Host Address) (1)
Class: IN (0x0001)
Additional records
<Root>: type OPT
Name: <Root>
Type: OPT (41)
UDP payload size: 4096
Higher bits in extended RCODE: 0x00
EDNS0 version: 0
Z: 0x8000
1... .... .... .... = DO bit: Accepts DNSSEC security RRs
.000 0000 0000 0000 = Reserved: 0x0000
Data length: 12
Option: COOKIE
No. Time Source Destination Protocol Length Info
28681 2016-12-07 21:06:53.765172 208.78.70.4 130.59.118.78 DNS 93 Standard query response 0x8949 Server failure A 175.106.143.94.drone.abuse.ch
802.1Q Virtual LAN, PRI: 1, CFI: 0, ID: 0
Internet Protocol Version 4, Src: 208.78.70.4, Dst: 130.59.118.78
User Datagram Protocol, Src Port: 53, Dst Port: 36066
Domain Name System (response)
[Request In: 28680]
[Time: 0.165277000 seconds]
Transaction ID: 0x8949
Flags: 0x8002 Standard query response, Server failure
1... .... .... .... = Response: Message is a response
.000 0... .... .... = Opcode: Standard query (0)
.... .0.. .... .... = Authoritative: Server is not an authority for domain
.... ..0. .... .... = Truncated: Message is not truncated
.... ...0 .... .... = Recursion desired: Don't do query recursively
.... .... 0... .... = Recursion available: Server can't do recursive queries
.... .... .0.. .... = Z: reserved (0)
.... .... ..0. .... = Answer authenticated: Answer/authority portion was not authenticated by the server
.... .... ...0 .... = Non-authenticated data: Unacceptable
.... .... .... 0010 = Reply code: Server failure (2)
Questions: 1
Answer RRs: 0
Authority RRs: 0
Additional RRs: 0
Queries
175.106.143.94.drone.abuse.ch: type A, class IN
Name: 175.106.143.94.drone.abuse.ch
[Name Length: 29]
[Label Count: 7]
Type: A (Host Address) (1)
Class: IN (0x0001)
No. Time Source Destination Protocol Length Info
28682 2016-12-07 21:06:53.765385 130.59.118.78 208.78.70.4 DNS 89 Standard query 0x8388 A 175.106.143.94.drone.abuse.ch
Internet Protocol Version 4, Src: 130.59.118.78, Dst: 208.78.70.4
User Datagram Protocol, Src Port: 60678, Dst Port: 53
Domain Name System (query)
[Response In: 28683]
Transaction ID: 0x8388
Flags: 0x0000 Standard query
0... .... .... .... = Response: Message is a query
.000 0... .... .... = Opcode: Standard query (0)
.... ..0. .... .... = Truncated: Message is not truncated
.... ...0 .... .... = Recursion desired: Don't do query recursively
.... .... .0.. .... = Z: reserved (0)
.... .... ...0 .... = Non-authenticated data: Unacceptable
Questions: 1
Answer RRs: 0
Authority RRs: 0
Additional RRs: 0
Queries
175.106.143.94.drone.abuse.ch: type A, class IN
Name: 175.106.143.94.drone.abuse.ch
[Name Length: 29]
[Label Count: 7]
Type: A (Host Address) (1)
Class: IN (0x0001)
No. Time Source Destination Protocol Length Info
28683 2016-12-07 21:06:53.783538 208.78.70.4 130.59.118.78 DNS 156 Standard query response 0x8388 No such name A 175.106.143.94.drone.abuse.ch SOA ns1.p04.dynect.net
802.1Q Virtual LAN, PRI: 1, CFI: 0, ID: 0
Internet Protocol Version 4, Src: 208.78.70.4, Dst: 130.59.118.78
User Datagram Protocol, Src Port: 53, Dst Port: 60678
Domain Name System (response)
[Request In: 28682]
[Time: 0.018153000 seconds]
Transaction ID: 0x8388
Flags: 0x8403 Standard query response, No such name
1... .... .... .... = Response: Message is a response
.000 0... .... .... = Opcode: Standard query (0)
.... .1.. .... .... = Authoritative: Server is an authority for domain
.... ..0. .... .... = Truncated: Message is not truncated
.... ...0 .... .... = Recursion desired: Don't do query recursively
.... .... 0... .... = Recursion available: Server can't do recursive queries
.... .... .0.. .... = Z: reserved (0)
.... .... ..0. .... = Answer authenticated: Answer/authority portion was not authenticated by the server
.... .... ...0 .... = Non-authenticated data: Unacceptable
.... .... .... 0011 = Reply code: No such name (3)
Questions: 1
Answer RRs: 0
Authority RRs: 1
Additional RRs: 0
Queries
175.106.143.94.drone.abuse.ch: type A, class IN
Name: 175.106.143.94.drone.abuse.ch
[Name Length: 29]
[Label Count: 7]
Type: A (Host Address) (1)
Class: IN (0x0001)
Authoritative nameservers
abuse.ch: type SOA, class IN, mname ns1.p04.dynect.net
Name: abuse.ch
Type: SOA (Start Of a zone of Authority) (6)
Class: IN (0x0001)
Time to live: 1800
Data length: 51
Primary name server: ns1.p04.dynect.net
Responsible authority's mailbox: dnsadmin.abuse.ch
Serial Number: 2016120100
Refresh Interval: 3600 (1 hour)
Retry Interval: 600 (10 minutes)
Expire limit: 604800 (7 days)
Minimum TTL: 1800 (30 minutes)
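The following is an added example, not code from the post or from BIND: a small model of the exchange in the capture above. A constructed authoritative server answers SERVFAIL to any EDNS0 query and an unsigned NXDOMAIN to a plain query, and two resolver retry policies are compared, the observed one (drop EDNS0 and thus DO on SERVFAIL, ending in the "got insecure response; parent indicates it should be secure" outcome) and the one proposed in the post (keep the original query for a zone the parent marks secure and give up with SERVFAIL). The server behaviour, function names and the "expect_secure" flag are assumptions made for the model.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Query:
    name: str
    edns: bool   # OPT record present (EDNS0)
    do: bool     # DNSSEC OK bit; only carried inside the OPT record

@dataclass(frozen=True)
class Response:
    rcode: str   # "NOERROR", "NXDOMAIN" or "SERVFAIL"
    signed: bool # RRSIG/NSEC present, i.e. the answer can be validated

# Constructed server reproducing the capture: SERVFAIL to any EDNS0 query,
# an unsigned NXDOMAIN to a plain query.
def broken_auth_server(q: Query) -> Response:
    if q.edns:
        return Response("SERVFAIL", signed=False)
    return Response("NXDOMAIN", signed=False)

# Constructed server that honours EDNS0 and signs its answers when DO is set.
def healthy_auth_server(q: Query) -> Response:
    return Response("NXDOMAIN", signed=q.do)

def validate(resp: Response, expect_secure: bool) -> str:
    """Validation outcome, using the wording of BIND's log message."""
    if resp.rcode == "SERVFAIL":
        return "SERVFAIL"
    if resp.signed:
        return "validated"
    if expect_secure:
        return "insecure response; parent indicates it should be secure"
    return "insecure"

def resolve(name: str, server, expect_secure: bool,
            keep_do_on_retry: bool, max_tries: int = 2) -> str:
    """Send EDNS0+DO first; on SERVFAIL apply one of two retry policies.

    keep_do_on_retry=False: observed behaviour, retry without EDNS0 (no DO).
    keep_do_on_retry=True:  proposed behaviour, for a zone the parent marks
                            secure repeat the original query, then give up.
    """
    q = Query(name, edns=True, do=True)
    for _ in range(max_tries):
        resp = server(q)
        if resp.rcode != "SERVFAIL":
            return validate(resp, expect_secure)
        if not (keep_do_on_retry and expect_secure):
            q = Query(name, edns=False, do=False)  # drop EDNS0 on retry
    return "SERVFAIL"
```

With the broken server the observed policy yields the log message from the post, while the proposed policy returns SERVFAIL to the client instead of an unvalidatable answer; the healthy server validates under both policies.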