BIND retries w/o edns=0 on servfail response

Daniel Stirnimann daniel.stirnimann at switch.ch
Thu Dec 8 07:43:58 UTC 2016


Hello all,

I've been wondering for years why I get occasional log messages like the
following:

07-Dec-2016 21:06:53.783 dnssec: info:   validating abuse.ch/SOA: got
insecure response; parent indicates it should be secure
07-Dec-2016 21:07:02.984 dnssec: info:   validating abuse.ch/SOA: got
insecure response; parent indicates it should be secure

Note that this is not related to abuse.ch but actually happens frequently to
many other signed zones such as arpa and others.

I started looking into the abuse.ch case specifically and noticed that
if a BIND resolver receives a SERVFAIL response from an authoritative name
server it will retry without EDNS0 (and therefore without the DO bit), and if
this response succeeds then we have an unsigned response which BIND cannot
validate, so it logs a message as above. See below for some traffic
capture details.

BIND already knows that the expected response for abuse.ch needs to be
signed. So, I wonder if it is a good solution to retry without EDNS0.
Maybe BIND should vary the retry logic depending on whether it expects a
signed response or not. For signed zones, it should retry with the
original request again and maybe then give up, no?

The resolver in question runs BIND 9.11.0-P1.

Thank you,
Daniel



No.     Time                          Source                Destination           Protocol Length Info
  28680 2016-12-07 21:06:53.599895    130.59.118.78         208.78.70.4           DNS      112    Standard query 0x8949 A 175.106.143.94.drone.abuse.ch OPT

Internet Protocol Version 4, Src: 130.59.118.78, Dst: 208.78.70.4
User Datagram Protocol, Src Port: 36066, Dst Port: 53
Domain Name System (query)
    [Response In: 28681]
    Transaction ID: 0x8949
    Flags: 0x0000 Standard query
        0... .... .... .... = Response: Message is a query
        .000 0... .... .... = Opcode: Standard query (0)
        .... ..0. .... .... = Truncated: Message is not truncated
        .... ...0 .... .... = Recursion desired: Don't do query recursively
        .... .... .0.. .... = Z: reserved (0)
        .... .... ...0 .... = Non-authenticated data: Unacceptable
    Questions: 1
    Answer RRs: 0
    Authority RRs: 0
    Additional RRs: 1
    Queries
        175.106.143.94.drone.abuse.ch: type A, class IN
            Name: 175.106.143.94.drone.abuse.ch
            [Name Length: 29]
            [Label Count: 7]
            Type: A (Host Address) (1)
            Class: IN (0x0001)
    Additional records
        <Root>: type OPT
            Name: <Root>
            Type: OPT (41)
            UDP payload size: 4096
            Higher bits in extended RCODE: 0x00
            EDNS0 version: 0
            Z: 0x8000
                1... .... .... .... = DO bit: Accepts DNSSEC security RRs
                .000 0000 0000 0000 = Reserved: 0x0000
            Data length: 12
            Option: COOKIE

No.     Time                          Source                Destination           Protocol Length Info
  28681 2016-12-07 21:06:53.765172    208.78.70.4           130.59.118.78         DNS      93     Standard query response 0x8949 Server failure A 175.106.143.94.drone.abuse.ch

802.1Q Virtual LAN, PRI: 1, CFI: 0, ID: 0
Internet Protocol Version 4, Src: 208.78.70.4, Dst: 130.59.118.78
User Datagram Protocol, Src Port: 53, Dst Port: 36066
Domain Name System (response)
    [Request In: 28680]
    [Time: 0.165277000 seconds]
    Transaction ID: 0x8949
    Flags: 0x8002 Standard query response, Server failure
        1... .... .... .... = Response: Message is a response
        .000 0... .... .... = Opcode: Standard query (0)
        .... .0.. .... .... = Authoritative: Server is not an authority for domain
        .... ..0. .... .... = Truncated: Message is not truncated
        .... ...0 .... .... = Recursion desired: Don't do query recursively
        .... .... 0... .... = Recursion available: Server can't do recursive queries
        .... .... .0.. .... = Z: reserved (0)
        .... .... ..0. .... = Answer authenticated: Answer/authority portion was not authenticated by the server
        .... .... ...0 .... = Non-authenticated data: Unacceptable
        .... .... .... 0010 = Reply code: Server failure (2)
    Questions: 1
    Answer RRs: 0
    Authority RRs: 0
    Additional RRs: 0
    Queries
        175.106.143.94.drone.abuse.ch: type A, class IN
            Name: 175.106.143.94.drone.abuse.ch
            [Name Length: 29]
            [Label Count: 7]
            Type: A (Host Address) (1)
            Class: IN (0x0001)



No.     Time                          Source                Destination           Protocol Length Info
  28682 2016-12-07 21:06:53.765385    130.59.118.78         208.78.70.4           DNS      89     Standard query 0x8388 A 175.106.143.94.drone.abuse.ch

Internet Protocol Version 4, Src: 130.59.118.78, Dst: 208.78.70.4
User Datagram Protocol, Src Port: 60678, Dst Port: 53
Domain Name System (query)
    [Response In: 28683]
    Transaction ID: 0x8388
    Flags: 0x0000 Standard query
        0... .... .... .... = Response: Message is a query
        .000 0... .... .... = Opcode: Standard query (0)
        .... ..0. .... .... = Truncated: Message is not truncated
        .... ...0 .... .... = Recursion desired: Don't do query recursively
        .... .... .0.. .... = Z: reserved (0)
        .... .... ...0 .... = Non-authenticated data: Unacceptable
    Questions: 1
    Answer RRs: 0
    Authority RRs: 0
    Additional RRs: 0
    Queries
        175.106.143.94.drone.abuse.ch: type A, class IN
            Name: 175.106.143.94.drone.abuse.ch
            [Name Length: 29]
            [Label Count: 7]
            Type: A (Host Address) (1)
            Class: IN (0x0001)

No.     Time                          Source                Destination           Protocol Length Info
  28683 2016-12-07 21:06:53.783538    208.78.70.4           130.59.118.78         DNS      156    Standard query response 0x8388 No such name A 175.106.143.94.drone.abuse.ch SOA ns1.p04.dynect.net

802.1Q Virtual LAN, PRI: 1, CFI: 0, ID: 0
Internet Protocol Version 4, Src: 208.78.70.4, Dst: 130.59.118.78
User Datagram Protocol, Src Port: 53, Dst Port: 60678
Domain Name System (response)
    [Request In: 28682]
    [Time: 0.018153000 seconds]
    Transaction ID: 0x8388
    Flags: 0x8403 Standard query response, No such name
        1... .... .... .... = Response: Message is a response
        .000 0... .... .... = Opcode: Standard query (0)
        .... .1.. .... .... = Authoritative: Server is an authority for domain
        .... ..0. .... .... = Truncated: Message is not truncated
        .... ...0 .... .... = Recursion desired: Don't do query recursively
        .... .... 0... .... = Recursion available: Server can't do recursive queries
        .... .... .0.. .... = Z: reserved (0)
        .... .... ..0. .... = Answer authenticated: Answer/authority portion was not authenticated by the server
        .... .... ...0 .... = Non-authenticated data: Unacceptable
        .... .... .... 0011 = Reply code: No such name (3)
    Questions: 1
    Answer RRs: 0
    Authority RRs: 1
    Additional RRs: 0
    Queries
        175.106.143.94.drone.abuse.ch: type A, class IN
            Name: 175.106.143.94.drone.abuse.ch
            [Name Length: 29]
            [Label Count: 7]
            Type: A (Host Address) (1)
            Class: IN (0x0001)
    Authoritative nameservers
        abuse.ch: type SOA, class IN, mname ns1.p04.dynect.net
            Name: abuse.ch
            Type: SOA (Start Of a zone of Authority) (6)
            Class: IN (0x0001)
            Time to live: 1800
            Data length: 51
            Primary name server: ns1.p04.dynect.net
            Responsible authority's mailbox: dnsadmin.abuse.ch
            Serial Number: 2016120100
            Refresh Interval: 3600 (1 hour)
            Retry Interval: 600 (10 minutes)
            Expire limit: 604800 (7 days)
            Minimum TTL: 1800 (30 minutes)

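To make the two queries in the capture concrete, here is a stdlib-only Python example, added here and not part of Daniel's post or of BIND itself: it builds the EDNS0/DO query and the plain retry on the wire, parses the OPT state back out of each message, and flags the SERVFAIL-then-no-EDNS sequence the capture shows. The qname, transaction IDs and UDP payload size are taken from the capture; the 12-byte COOKIE option content is constructed, since the capture shows only its length, and `servfail_for` is a minimal stand-in for the authoritative server's reply.

```python
import struct

def encode_name(name: str) -> bytes:
    """Wire-encode a domain name as length-prefixed labels plus the root terminator."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"

def read_name(msg: bytes, off: int):
    """Decode the name at msg[off], following compression pointers; returns (name, next offset)."""
    labels = []
    while (l := msg[off]) and l & 0xC0 != 0xC0:
        labels.append(msg[off + 1:off + 1 + l].decode())
        off += 1 + l
    if l:  # 2-byte compression pointer: the rest of the name lives at the 14-bit offset
        labels.append(read_name(msg, struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF)[0])
        return ".".join(labels), off + 2
    return ".".join(labels), off + 1

def build_query(txid: int, qname: str, edns: bool = True, do: bool = True,
                payload: int = 4096, options: bytes = b"") -> bytes:
    """Query for <qname>/IN/A. With edns=False there is no OPT RR and therefore no DO bit."""
    msg = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 1 if edns else 0)
    msg += encode_name(qname) + struct.pack("!HH", 1, 1)
    if edns:  # OPT RR (RFC 6891): root name, TYPE 41, CLASS = UDP payload size,
        # TTL = ext-RCODE | version | DO (0x8000) | Z, then RDATA holding the options.
        msg += b"\x00" + struct.pack("!HHIH", 41, payload, 0x8000 if do else 0, len(options)) + options
    return msg

def servfail_for(query: bytes) -> bytes:
    """Constructed SERVFAIL echoing the question; like the captured one it carries no OPT RR."""
    _, end = read_name(query, 12)
    return query[:2] + struct.pack("!HHHHH", 0x8002, 1, 0, 0, 0) + query[12:end + 4]

def describe(msg: bytes) -> dict:
    """Header, question name and EDNS state of a message (assumes a single question)."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    qname, off = read_name(msg, 12)
    info = {"txid": txid, "rcode": flags & 0xF, "qname": qname, "edns": False, "do": False, "payload": 512}
    off += 4  # skip QTYPE + QCLASS
    for _ in range(an + ns + ar):
        _, off = read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == 41:
            info.update(edns=True, do=bool(ttl & 0x8000), payload=rclass)
    return info

def is_edns_fallback(query: bytes, response: bytes, retry: bytes) -> bool:
    """The captured sequence: EDNS/DO query -> SERVFAIL -> same name re-asked without EDNS."""
    q, r, n = describe(query), describe(response), describe(retry)
    return q["edns"] and r["txid"] == q["txid"] and r["rcode"] == 2 and n["qname"] == q["qname"] and not n["edns"]
```

With a 14-byte Ethernet header and no VLAN tag on the outgoing frames, the 112- and 89-byte query frames in the capture carry 70 and 47 bytes of DNS payload, which is exactly what `build_query` produces with and without the OPT record.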