CNAME resolution weirdness

Mark Andrews marka at isc.org
Tue Jul 26 06:00:00 UTC 2022
> On 25 Jul 2022, at 19:01, Boian Bonev via bind-users <bind-users at lists.isc.org> wrote:
> 
> Hello,
> 
> For the Devuan project we use a DNS round robin for mirrors - deb.devuan.org.
> Mostly for cleanliness and separation which part is maintained by humans and
> which by tools, there is a separate zone rr.devuan.org fully maintained by
> tools. deb.devuan.org is CNAME of deb.rr.devuan.org, which in turn is the list
> of all up-to-date mirrors' A and AAAA. The master DNS server is not publicly
> visible and the only visible ones are authoritative slaves (for both zones).
> 
> The weird part is that bind is replying with CNAME and AAAA records only (using
> host, because it has shorter output, result is same with other tools):

host really isn’t a good tool for debugging DNS traffic.  Please use DiG which shows
everything.

Running tcpdump shows the multiple queries host makes.  Note the QNAME changes.

% tcpdump -n port 53
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on en0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
01:29:18.983535 IP6 2001:67c:1232:144:6ddf:f5a7:a8a9:b002.54109 > 2a01:9e40::108.53: 44377+ A? deb.devuan.org. (32)
01:29:19.092039 IP6 2a01:9e40::108.53 > 2001:67c:1232:144:6ddf:f5a7:a8a9:b002.54109: 44377*- 1/0/0 CNAME deb.rr.devuan.org. (63)
01:29:19.093033 IP6 2001:67c:1232:144:6ddf:f5a7:a8a9:b002.54607 > 2a01:9e40::108.53: 31302+ AAAA? deb.rr.devuan.org. (35)
01:29:19.201672 IP6 2a01:9e40::108.53 > 2001:67c:1232:144:6ddf:f5a7:a8a9:b002.54607: 31302*- 12/0/0 AAAA 2001:4ca0:4300::1:19, AAAA 2001:e42:102:1704:160:16:137:156, AAAA 2801:82:80ff:8000::2, AAAA 2a01:4f8:140:1102:2b76:955d:b48f:bdf3, AAAA 2a01:4f8:162:7293::14, AAAA 2001:4190:801c:1::150, AAAA 2a01:9e40::180, AAAA 2a02:2a38:1:400:422a:422a:422a:422a, AAAA 2a0a:e5c0:2:2:400:c8ff:fe68:bef3, AAAA 2001:638:a000:1021:21::1, AAAA 2a01:4f9:2a:fa9::2, AAAA 2607:5300:61:95f:7283:11d9:f86:e691 (371)
01:29:19.202469 IP6 2001:67c:1232:144:6ddf:f5a7:a8a9:b002.62000 > 2a01:9e40::108.53: 16829+ MX? deb.rr.devuan.org. (35)
01:29:19.312657 IP6 2a01:9e40::108.53 > 2001:67c:1232:144:6ddf:f5a7:a8a9:b002.62000: 16829*- 0/1/0 (106)

% dig deb.devuan.org @2a01:9e40::108 a

; <<>> DiG 9.19.3-dev <<>> deb.devuan.org @2a01:9e40::108 a
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3669
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 4c881a05e8d0d67e0100000062df7d9d14cff2105c68ceef (good)
;; QUESTION SECTION:
;deb.devuan.org.			IN	A

;; ANSWER SECTION:
deb.devuan.org.		86400	IN	CNAME	deb.rr.devuan.org.

;; Query time: 108 msec
;; SERVER: 2a01:9e40::108#53(2a01:9e40::108) (UDP)
;; WHEN: Tue Jul 26 01:37:33 EDT 2022
;; MSG SIZE  rcvd: 102

%

But given the server is also configured for deb.rr.devuan.org it
should have returned the A records according to RFC 1034.  These
days some implementations don’t restart the query on CNAME if
recursion is not allowed, to reduce accidental cache poisoning when
you are hosting tens of thousands of zones and one that should have
been de-configured hasn’t been.

% dig deb.rr.devuan.org @2a01:9e40::108 a

; <<>> DiG 9.19.3-dev <<>> deb.rr.devuan.org @2a01:9e40::108 a
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49302
;; flags: qr aa rd; QUERY: 1, ANSWER: 15, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 6ab212f392963d8d0100000062df7d7ce4013a042403638f (good)
;; QUESTION SECTION:
;deb.rr.devuan.org.		IN	A

;; ANSWER SECTION:
deb.rr.devuan.org.	1800	IN	A	185.38.15.81
deb.rr.devuan.org.	1800	IN	A	185.203.114.135
deb.rr.devuan.org.	1800	IN	A	131.188.12.211
deb.rr.devuan.org.	1800	IN	A	46.4.50.2
deb.rr.devuan.org.	1800	IN	A	160.16.137.156
deb.rr.devuan.org.	1800	IN	A	200.236.31.1
deb.rr.devuan.org.	1800	IN	A	141.84.43.19
deb.rr.devuan.org.	1800	IN	A	125.228.189.120
deb.rr.devuan.org.	1800	IN	A	95.216.15.86
deb.rr.devuan.org.	1800	IN	A	158.69.153.121
deb.rr.devuan.org.	1800	IN	A	89.174.102.150
deb.rr.devuan.org.	1800	IN	A	5.9.122.185
deb.rr.devuan.org.	1800	IN	A	185.183.113.131
deb.rr.devuan.org.	1800	IN	A	185.178.192.43
deb.rr.devuan.org.	1800	IN	A	195.85.215.180

;; Query time: 109 msec
;; SERVER: 2a01:9e40::108#53(2a01:9e40::108) (UDP)
;; WHEN: Tue Jul 26 01:37:00 EDT 2022
;; MSG SIZE  rcvd: 314

%

Host is assuming RFC 1034 behaviour in the server but it hasn’t got it.
That is why the A RRset is not shown as it doesn’t re-query for it.
Recursive servers will re-query for the CNAME target so in practice
this doesn’t cause major issues.  Host also makes multiple queries
using the CNAME target.

% host -t A deb.devuan.org ns4.devuan.dev
Using domain server:
Name: ns4.devuan.dev
Address: 2a01:9e40::108#53
Aliases: 

deb.devuan.org is an alias for deb.rr.devuan.org.
% 

% host -t AAAA deb.devuan.org ns4.devuan.dev
Using domain server:
Name: ns4.devuan.dev
Address: 2a01:9e40::108#53
Aliases: 

deb.devuan.org is an alias for deb.rr.devuan.org.
% 

> # host deb.devuan.org ns4.devuan.dev
> Using domain server:
> Name: ns4.devuan.dev
> Address: 2a01:9e40::108#53
> Aliases: 
> 
> deb.devuan.org is an alias for deb.rr.devuan.org.
> deb.rr.devuan.org has IPv6 address 2801:82:80ff:8000::2
> deb.rr.devuan.org has IPv6 address 2001:4190:801c:1::150
> deb.rr.devuan.org has IPv6 address 2a0a:e5c0:2:2:400:c8ff:fe68:bef3
> deb.rr.devuan.org has IPv6 address 2a01:4f9:2a:fa9::2
> deb.rr.devuan.org has IPv6 address 2a01:9e40::180
> deb.rr.devuan.org has IPv6 address 2a01:4f8:162:7293::14
> deb.rr.devuan.org has IPv6 address 2001:e42:102:1704:160:16:137:156
> deb.rr.devuan.org has IPv6 address 2a01:4f8:140:1102:2b76:955d:b48f:bdf3
> deb.rr.devuan.org has IPv6 address 2607:5300:61:95f:7283:11d9:f86:e691
> deb.rr.devuan.org has IPv6 address 2001:638:a000:1021:21::1
> deb.rr.devuan.org has IPv6 address 2001:4ca0:4300::1:19
> deb.rr.devuan.org has IPv6 address 2a02:2a38:1:400:422a:422a:422a:422a
> 
> # nslookup -class=CHAOS -type=txt version.bind ns4.devuan.dev
> Server:		ns4.devuan.dev
> Address:	2a01:9e40::108#53
> 
> version.bind	text = "9.16.27-Debian"
> 
> I did check with RFC 1034 and the above does not look like a proper reply as
> per my understanding. If bind does not see itself as auth for rr.devuan.org, it
> should reply only with the CNAME, else it should include the A records too.
> 
> I have tried various options - enabling recursion makes it behave correctly but
> that is not an option for a public DNS. Replacing bind with nsd also fixes the
> behavior. As a side note knot behaves exactly like bind. I would prefer to run
> different software across the slaves. The next thing was to try with the most
> recent Debian package from the testing distribution:
> 
> The only related option in named.conf.options is "recursion no;"
> 
> # host deb.devuan.org 127.0.0.1
> Using domain server:
> Name: 127.0.0.1
> Address: 127.0.0.1#53
> Aliases: 
> 
> deb.devuan.org is an alias for deb.rr.devuan.org.
> deb.rr.devuan.org has IPv6 address 2001:638:a000:1021:21::1
> deb.rr.devuan.org has IPv6 address 2a0a:e5c0:2:2:400:c8ff:fe68:bef3
> deb.rr.devuan.org has IPv6 address 2801:82:80ff:8000::2
> deb.rr.devuan.org has IPv6 address 2001:4ca0:4300::1:19
> deb.rr.devuan.org has IPv6 address 2001:e42:102:1704:160:16:137:156
> deb.rr.devuan.org has IPv6 address 2a01:4f8:162:7293::14
> deb.rr.devuan.org has IPv6 address 2001:878:346::116
> deb.rr.devuan.org has IPv6 address 2001:4190:801c:1::150
> deb.rr.devuan.org has IPv6 address 2a01:4f9:2a:fa9::2
> deb.rr.devuan.org has IPv6 address 2a01:4f8:140:1102:2b76:955d:b48f:bdf3
> deb.rr.devuan.org has IPv6 address 2607:5300:61:95f:7283:11d9:f86:e691
> deb.rr.devuan.org has IPv6 address 2a01:9e40::180
> deb.rr.devuan.org has IPv6 address 2a02:2a38:1:400:422a:422a:422a:422a
> 
> # nslookup -class=CHAOS -type=txt version.bind 127.0.0.1
> Server:		127.0.0.1
> Address:	127.0.0.1#53
> 
> version.bind	text = "9.18.4-2-Debian"
> 
> 
> Please advise what is happening - is that expected behavior, a configuration
> option is missing or there is a bug in bind?
> 
> With best regards,
> b.
> 
> 

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org
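A small model of the two server behaviours discussed in this thread (RFC 1034 "restart the query at the CNAME target" versus answering with the CNAME alone when recursion is off) together with the client-side chase that host performs, as an added example that is not code from the thread, from BIND or from host: `ZONES`, `authoritative_answer` and `client_chase` are hypothetical names, and the zone data is constructed from the names and addresses quoted above.

```python
# Constructed zone data (names and addresses as quoted in the thread); both
# zones are served by the same authoritative, non-recursive server.
ZONES = {
    "devuan.org": [("deb.devuan.org", "CNAME", "deb.rr.devuan.org")],
    "rr.devuan.org": [("deb.rr.devuan.org", "A", "185.38.15.81"),
                      ("deb.rr.devuan.org", "A", "185.203.114.135")],
}

def zone_for(name):
    """Longest-suffix match: the zone on this server that owns name, or None."""
    labels = name.lower().split(".")
    suffixes = [".".join(labels[i:]) for i in range(len(labels))]
    return next((z for z in suffixes if z in ZONES), None)

def lookup(name, qtype):
    """RRs at name of the requested type, plus any CNAME at that owner."""
    zone = zone_for(name)
    return [] if zone is None else [rr for rr in ZONES[zone]
                                    if rr[0] == name.lower() and rr[1] in (qtype, "CNAME")]

def authoritative_answer(qname, qtype, restart_on_cname, max_hops=8):
    """Server side. restart_on_cname=True is RFC 1034 4.3.2 step 3a (append the
    target's RRs while this server is authoritative for the target); False
    answers with the CNAME alone, as the non-recursive BIND in the thread does."""
    answer, name = [], qname
    for _ in range(max_hops):
        rrs = lookup(name, qtype)
        answer += rrs
        cnames = [rr for rr in rrs if rr[1] == "CNAME"]
        if not cnames or qtype == "CNAME" or not restart_on_cname:
            break
        name = cnames[0][2]
        if zone_for(name) is None:   # target lives in someone else's zone
            break
    return answer

def client_chase(qname, qtype, server, max_hops=8):
    """Client side (what host does): re-query the CNAME target, loop-bounded."""
    name, collected, seen = qname, [], set()
    while name not in seen and len(seen) < max_hops:
        seen.add(name)
        rrs = server(name, qtype)
        collected += rrs
        cnames = [rr for rr in rrs if rr[1] == "CNAME"]
        if any(rr[1] == qtype for rr in rrs) or not cnames:
            return collected          # got the requested type, or a dead end
        name = cnames[0][2]
    raise RuntimeError("CNAME loop or chain too long at " + name)
```

Against the non-restarting server the raw answer for deb.devuan.org/A is the CNAME only, exactly as in the dig output above, and only the chasing client ends up with the A RRset; against the restarting server one query already returns both.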