Issue: Name huawei.com (SOA) not subdomain of zone cloud.huawei.com -- invalid response

Jesus Cea jcea at jcea.es
Thu Jun 1 23:52:36 UTC 2023


On 1/6/23 17:00, Ondřej Surý wrote:
>  From top of my head - try disabling QNAME minimization.

I don't see the relevance but I tried "qname-minimization off" in my 
configuration. No changes, I still see the SERVFAIL.

I insist this is not a bug in BIND. The original domain is 
misconfigured. But this misconfiguration is pretty common and resolvers 
like 8.8.8.8, 1.1.1.1, 9.9.9.9 just ignore the issue and provide a nice 
(and wrong, I agree) "NOERROR" reply. They are faulty, not BIND. But my 
clients do not agree: "it works fine with google/cloudflare/infoblox, 
you give back a SERVFAIL, goodbye until you fix it, rookie!".

You can see the issue yourself doing:

     dig -t AAAA @YOUR_DNS_SERVER_IP oauth-login.cloud.huawei.com

If you are using BIND you will see a SERVFAIL. Then try with 8.8.8.8, 
1.1.1.1, 9.9.9.9 and whatever other open DNS resolver you know about. 
Compare the results.

All big ISP resolvers I tried in Spain give back a NOERROR. Universities 
too.

This issue was described perfectly in this mailing list a couple of 
years ago: 
https://lists.isc.org/pipermail/bind-users/2021-January/104064.html

This huawei misconfiguration is quite common around and since big DNS 
players just accept it, I am having a quite hard time defending that 
BIND is actually doing the right thing.

For instance, a few examples from my logs (only a few seconds of them!). 
There are MANY MANY more. Try requesting AAAA for these (using your BIND 
server and 8.8.8.8):

aes.orange.es
api.mediago.io
appmimovistar.movistar.es
eneotecnologia.com
epns.eset.com
t3pub.movistar.es
trace-eu.mediago.io
trace.mediago.io

I can provide a quite long list if requested.

Studying the source code, I see this in "lib/dns/resolver.c":

"""
     if (!dns_name_issubdomain(&fctx->name, &fctx->domain)) {
         dns_name_format(&fctx->domain, buf, sizeof(buf));
         UNEXPECTED_ERROR(__FILE__, __LINE__,
                  "'%s' is not subdomain of '%s'", fctx->info,
                  buf);
         result = ISC_R_UNEXPECTED;
         goto cleanup_fcount;
     }
"""

Nothing there looks like it can be configured, besides just deleting that 
code and recompiling.

There is QNAME minimization code further down the same function, but 
execution doesn't reach it; the error is generated before getting there. So 
no, "qname-minimization off" doesn't solve this.

-- 
Jesús Cea Avión                         _/_/      _/_/_/        _/_/_/
jcea at jcea.es - https://www.jcea.es/    _/_/    _/_/  _/_/    _/_/  _/_/
Twitter: @jcea                        _/_/    _/_/          _/_/_/_/_/
jabber / xmpp:jcea at jabber.org  _/_/  _/_/    _/_/          _/_/  _/_/
"Things are not so easy"      _/_/  _/_/    _/_/  _/_/    _/_/  _/_/
"My name is Dump, Core Dump"   _/_/_/        _/_/_/      _/_/  _/_/
"Love is putting your happiness in the happiness of another" - Leibniz
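An added example, not part of the message above and not BIND's own code: a Python model of the resolver check quoted from "lib/dns/resolver.c", applied to the case in the subject line (zone cloud.huawei.com answering with an SOA for huawei.com). The names in the sample are the ones from the thread plus a constructed consistent case; the function names are mine.

```python
"""Model of BIND's 'name is not subdomain of zone' check (added example)."""


def _labels(name: str) -> list:
    """Split a DNS name into lower-cased labels; the root label is omitted."""
    name = name.rstrip(".").lower()
    return name.split(".") if name else []


def is_subdomain(name: str, domain: str) -> bool:
    """True if `name` equals `domain` or lies below it (the dns_name_issubdomain rule).

    Comparison is label-wise and case-insensitive, so 'notexample.net' is
    NOT a subdomain of 'example.net' even though it ends with that string.
    """
    n, d = _labels(name), _labels(domain)
    return len(n) >= len(d) and n[len(n) - len(d):] == d


def check_negative_response(qname: str, zone: str, soa_owner: str) -> tuple:
    """Apply the resolver's rule to a negative (NODATA/NXDOMAIN) reply.

    `zone` is the delegation the resolver followed to reach the authoritative
    servers; `soa_owner` is the owner name of the SOA they put in the
    authority section. Returns ('accept', reason) or ('servfail', reason);
    the latter is the log line the poster sees, while lenient resolvers
    simply hand back NOERROR.
    """
    if not is_subdomain(qname, zone):
        return ("servfail", "'%s' is not subdomain of '%s'" % (qname, zone))
    if not is_subdomain(soa_owner, zone):
        return ("servfail", "Name %s (SOA) not subdomain of zone %s -- invalid response"
                % (soa_owner, zone))
    return ("accept", "SOA owner lies inside the delegated zone")


# Constructed sample: the case from the thread, and a well-formed one for contrast.
SAMPLE_REPLIES = [
    ("oauth-login.cloud.huawei.com.", "cloud.huawei.com.", "huawei.com."),
    ("www.example.net.", "example.net.", "example.net."),  # constructed
]

if __name__ == "__main__":
    for qname, zone, soa in SAMPLE_REPLIES:
        verdict, reason = check_negative_response(qname, zone, soa)
        print("%-30s -> %-8s %s" % (qname, verdict, reason))
```

Run it against a zone you operate: if the SOA you return for a NODATA answer is the parent zone's SOA, BIND resolvers will SERVFAIL exactly as described in the message.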
