Observation: BIND 9.18 qname-minimization strict vs dig +trace
Fred Morris
m3047 at m3047.net
Fri Apr 26 17:26:09 UTC 2024
As further data points: with BIND as a caching / recursive resolver, sometimes it
"works" and provides inconsistent AUTHORITY, although anecdata suggests
this is more prevalent with older versions of BIND. In one case BIND
9.12 in fact reports the AUTHORITY as the parent zone, with the parent's
nameservers.
The facts are:
* 191.131.in-addr.arpa is served from awsdns
* It delegates 85.191.131.in-addr.arpa with fs838.click-network.com
and ns102.click-network.com above the zone cut.
* Below the zone cut the nameserver claims to be authoritative for its
parent's zone (191.131.in-addr.arpa) instead of
85.191.131.in-addr.arpa. (In other words it's lame.)
* (Below the zone cut it also erroneously advertises one of its
nameservers as simply ns102. instead of ns102.click-network.com)
* There is no server which actually advertises itself as authoritative
for 85.191.131.in-addr.arpa
9.18.21 with "qname-minimization disabled; minimal-responses no;":
; <<>> DiG 9.18.21 <<>> @127.0.0.1 -x 131.191.85.31
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45088
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1420
; COOKIE: 95f68497698c23e201000000662bd448c6b1f33814567a34 (good)
;; QUESTION SECTION:
;31.85.191.131.in-addr.arpa. IN PTR
;; ANSWER SECTION:
31.85.191.131.in-addr.arpa. 604800 IN PTR flame.m3047.net.
;; AUTHORITY SECTION:
85.191.131.in-addr.arpa. 1799 IN NS ns102.click-network.com.
85.191.131.in-addr.arpa. 1799 IN NS fs838.click-network.com.
;; ADDITIONAL SECTION:
fs838.click-network.com. 172799 IN A 131.191.7.194
ns102.click-network.com. 172799 IN A 131.191.7.12
;; Query time: 1620 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Fri Apr 26 09:20:24 PDT 2024
;; MSG SIZE rcvd: 201
9.12.3 offering two different responses:
; <<>> DiG 9.12.3-P1 <<>> -x 131.191.85.31
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20212
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 5
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1280
; COOKIE: 22623b3f260659f6699dc2ae662bcf96945739b2062b578d (good)
;; QUESTION SECTION:
;31.85.191.131.in-addr.arpa. IN PTR
;; ANSWER SECTION:
31.85.191.131.in-addr.arpa. 183024 IN PTR flame.m3047.net.
;; AUTHORITY SECTION:
191.131.in-addr.arpa. 49595 IN NS ns-986.awsdns-59.net.
191.131.in-addr.arpa. 49595 IN NS ns-7.awsdns-00.com.
191.131.in-addr.arpa. 49595 IN NS ns-1603.awsdns-08.co.uk.
191.131.in-addr.arpa. 49595 IN NS ns-1165.awsdns-17.org.
;; ADDITIONAL SECTION:
ns-7.awsdns-00.com. 106009 IN A 205.251.192.7
ns-986.awsdns-59.net. 110789 IN A 205.251.195.218
ns-1165.awsdns-17.org. 110789 IN A 205.251.196.141
ns-1603.awsdns-08.co.uk. 110789 IN A 205.251.198.67
;; Query time: 1 msec
;; SERVER: 10.0.0.220#53(10.0.0.220)
;; WHEN: Fri Apr 26 09:00:22 PDT 2024
;; MSG SIZE rcvd: 334
----
; <<>> DiG 9.12.3-P1 <<>> -x 131.191.85.31
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42172
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1280
; COOKIE: 166de4c8b3f9b189d0aad8b9662bd608135dc2782eb1138a (good)
;; QUESTION SECTION:
;31.85.191.131.in-addr.arpa. IN PTR
;; ANSWER SECTION:
31.85.191.131.in-addr.arpa. 181374 IN PTR flame.m3047.net.
;; AUTHORITY SECTION:
85.191.131.in-addr.arpa. 1794 IN NS ns102.click-network.com.
85.191.131.in-addr.arpa. 1794 IN NS fs838.click-network.com.
;; ADDITIONAL SECTION:
fs838.click-network.com. 294 IN A 131.191.7.194
ns102.click-network.com. 294 IN A 131.191.7.12
;; Query time: 1 msec
;; SERVER: 10.0.0.220#53(10.0.0.220)
;; WHEN: Fri Apr 26 09:27:52 PDT 2024
;; MSG SIZE rcvd: 201
Housekeeping: the version of DiG shown above also changes, but the difference
is not simply the version of dig:
# dig @127.0.0.1 version.bind ch txt +short
"9.18.21"
# dig version.bind ch txt +short
"9.12.3-P1"
There are other oddities; for instance, the actual authoritative TTL for
the nameservers appears to be 300, not 172799:
# rndc flush
# dig @127.0.0.1 click-network.com ns
; <<>> DiG 9.18.21 <<>> @127.0.0.1 click-network.com ns
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6461
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1420
; COOKIE: 64bf6532b614ec2101000000662be018a98c6134e8cea676 (good)
;; QUESTION SECTION:
;click-network.com. IN NS
;; ANSWER SECTION:
click-network.com. 300 IN NS ns102.
click-network.com. 300 IN NS ns102.click-network.com.
click-network.com. 300 IN NS fs838.click-network.com.
;; ADDITIONAL SECTION:
fs838.click-network.com. 172800 IN A 131.191.7.194
ns102.click-network.com. 172800 IN A 131.191.7.12
;; Query time: 112 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Fri Apr 26 10:10:48 PDT 2024
;; MSG SIZE rcvd: 165
# dig @127.0.0.1 ns102.click-network.com
; <<>> DiG 9.18.21 <<>> @127.0.0.1 ns102.click-network.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10463
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1420
; COOKIE: b75215ce03b76bd301000000662be03e0d2a5a9b6ab5e6d1 (good)
;; QUESTION SECTION:
;ns102.click-network.com. IN A
;; ANSWER SECTION:
ns102.click-network.com. 300 IN A 131.191.7.12
;; AUTHORITY SECTION:
click-network.com. 262 IN NS fs838.click-network.com.
click-network.com. 262 IN NS ns102.click-network.com.
click-network.com. 262 IN NS ns102.
;; ADDITIONAL SECTION:
fs838.click-network.com. 172762 IN A 131.191.7.194
;; Query time: 20 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Fri Apr 26 10:11:26 PDT 2024
;; MSG SIZE rcvd: 165
# dig @ns102.click-network.com ns102.click-network.com +norecurse
; <<>> DiG 9.18.21 <<>> @ns102.click-network.com ns102.click-network.com +norecurse
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18892
;; flags: qr aa ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 4208cbc13560fc4325c45599662be069b466b23a5890f8d2 (good)
;; QUESTION SECTION:
;ns102.click-network.com. IN A
;; ANSWER SECTION:
ns102.click-network.com. 300 IN A 131.191.7.12
;; AUTHORITY SECTION:
click-network.com. 300 IN NS ns102.
click-network.com. 300 IN NS ns102.click-network.com.
click-network.com. 300 IN NS fs838.click-network.com.
;; ADDITIONAL SECTION:
fs838.click-network.com. 300 IN A 131.191.7.194
;; Query time: 24 msec
;; SERVER: 131.191.7.12#53(ns102.click-network.com) (UDP)
;; WHEN: Fri Apr 26 10:12:09 PDT 2024
;; MSG SIZE rcvd: 165
I don't know what broader implications might accrue. Since Rainier
Connect / Lightcurve hasn't seen fit to fix it or get back to me in
nearly a full business week, I suspect they like it this way. However, it
doesn't comport with the principle of least surprise. The City of Tacoma
doesn't seem to care that the licensee operating in a portion of their
/16 is impersonating them (although, as a consequence of the reputation
service they use, they won't accept emails from the block inquiring about
it).
--
Fred Morris
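The lame-delegation check the post walks through by hand (query the parent for the referral, then ask the delegated server and see which zone it actually asserts authority for) can be mechanised. The following is an added example, not code from the post or from ISC: it parses dig-style text output with the standard library only and compares the parent's referral with the delegated server's answer. The three dig transcripts embedded in it are constructed to model the situation described above (a referral for 85.191.131.in-addr.arpa, a server that answers with AA set but puts the parent zone's NS RRset in AUTHORITY and advertises the single-label name `ns102.`, and a consistent answer for comparison); they are not captures from the post.

```python
"""Detect a lame delegation by comparing a parent referral with the
delegated server's own answer, both given as dig text output.

Added example, not from the original post. The transcripts below are
CONSTRUCTED to model the post's description, not real captures.
Standard library only, so it runs offline.
"""
import re

FLAGS_RE = re.compile(r"^;; flags: ([a-z ]*);")
SECTION_RE = re.compile(r"^;; (ANSWER|AUTHORITY|ADDITIONAL) SECTION:")
RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.+)$")

# Constructed: referral the parent (191.131.in-addr.arpa) would hand out.
# No glue, because the click-network.com names are out of bailiwick.
PARENT_REFERRAL = """
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 0
;; QUESTION SECTION:
;31.85.191.131.in-addr.arpa. IN PTR
;; AUTHORITY SECTION:
85.191.131.in-addr.arpa. 1800 IN NS ns102.click-network.com.
85.191.131.in-addr.arpa. 1800 IN NS fs838.click-network.com.
;; Query time: 30 msec
"""

# Constructed: AA is set, but AUTHORITY names the parent zone, and one NS
# target is the bare label "ns102." (the behaviour the post describes).
LAME_CHILD = """
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 0
;; QUESTION SECTION:
;31.85.191.131.in-addr.arpa. IN PTR
;; ANSWER SECTION:
31.85.191.131.in-addr.arpa. 604800 IN PTR flame.m3047.net.
;; AUTHORITY SECTION:
191.131.in-addr.arpa. 604800 IN NS ns102.
191.131.in-addr.arpa. 604800 IN NS ns102.click-network.com.
191.131.in-addr.arpa. 604800 IN NS fs838.click-network.com.
;; Query time: 24 msec
"""

# Constructed: what a consistent answer for the delegated zone looks like.
GOOD_CHILD = """
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0
;; QUESTION SECTION:
;31.85.191.131.in-addr.arpa. IN PTR
;; ANSWER SECTION:
31.85.191.131.in-addr.arpa. 604800 IN PTR flame.m3047.net.
;; AUTHORITY SECTION:
85.191.131.in-addr.arpa. 604800 IN NS ns102.click-network.com.
85.191.131.in-addr.arpa. 604800 IN NS fs838.click-network.com.
;; Query time: 24 msec
"""


def parse_dig(text):
    """Return (flags, sections) from dig text output.

    sections maps ANSWER/AUTHORITY/ADDITIONAL to lists of
    (owner, ttl, rtype, rdata); names are lower-cased.
    """
    flags = set()
    sections = {"ANSWER": [], "AUTHORITY": [], "ADDITIONAL": []}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = FLAGS_RE.match(line)
        if m:
            flags = set(m.group(1).split())
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            continue
        if line.startswith(";;"):          # any other ";;" line ends the RR listing
            current = None
            continue
        if not line or line.startswith(";") or current is None:
            continue                       # blank, QUESTION entry, or outside a section
        m = RR_RE.match(line)
        if m:
            owner, ttl, rtype, rdata = m.groups()
            sections[current].append((owner.lower(), int(ttl), rtype, rdata.strip().lower()))
    return flags, sections


def fqdn(name):
    return name.lower().rstrip(".") + "."


def ns_targets(sections, section, owner=None):
    """NS rdata in a section, optionally restricted to one owner name."""
    return {rdata for o, _, rtype, rdata in sections[section]
            if rtype == "NS" and (owner is None or o == owner)}


def check_delegation(child_zone, parent_referral, child_answer):
    """Compare the parent's referral with what the delegated server asserts.

    Returns a list of findings; an empty list means the delegation is
    consistent. A server that sets AA but places another zone's NS RRset
    in AUTHORITY is lame for child_zone.
    """
    child_zone = fqdn(child_zone)
    findings = []
    _pflags, psec = parent_referral
    cflags, csec = child_answer

    delegated = ns_targets(psec, "AUTHORITY", child_zone)
    if not delegated:
        findings.append(f"parent referral carries no NS RRset for {child_zone}")
    if "aa" not in cflags:
        findings.append("delegated server answered without AA: not authoritative")

    claimed = {o for o, _, rtype, _ in csec["AUTHORITY"] if rtype == "NS"}
    if claimed and child_zone not in claimed:
        findings.append(f"delegated server asserts authority for {sorted(claimed)} "
                        f"instead of {child_zone}: lame")
    for zone in sorted(claimed):
        for target in sorted(ns_targets(csec, "AUTHORITY", zone)):
            if "." not in target.rstrip("."):
                findings.append(f"{zone} advertises single-label NS target {target!r}")

    advertised = ns_targets(csec, "AUTHORITY", child_zone)
    if advertised and advertised != delegated:
        findings.append(f"NS set at parent {sorted(delegated)} differs from child {sorted(advertised)}")
    return findings


if __name__ == "__main__":
    parent = parse_dig(PARENT_REFERRAL)
    for label, text in (("lame", LAME_CHILD), ("good", GOOD_CHILD)):
        print(label, check_delegation("85.191.131.in-addr.arpa", parent, parse_dig(text)) or "consistent")
```

To run it against live servers, capture `dig @<parent-ns> 31.85.191.131.in-addr.arpa PTR +norecurse` and `dig @ns102.click-network.com 31.85.191.131.in-addr.arpa PTR +norecurse` and pass their output to `parse_dig` in place of the constructed transcripts; a resolver with qname minimization in strict mode will refuse the same delegation the checker flags as lame.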