Bug 1344

Summary: RFC6761-reserved domains: test. and invalid.
Product: unbound Reporter: Vladimír Čunát <vladimir.cunat>
Component: serverAssignee: unbound team <unbound-team>
Severity: enhancement CC: cathya, edmonds, wouter
Priority: P5    
Version: 1.6.4   
Hardware: All   
OS: All   

Description Vladimír Čunát 2017-07-11 15:12:19 CEST
When queried for either test. or invalid. , Unbound in default setup asks the root servers, and that SHOULD NOT happen - see bullets 6.2.4 and 6.4.4 of RFC6761.
Comment 1 Wouter Wijngaards 2017-07-11 15:28:23 CEST
Hi Vladimir,

Thank you!  I fixed that, and also added that to our documentation.

It is handled just like onion.

Best regards, Wouter
Comment 2 Vladimír Čunát 2017-07-11 15:30:30 CEST
Lightning fast :-)
Comment 3 Vladimír Čunát 2017-07-11 15:44:24 CEST
As you mention onion. - unbound 1.6.4 is giving me NODATA but RFC7686 2.4 specifies NXDOMAIN.  (I can't easily see SVN history to look at the changes conveniently.)
Comment 4 Wouter Wijngaards 2017-07-11 15:53:45 CEST
Hi Vladimir,

Unbound creates a SOA and NS record for the domain.  That makes the other names NXDOMAIN, but queries for onion. A or something like that NODATA.  I thought that was allright?  It is possible to return NXDOMAIN without a SOA record from a configuration point of view.

Best regards, Wouter
Comment 5 Vladimír Čunát 2017-07-11 15:57:59 CEST
The RFC seems to be clear to answer NXDOMAIN even for onion. itself.  I didn't try to find out why.
Comment 6 Vladimír Čunát 2017-07-11 16:14:43 CEST
Another related thing: RFC6761 sec. 6.3 reads to us as if resolvers should reply with address records even to foo.bar.localhost. even though it feels strange to me.  Unbound currently considers it localhost. a leaf domain - are you sure about that?
Comment 7 Wouter Wijngaards 2017-07-11 16:30:03 CEST
Hi Vladimir,

Yes reads like that to me too, but I don't understand why.  Can change it of course, fixed that in code.

Best regards, Wouter
Comment 8 Robert Edmonds 2017-07-11 19:23:00 CEST

RFC 7686 says:

   4.  Caching DNS Servers: Caching servers, where not explicitly
       adapted to interoperate with Tor, SHOULD NOT attempt to look up
       records for .onion names.  They MUST generate NXDOMAIN for all
       such queries.

From reading the introduction section, I think ".onion names" means the special "<foo>.onion" names used by the Tor network. It doesn't seem to include the single-label DNS name "onion.". So I think Unbound's current behavior is correct.
Comment 9 Vladimír Čunát 2017-07-12 14:11:56 CEST
To me that interpretation is undermined by the title and abstract mentioning ".onion" name in singular, and also by appearing similar to RFC6761 statements for other special-use TLDs that always (explicitly) include the TLD domain.

Still, I currently can't see any practical significance of whether onion itself should behave as non-existing or an empty (minimal) zone.