Bug 4147 - dig CNAME broken since commit 2be0263dfa72f314c4cb61599f1ec7e90784da9c
Status: ASSIGNED
Product: unbound
Classification: Unclassified
Component: server
1.7.3
x86_64 Linux
: P5 critical
Assigned To: unbound team
Depends on:
Blocks:
Reported: 2018-08-16 17:20 CEST by Alex
Modified: 2018-08-17 15:24 CEST (History)

Description Alex 2018-08-16 17:20:13 CEST
Hello,

I have an issue with CNAME since this patch:
 =>  https://github.com/NLnetLabs/unbound/commit/2be0263dfa72f314c4cb61599f1ec7e90784da9c

I'm using unbound 1.7.3 with qname-minimisation: yes.
The problem only occurs if I ask for a CNAME on a domain that has DNSSEC activated.

The first call is OK.
If I ask before TTL expiration, it's OK.
But once the TTL has expired, it says SERVFAIL.

Here is how to reproduce:

unbound ~ # systemctl restart unbound
unbound ~ # date && dig CNAME static.minims.eu
Thu Aug 16 17:13:08 CEST 2018

; <<>> DiG 9.10.3-P4-Debian <<>> CNAME static.minims.eu
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43224
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;static.minims.eu.              IN      CNAME

;; ANSWER SECTION:
static.minims.eu.       60      IN      CNAME   ftp.300gp.ovh.net.

;; Query time: 806 msec
;; SERVER: 213.186.33.99#53(213.186.33.99)
;; WHEN: Thu Aug 16 17:13:09 CEST 2018
;; MSG SIZE  rcvd: 76

unbound ~ # date && dig CNAME static.minims.eu
Thu Aug 16 17:13:11 CEST 2018

; <<>> DiG 9.10.3-P4-Debian <<>> CNAME static.minims.eu
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11204
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;static.minims.eu.              IN      CNAME

;; ANSWER SECTION:
static.minims.eu.       58      IN      CNAME   ftp.300gp.ovh.net.

;; Query time: 0 msec
;; SERVER: 213.186.33.99#53(213.186.33.99)
;; WHEN: Thu Aug 16 17:13:11 CEST 2018
;; MSG SIZE  rcvd: 76

unbound ~ # date && dig CNAME static.minims.eu
Thu Aug 16 17:15:01 CEST 2018

; <<>> DiG 9.10.3-P4-Debian <<>> CNAME static.minims.eu
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 55391
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;static.minims.eu.              IN      CNAME

;; Query time: 741 msec
;; SERVER: 213.186.33.99#53(213.186.33.99)
;; WHEN: Thu Aug 16 17:15:01 CEST 2018
;; MSG SIZE  rcvd: 45

unbound ~ #  

It works only if:
 - the domain does NOT have DNSSEC activated.
 - you ask for A instead of CNAME.
 - you set qname-minimisation to 'no'.


I finally recompiled a version of unbound 1.7.3 without this patch and the problem disappeared:

---
 iterator/iterator.c
@@ -2457,7 +2457,7 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
	}
	type = response_type_from_server(
		(int)((iq->chase_flags&BIT_RD) || iq->chase_to_rd),
-		iq->response, &iq->qchase, iq->dp);
+		iq->response, &iq->qinfo_out, iq->dp);
	iq->chase_to_rd = 0;
	if(type == RESPONSE_TYPE_REFERRAL && (iq->chase_flags&BIT_RD) &&
		!iq->auth_zone_response) {
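Review bot: switching the reference query passed to response_type_from_server() from iq->qchase to iq->qinfo_out leaves no guard for the case where the two differ, which is exactly what this report exercises: an explicit CNAME query for a DNSSEC-signed name with qname-minimisation on (the reporter states the failure disappears with qname-minimisation set to 'no', or when the query type is A), where the dig transcripts above show the answer going from NOERROR to SERVFAIL once the 60-second cached record has expired. I would ask for a code comment explaining why qinfo_out rather than qchase is the right query to classify the upstream reply against, and for a regression test covering CNAME-type queries with qname-minimisation: yes and DNSSEC validation, since that combination is what the reporter had to revert this hunk to fix.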
---

Are you aware of this issue?
Is there another way to correct this problem?
Is it safe to revert this?

Thanks.

Best Regards
Alex
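The reproduction above (query, wait past the TTL, query again, watch for SERVFAIL) as an added regression check; this is my own example, not code from the report or from the Unbound project. It parses dig(1) text output like the transcripts above, classifies a sequence of queries by whether a SERVFAIL arrived before or after the first answer's TTL ran out, and can drive dig live; the `probe` function, the sample strings and the classification labels are assumptions of this example.

```python
import re
import subprocess
import time

STATUS_RE = re.compile(r"status: (\w+),")
# Answer-section line: <name> <ttl> IN <type> <rdata>
ANSWER_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\w+)\s+(\S+)$", re.M)

# Constructed samples, trimmed from the dig output shown in the report above.
SAMPLE_OK = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43224
;; ANSWER SECTION:
static.minims.eu.       60      IN      CNAME   ftp.300gp.ovh.net.
"""
SAMPLE_SERVFAIL = ";; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 55391\n"

def parse_dig(text):
    """Return (status, [(name, ttl, rtype, rdata), ...]) parsed from dig text."""
    m = STATUS_RE.search(text)
    status = m.group(1) if m else "UNKNOWN"
    answers = [(n, int(t), r, d) for n, t, r, d in ANSWER_RE.findall(text)]
    return status, answers

def classify_runs(runs):
    """runs: [(seconds_since_first_query, dig_output), ...].
    The first run must answer; its smallest TTL is taken as the cache expiry.
    Returns 'ok', 'initial-failure', 'servfail-before-expiry' or
    'servfail-after-expiry' (the last one is the pattern in the report)."""
    status0, answers0 = parse_dig(runs[0][1])
    if status0 != "NOERROR" or not answers0:
        return "initial-failure"
    expiry = min(ttl for _, ttl, _, _ in answers0)
    for elapsed, out in runs[1:]:
        if parse_dig(out)[0] == "SERVFAIL":
            return "servfail-after-expiry" if elapsed > expiry else "servfail-before-expiry"
    return "ok"

def dig(name, rtype="CNAME", server=None):
    """Run dig(1) and return its text output (live use only; needs network)."""
    cmd = ["dig"] + ([f"@{server}"] if server else []) + [rtype, name]
    return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout

def probe(name, rtype="CNAME", server=None, slack=2):
    """Live reproduction of the report: query, wait past the TTL, query again."""
    first = dig(name, rtype, server)
    ttl = min((t for _, t, _, _ in parse_dig(first)[1]), default=0)
    time.sleep(ttl + slack)
    return classify_runs([(0, first), (ttl + slack, dig(name, rtype, server))])
```

Run `probe("static.minims.eu", server="213.186.33.99")` against a resolver under test; a result of 'servfail-after-expiry' reproduces the behaviour reported here.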
Comment 1 Ralph Dolmans 2018-08-17 12:08:58 CEST
Hi Alex,

Thanks for your detailed report and reproduction instructions. I did start looking into this issue already after your post on the unbound-users list, but wasn't able to reproduce the issue so far.

Now that I know it is TTL related I can reproduce it and start working on a fix. I'll keep you posted, thanks!

-- Ralph
Comment 2 Ralph Dolmans 2018-08-17 14:53:46 CEST
Hi Alex,

I just committed a fix for this issue, please have a look:

https://github.com/NLnetLabs/unbound/commit/afd4063f20a078f0f8617d58e08d34a4bed55e53

Cheers,
-- Ralph
Comment 3 Alex 2018-08-17 15:24:37 CEST
Hi Ralph,

I have recompiled unbound-1.7.3 with your patch and everything seems to be working for CNAME now.

Many thanks for your quick patch.

Best Regards,
Alex.