Package: knot-resolver
Version: 1.2.0-1
Severity: important
Dear Maintainer,
Under certain circumstances, when a zone is not signed, knot-resolver responds
to DS queries for that zone with the SOA record of the zone in question
instead of the SOA record of the parent zone.
Sending such wrong DS replies breaks DNSSEC validation.
Reproducing is quite easy with a clean installation and an empty cache:
issuing an A query and then a DS query reproduces the bug.
An example:
# kdig a void.gr @localhost
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 65070
;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 0
;; QUESTION SECTION:
;; void.gr. IN A
;; ANSWER SECTION:
void.gr. 3600 IN A 83.212.168.30
;; Received 41 B
;; Time 2017-07-15 03:21:50 EEST
;; From ::1@53(UDP) in 444.8 ms
# kdig ds void.gr @localhost
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 1335
;; Flags: qr rd ra; QUERY: 1; ANSWER: 0; AUTHORITY: 1; ADDITIONAL: 0
;; QUESTION SECTION:
;; void.gr. IN DS
;; AUTHORITY SECTION:
void.gr. 3600 IN SOA empty.void.gr. dnsmaster.void.gr. 2017071401 10800 3600 604800 10800
;; Received 77 B
;; Time 2017-07-15 03:21:57 EEST
;; From ::1@53(UDP) in 64.4 ms
Another example:
# kdig a google.com @localhost
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 14794
;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 0
;; QUESTION SECTION:
;; google.com. IN A
;; ANSWER SECTION:
google.com. 300 IN A 216.58.205.46
;; Received 44 B
;; Time 2017-07-15 03:29:13 EEST
;; From ::1@53(UDP) in 444.5 ms
# kdig ds google.com @localhost
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 37953
;; Flags: qr rd ra; QUERY: 1; ANSWER: 0; AUTHORITY: 1; ADDITIONAL: 0
;; QUESTION SECTION:
;; google.com. IN DS
;; AUTHORITY SECTION:
google.com. 60 IN SOA ns2.google.com. dns-admin.google.com. 162019261 900 900 1800 60
;; Received 78 B
;; Time 2017-07-15 03:29:17 EEST
;; From ::1@53(UDP) in 75.6 ms
On knot-resolver from testing (1.3.0-2), the answers are correct:
# dig a void.gr @localhost
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 56872
;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 0
;; QUESTION SECTION:
;; void.gr. IN A
;; ANSWER SECTION:
void.gr. 3600 IN A 83.212.168.30
;; Received 41 B
;; Time 2017-07-15 03:19:21 EEST
;; From ::1@53(UDP) in 441.5 ms
# dig ds void.gr @localhost
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 32532
;; Flags: qr rd ra; QUERY: 1; ANSWER: 0; AUTHORITY: 1; ADDITIONAL: 0
;; QUESTION SECTION:
;; void.gr. IN DS
;; AUTHORITY SECTION:
gr. 1800 IN SOA grdns.ics.forth.gr. hmaster-info.ics.forth.gr. 1707142191 3600 180 5184000 1800
;; Received 90 B
;; Time 2017-07-15 03:19:23 EEST
;; From ::1@53(UDP) in 52.8 ms
# kdig a google.com @localhost
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 61740
;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 0
;; QUESTION SECTION:
;; google.com. IN A
;; ANSWER SECTION:
google.com. 300 IN A 216.58.205.46
;; Received 44 B
;; Time 2017-07-15 03:31:16 EEST
;; From ::1@53(UDP) in 805.4 ms
# kdig ds google.com @localhost
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 27072
;; Flags: qr rd ra; QUERY: 1; ANSWER: 0; AUTHORITY: 1; ADDITIONAL: 0
;; QUESTION SECTION:
;; google.com. IN DS
;; AUTHORITY SECTION:
com. 900 IN SOA a.gtld-servers.net. nstld.verisign-grs.com. 1500078651 1800 900 604800 86400
;; Received 104 B
;; Time 2017-07-15 03:31:21 EEST
;; From ::1@53(UDP) in 620.7 ms
The order of queries matters:
# kdig ds google.com @localhost
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 55082
;; Flags: qr rd ra; QUERY: 1; ANSWER: 0; AUTHORITY: 1; ADDITIONAL: 0
;; QUESTION SECTION:
;; google.com. IN DS
;; AUTHORITY SECTION:
com. 900 IN SOA a.gtld-servers.net. nstld.verisign-grs.com. 1500078726 1800 900 604800 86400
;; Received 104 B
;; Time 2017-07-15 03:32:23 EEST
;; From ::1@53(UDP) in 722.7 ms
# kdig a google.com @localhost
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 16742
;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 0
;; QUESTION SECTION:
;; google.com. IN A
;; ANSWER SECTION:
google.com. 300 IN A 216.58.205.46
;; Received 44 B
;; Time 2017-07-15 03:32:30 EEST
;; From ::1@53(UDP) in 807.1 ms
# kdig ds google.com @localhost
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 7572
;; Flags: qr rd ra; QUERY: 1; ANSWER: 0; AUTHORITY: 1; ADDITIONAL: 0
;; QUESTION SECTION:
;; google.com. IN DS
;; AUTHORITY SECTION:
com. 890 IN SOA a.gtld-servers.net. nstld.verisign-grs.com. 1500078726 1800 900 604800 86400
;; Received 104 B
;; Time 2017-07-15 03:32:32 EEST
;; From ::1@53(UDP) in 1.3 ms
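As an added check (not part of this report or of knot-resolver), the following Python script parses kdig-style output like the transcripts above and flags a negative DS answer whose authority SOA is not a proper ancestor of the queried name, which is the condition a validating forwarder trips over. The two sample answers are constructed from the output above.

```python
"""Check that a resolver's negative answer to a DS query is backed by the
parent zone's SOA, not the child's (the defect described in this report)."""
import re

# Constructed samples modelled on the kdig transcripts in the report:
# the buggy answer carries the child's own SOA, the good one the parent's.
BUGGY_DS_ANSWER = """\
;; QUESTION SECTION:
;; void.gr. IN DS
;; AUTHORITY SECTION:
void.gr. 3600 IN SOA empty.void.gr. dnsmaster.void.gr. 2017071401 10800 3600 604800 10800
"""
GOOD_DS_ANSWER = """\
;; QUESTION SECTION:
;; void.gr. IN DS
;; AUTHORITY SECTION:
gr. 1800 IN SOA grdns.ics.forth.gr. hmaster-info.ics.forth.gr. 1707142191 3600 180 5184000 1800
"""

SECTION_RE = re.compile(r"^;;\s+(\w+) SECTION:\s*$")
QUESTION_RE = re.compile(r"^;;\s+(\S+)\s+IN\s+(\S+)\s*$")
RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.*)$")

def labels(name):
    """DNS name -> labels, root-first and case-folded ('void.gr.' -> ['gr', 'void'])."""
    return [l.lower() for l in name.strip(".").split(".") if l][::-1]

def is_proper_ancestor(parent, child):
    """True if `parent` is a strict ancestor of `child`; the root ('.') always is."""
    p, c = labels(parent), labels(child)
    return len(p) < len(c) and c[:len(p)] == p

def parse_kdig(text):
    """Return (qname, qtype, [(owner, rtype, rdata), ...]) from kdig-style output."""
    section, qname, qtype, authority = None, None, None, []
    for line in text.splitlines():
        if m := SECTION_RE.match(line):
            section = m.group(1)
        elif section == "QUESTION" and (m := QUESTION_RE.match(line)):
            qname, qtype = m.group(1), m.group(2)
        elif section == "AUTHORITY" and (m := RR_RE.match(line)):
            authority.append((m.group(1), m.group(3), m.group(4)))
    return qname, qtype, authority

def check_ds_answer(text):
    """Return (ok, reason): a DS denial must come from a zone above the qname."""
    qname, qtype, authority = parse_kdig(text)
    if qtype != "DS":
        return False, "not a DS query"
    soas = [owner for owner, rtype, _ in authority if rtype == "SOA"]
    if not soas:
        return False, "no SOA in authority section"
    if all(is_proper_ancestor(owner, qname) for owner in soas):
        return True, "SOA from parent zone %s" % soas[0]
    return False, "SOA owner %s is not a parent of %s" % (soas[0], qname)
```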
I initially bumped into this issue when I had a local unbound recursor
with knot-resolver as a forwarder for unbound, and unbound was returning SERVFAIL
to any queries for non-DNSSEC-enabled domains.
kdig -> unbound -> knot-resolver
Since this has been fixed upstream, please consider fixing this in
stretch as well.
Regards,
-- System Information:
Debian Release: 9.0
APT prefers stable
APT policy: (500, 'stable'), (99, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 4.9.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=el_GR.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages knot-resolver depends on:
ii adduser 3.115
ii dns-root-data 2017041102
ii libc6 2.24-11+deb9u1
ii libdnssec2 2.4.0-3
ii libgnutls30 3.5.8-5+deb9u1
ii libhiredis0.13 0.13.3-2
ii libknot5 2.4.0-3
ii liblmdb0 0.9.18-5
ii libluajit-5.1-2 2.0.4+dfsg-1+b1
ii libmemcached11 1.0.18-4.1
ii libmemcachedutil2 1.0.18-4.1
ii libnettle6 3.3-1+b1
ii libsystemd0 232-25
ii libuv1 1.9.1-3
ii libzscanner1 2.4.0-3
ii lua-sec 0.6-3
ii lua-socket 3.0~rc1+git+ac3201d-3
Versions of packages knot-resolver recommends:
ii knot-resolver-module-http 1.2.0-1
knot-resolver suggests no packages.
-- no debconf information