Package: unbound
Version: 1.9.0-2+deb10u1
Severity: important
Sometimes unbound replies to a query for a forward-zone using a spurious
cache entry, resulting in bogus NXDOMAIN responses that persist for
cache-max-negative-ttl seconds (1 hour, by default), effectively
disrupting name resolution for the zone.
Given this piece of configuration on 10.0.2.15:
server:
do-ip6: no
interface: 127.0.0.1
#log-local-actions: yes
log-queries: yes
log-replies: yes
log-servfail: yes
log-tag-queryreply: yes
#log-time-ascii: yes
statistics-cumulative: yes
statistics-interval: 3607
val-log-level: 2
verbosity: 4
logfile: /var/log/unbound.log
domain-insecure: test.local
remote-control:
control-enable: yes
control-interface: /run/unbound.ctl
forward-zone:
name: test.local
forward-addr: 10.0.2.2
and the zone test.local defined on 10.0.2.2 like this:
$TTL 3600 ; 1 hour
@ SOA x.test.local. root.test.local. (
1 ; serial
900 ; refresh (15 +minutes)
600 ; retry (10 minutes)
86400 ; expire (1 day)
3600 ; minimum / negative ttl (1 hour)
)
NS x.test.local.
x A 10.0.2.2
y A 10.0.2.10
responses from a freshly started instance of unbound on 10.0.2.15 depend on
query ordering:
successful sequence:
# service unbound restart
# dig @127.0.0.1 A y.test.local. => 10.0.2.10 (correct)
# dig @127.0.0.1 A nonexistent.local. => nxdomain (correct)
# dig @127.0.0.1 A y.test.local. => 10.0.2.10 (correct)
failing sequence:
# service unbound restart
# dig @127.0.0.1 A nonexistent.local. => nxdomain (correct)
# dig @127.0.0.1 A y.test.local. => nxdomain (WRONG)
At verbosity 4, the logfile contains this excerpt:
[1580891316] unbound[1842:0] info: msg from cache lookup
;; ->>HEADER<<- opcode: QUERY, rcode: NXDOMAIN, id: 0
;; flags: qr ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 0
;; QUESTION SECTION:
y.test.local. IN A
;; ANSWER SECTION:
;; AUTHORITY SECTION:
loans. 86394 IN NSEC locker. NS DS RRSIG NSEC
loans. 86394 IN RRSIG NSEC 8 1 86400 20200217170000 [...]
. 86394 IN NSEC aaa. NS SOA RRSIG NSEC DNSKEY
. 86394 IN RRSIG NSEC 8 0 86400 20200217170000 [...]
. 3594 IN SOA a.root-servers.net. nstld.verisign-grs.com.
2020020401 1800 900 604800 86400
. 86394 IN RRSIG SOA 8 0 86400 20200217170000 [...]
;; ADDITIONAL SECTION:
;; MSG SIZE rcvd: 1022
That entry looks like a response packet with rcode NXDOMAIN and Question
"y.test.local. IN A".
The network capture, however, shows that no such reply was ever received by
unbound. In fact unbound sent no query for "y.test.local." or "test.local."
to 10.0.2.2 or root nameservers.
The closest match is the packet received from a root server with rcode
NXDOMAIN and Question "local. IN A". Looks like the above "msg from
cache" is spurious.
Best regards,
g.b.
-- System Information:
Debian Release: 10.2
APT prefers stable
APT policy: (500, 'stable')
Architecture: i386 (i686)
Kernel: Linux 4.19.0-6-686 (SMP w/1 CPU core)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE=C.UTF-8
(charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages unbound depends on:
ii adduser 3.118
ii dns-root-data 2019031302
ii libc6 2.28-10
ii libevent-2.1-6 2.1.8-stable-4
ii libfstrm0 0.4.0-1
ii libprotobuf-c1 1.3.1-1+b1
ii libpython3.7 3.7.3-2
ii libssl1.1 1.1.1d-0+deb10u2
ii libsystemd0 241-7~deb10u2
ii lsb-base 10.2019051400
ii openssl 1.1.1d-0+deb10u2
ii unbound-anchor 1.9.0-2+deb10u1
unbound recommends no packages.
Versions of packages unbound suggests:
pn apparmor <none>
-- no debconf information
