Correct me if I understand it incorrectly. Whether you query a CNAME or an A record should not make a difference in NXDOMAIN status. But in any case the answer is not there. How does it change the ACME process when there is NXDOMAIN and not just a no-answer NOERROR response?

_acme-challenge.bender-doh.applied-privacy.net exists with a CNAME. Its CNAME target returns NXDOMAIN. So yes, it is a bit confusing what the final result is. What exactly is the stub in this case? The libresolv library? getaddrinfo() cannot query a CNAME itself; it can do that via an A query, however.

What is the point of querying just CNAME? Does it have a specific reason?

Unbound seems proactive in fetching the actually useful record instead of just the intermediate CNAME. I am not sure that has to be strictly wrong. The result it delivers is similar. It tells there is a CNAME and its target does not exist. It just seems the stub does not check the actual contents of the message except the rcode. Can a stub resolver do anything useful with the information that there is a CNAME not leading to a final destination?

Note: it would be much easier if you could share just a pcap containing the problem instead of only a text description.

On 3/26/23 18:29, Christoph via Unbound-users wrote:
Hi,

we are tracking/debugging [1][2] an issue that results in the failure of
certificate renewal (ACME DNS challenge).

If you ask unbound 1.17.1 the query shown below when it has an empty cache, you get an NXDOMAIN reply; if you ask it again you will get the actual expected answer (NOERROR). PowerDNS Recursor does not have that issue.

Investigating the DNS traffic has also shown that
the stub -> unbound CNAME query results in an unbound -> authoritative A qtype query instead of a CNAME query.

Can you reproduce this issue and confirm this is unexpected?

thanks!
Christoph


dig _acme-challenge.bender-doh.applied-privacy.net CNAME

; <<>> DiG 9.18.13 <<>> _acme-challenge.bender-doh.applied-privacy.net CNAME
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 20502
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;_acme-challenge.bender-doh.applied-privacy.net.    IN CNAME

;; ANSWER SECTION:
_acme-challenge.bender-doh.applied-privacy.net.    86400 IN CNAME bender-doh.acme-dns-challenge.applied-privacy.net.

;; AUTHORITY SECTION:
acme-dns-challenge.applied-privacy.net.    300 IN SOA get.desec.io. get.desec.io. 2023035286 86400 3600 2419200 3600

;; Query time: 114 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; MSG SIZE  rcvd: 167


#############################
query (stub -> recursor):
#############################

Internet Protocol Version 4, Src: 127.0.0.1, Dst: 127.0.0.1
Domain Name System (query)
    Transaction ID: 0x5016
    Flags: 0x0120 Standard query
    Questions: 1
    Answer RRs: 0
    Authority RRs: 0
    Additional RRs: 1
    Queries
        _acme-challenge.bender-doh.applied-privacy.net: type CNAME, class IN
            Name: _acme-challenge.bender-doh.applied-privacy.net
            [Name Length: 46]
            [Label Count: 4]
            Type: CNAME (Canonical NAME for an alias) (5)
            Class: IN (0x0001)
    Additional records


#############################
response (unbound -> stub)
#############################

Domain Name System (response)
    Transaction ID: 0x5016
    Flags: 0x81a3 Standard query response, No such name
    Questions: 1
    Answer RRs: 1
    Authority RRs: 1
    Additional RRs: 1
    Queries
        _acme-challenge.bender-doh.applied-privacy.net: type CNAME, class IN
            Name: _acme-challenge.bender-doh.applied-privacy.net
            [Name Length: 46]
            [Label Count: 4]
            Type: CNAME (Canonical NAME for an alias) (5)
            Class: IN (0x0001)
    Answers
    Authoritative nameservers
    Additional records


#############################
query: unbound -> authoritative  qtype: A? (instead of CNAME)
#############################

Internet Protocol Version 6, Dst: 2607:f740:e633:deec::2
User Datagram Protocol, Src Port: 37183, Dst Port: 53
Domain Name System (query)
    Transaction ID: 0x46ba
    Flags: 0x0010 Standard query
    Questions: 1
    Answer RRs: 0
    Authority RRs: 0
    Additional RRs: 1
    Queries
      _ACme-cHallENgE.BeNdEr-DOh.apPLIED-privacY.neT: type A, class IN
            Name: _ACme-cHallENgE.BeNdEr-DOh.apPLIED-privacY.neT
            [Name Length: 46]
            [Label Count: 4]
            Type: A (Host Address) (1) <<<<<<<<<
            Class: IN (0x0001)
    Additional records
    [Response In: 2688]


#############################
query: authoritative -> unbound
#############################

Domain Name System (response)
    Transaction ID: 0x46ba
    Flags: 0x8403 Standard query response, No such name
    Questions: 1
    Answer RRs: 2
    Authority RRs: 6
    Additional RRs: 1
    Queries
        _ACme-cHallENgE.BeNdEr-DOh.apPLIED-privacY.neT: type A, class IN
            Name: _ACme-cHallENgE.BeNdEr-DOh.apPLIED-privacY.neT
            [Name Length: 46]
            [Label Count: 4]
            Type: A (Host Address) (1)
            Class: IN (0x0001)
    Answers
        _ACme-cHallENgE.BeNdEr-DOh.apPLIED-privacY.neT: type CNAME, class IN, cname bender-doh.acme-dns-challenge.apPLIED-privacY.neT
            Name: _ACme-cHallENgE.BeNdEr-DOh.apPLIED-privacY.neT
            Type: CNAME (Canonical NAME for an alias) (5)
            Class: IN (0x0001)
            Time to live: 86400 (1 day)
            Data length: 32
            CNAME: bender-doh.acme-dns-challenge.apPLIED-privacY.neT
        _ACme-cHallENgE.BeNdEr-DOh.apPLIED-privacY.neT: type RRSIG, class IN
            Name: _ACme-cHallENgE.BeNdEr-DOh.apPLIED-privacY.neT
            Type: RRSIG (Resource Record Signature) (46)
            Class: IN (0x0001)
            Time to live: 86400 (1 day)
            Data length: 103
            Type Covered: CNAME (Canonical NAME for an alias) (5)
            Algorithm: ECDSA Curve P-256 with SHA-256 (13)
            Labels: 4
            Original TTL: 86400 (1 day)
            Signature Expiration: Apr  6, 2023 02:00:00.000000000 CEST
            Signature Inception: Mar 16, 2023 01:00:00.000000000 CET
            Key Tag: 38828
            Signer's name: applied-privacy.net
            Signature: 6ccde8920251717107ff82cbe6edbeda2723c8604f42d6914af643c2a84f5489db8e6972…
    Authoritative nameservers
    Additional records


################################
same query to a PowerDNS Recursor
results in the expected NOERROR
################################

dig @109.70.100.136 _acme-challenge.bender-doh.applied-privacy.net CNAME

; <<>> DiG 9.18.13 <<>> @109.70.100.136 _acme-challenge.bender-doh.applied-privacy.net CNAME
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51569
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;_acme-challenge.bender-doh.applied-privacy.net.    IN CNAME

;; ANSWER SECTION:
_acme-challenge.bender-doh.applied-privacy.net.    86400 IN CNAME bender-doh.acme-dns-challenge.applied-privacy.net.

;; Query time: 40 msec
;; SERVER: 109.70.100.136#53(109.70.100.136) (UDP)
;; MSG SIZE  rcvd: 119


[1] https://mailman.powerdns.com/pipermail/pdns-users/2023-March/028156.html
[2] https://github.com/go-acme/lego/issues/1739

--
Petr Menšík
Software Engineer, RHEL
Red Hat, https://www.redhat.com/
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
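
An added example, not code from the thread or from Unbound, that rebuilds the stub-facing response captured above in wire format (id 0x5016, flags 0x81a3, the CNAME answer; the SOA and OPT records are omitted here) and shows the distinction the reply raises: a stub that reads only the RCODE sees NXDOMAIN, while one that inspects the answer section finds the CNAME it asked for.

```python
import struct

TYPE_CNAME, CLASS_IN, RCODE_NXDOMAIN = 5, 1, 3

def encode_name(name):
    """Wire-encode a dotted name as length-prefixed labels ending in a zero byte."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"

def decode_name(msg, off):
    """Decode a possibly compressed name; return (name, offset just after it)."""
    labels, end = [], None
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:                       # compression pointer (RFC 1035 4.1.4)
            end = end if end is not None else off + 2
            off = ((n & 0x3F) << 8) | msg[off + 1]
            continue
        off += 1
        if n == 0:
            return ".".join(labels) + ".", (off if end is None else end)
        labels.append(msg[off:off + n].decode())
        off += n

def build_unbound_response():
    """Constructed message: header and CNAME answer as in the unbound -> stub capture,
    flags 0x81a3 = QR RD RA AD with RCODE 3 (NXDOMAIN); authority/additional left out."""
    qname = "_acme-challenge.bender-doh.applied-privacy.net."
    target = "bender-doh.acme-dns-challenge.applied-privacy.net."
    header = struct.pack("!6H", 0x5016, 0x81A3, 1, 1, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", TYPE_CNAME, CLASS_IN)
    rdata = encode_name(target)
    answer = b"\xC0\x0C" + struct.pack("!HHIH", TYPE_CNAME, CLASS_IN, 86400, len(rdata)) + rdata
    return header + question + answer

def classify(msg):
    """Return (rcode, verdict). The verdict is based on the answer section, so a CNAME
    that matches the question is reported even when the header says NXDOMAIN."""
    _, flags, _, an, _, _ = struct.unpack("!6H", msg[:12])
    rcode, off = flags & 0xF, 12
    qname, off = decode_name(msg, off)
    qtype, _ = struct.unpack("!HH", msg[off:off + 4]); off += 4
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10]); off += 10
        if name.lower() == qname.lower() and rtype == qtype == TYPE_CNAME:
            target, _ = decode_name(msg, off)       # the CNAME rdata is itself a name
            return rcode, f"answered: CNAME -> {target}"
        off += rdlen
    return rcode, "nxdomain" if rcode == RCODE_NXDOMAIN else f"rcode {rcode}"
```

A stub that stops at `rcode == 3` discards the CNAME; the loop over the answer section is what recovers it.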
