On 3/31/23 16:09, Tuomo Soini wrote:
On Fri, 31 Mar 2023 15:57:46 +0200 Petr Menšík <pemen...@redhat.com> wrote:

I have tried on my unbound and it never returns NXDOMAIN to me. The result is the same with kdig or dig, that makes no difference. I get NOERROR, not NXDOMAIN. All unbounds here are without forwarders set up, is that the difference?

I have tried it inside a Rawhide container.

# unbound-control forward off (using root hints)
# dig @localhost cnametest.bleve.fi. CNAME

; <<>> DiG 9.18.13 <<>> @localhost cnametest.bleve.fi. CNAME
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55072
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;cnametest.bleve.fi.		IN	CNAME

;; ANSWER SECTION:
cnametest.bleve.fi.	7118	IN	CNAME	nxdomain.foobar.fi.

;; Query time: 0 msec
;; SERVER: ::1#53(localhost) (UDP)
;; WHEN: Fri Mar 31 16:20:26 CEST 2023
;; MSG SIZE  rcvd: 77

Just after a fresh restart, it is NOERROR. As it is later. Indeed, the query unbound sends to cnametest.bleve.fi is an A? query. But the response delivered to dig is a correct one. Tested with unbound-1.17.1-2.fc38.x86_64.
Frame 641: 89 bytes on wire (712 bits), 89 bytes captured (712 bits) on interface virbr0, id 0
Ethernet II, Src: 7e:85:92:43:88:71 (7e:85:92:43:88:71), Dst: RealtekU_02:bd:85 (52:54:00:02:bd:85)
Internet Protocol Version 4, Src: 192.168.122.184, Dst: 87.239.120.11
User Datagram Protocol, Src Port: 46986, Dst Port: 53
Domain Name System (query)
    Transaction ID: 0x4302
    Flags: 0x0010 Standard query
    Questions: 1
    Answer RRs: 0
    Authority RRs: 0
    Additional RRs: 1
    Queries
        cnametest.bleve.fi: type A, class IN
    Additional records
    [Response In: 719]

It responds to it with the nameservers of bleve.fi. But to those servers it already sends a CNAME query, not A? Attaching my pcap.
When I did dig @localhost ns bleve.fi. before cnametest, it returned SERVFAIL the first time. Only then it responded with NOERROR. So no, I do not know how to get NXDOMAIN response from unbound. I get similar results for the original query.
$ kdig cnametest.bleve.fi. CNAME | head -2
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 35718
;; Flags: qr rd ra ad; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 0

dnsmasq does not handle CNAMEs at all. It requires the upstream recursive server to do the job and just passes the result to a client. bind can do a proper iteration job from root hints however. If it is a bug, I would suggest creating an issue at https://github.com/NLnetLabs/unbound/ But maybe more precise steps should be described for when it returns NXDOMAIN. Just flushing the cache and doing your query does not seem to be enough for me.

-- 
Petr Menšík
Software Engineer, RHEL
Red Hat, https://www.redhat.com/
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
cnametest-bleve.fi-filtered.pcapng
Description: application/pcapng
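Added here as a reference example (not part of this thread, nor unbound's or dig's code): a stdlib-only decoder for the header and answer section of a DNS reply, run on a wire image constructed to match the dig output quoted above (id 55072, flags qr rd ra ad, one CNAME answer, 77 bytes once the shared "fi" label is compressed). Per RFC 1034 section 3.6.2 a query whose QTYPE is CNAME is not restarted at the CNAME target, so the status code describes the owner name only; the second constructed message shows how an NXDOMAIN reply to the same question would decode, for comparison.

```python
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
RRTYPES = {1: "A", 5: "CNAME", 41: "OPT"}
FLAG_BITS = (("qr", 15), ("aa", 10), ("tc", 9), ("rd", 8), ("ra", 7), ("ad", 5), ("cd", 4))

def encode_name(name):  # uncompressed wire form of a dotted name (RFC 1035 section 3.1)
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"

def read_name(msg, off):
    """Return (name, offset after it); follows compression pointers (RFC 1035 4.1.4)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                  # 2-byte pointer into an earlier name
            end = off + 2 if end is None else end  # resume after the first pointer only
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            return ".".join(labels) + ".", (off if end is None else end)
        labels.append(msg[off:off + length].decode("ascii"))
        off += length

def parse_response(msg):
    """Header as dig prints it plus (owner, ttl, type, rdata) for each answer RR."""
    ident, flags, qdcount, ancount, _, _ = struct.unpack("!6H", msg[:12])
    result = {"id": ident, "status": RCODES.get(flags & 0xF, str(flags & 0xF)),
              "flags": [n for n, bit in FLAG_BITS if flags >> bit & 1], "answer": []}
    off = 12
    for _ in range(qdcount):                       # skip QNAME, QTYPE, QCLASS
        off = read_name(msg, off)[1] + 4
    for _ in range(ancount):
        owner, off = read_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        rdata = read_name(msg, off + 10)[0] if rtype == 5 else msg[off + 10:off + 10 + rdlen].hex()
        result["answer"].append((owner, ttl, RRTYPES.get(rtype, rtype), rdata))
        off += 10 + rdlen
    return result

# Constructed wire image of the reply dig printed above: id 55072, flags qr rd ra ad, status
# NOERROR, one CNAME answer (TTL 7118) whose trailing "fi" points into the question, OPT udp 1232.
QNAME = encode_name("cnametest.bleve.fi")
FI_PTR = struct.pack("!H", 0xC000 | (12 + QNAME.index(b"\x02fi")))
CNAME_RDATA = b"\x08nxdomain\x06foobar" + FI_PTR
SAMPLE_NOERROR = (struct.pack("!6H", 55072, 0x81A0, 1, 1, 0, 1)
                  + QNAME + struct.pack("!HH", 5, 1)                 # QTYPE CNAME, class IN
                  + b"\xC0\x0C" + struct.pack("!HHIH", 5, 1, 7118, len(CNAME_RDATA)) + CNAME_RDATA
                  + b"\x00" + struct.pack("!HHIH", 41, 1232, 0, 0))  # OPT pseudo-RR
# Same question with status NXDOMAIN (rcode 3) and an empty answer section, also constructed.
SAMPLE_NXDOMAIN = struct.pack("!6H", 55072, 0x81A3, 1, 0, 0, 0) + QNAME + struct.pack("!HH", 5, 1)
```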