Queries with too long DNAME substitution do not return YXDOMAIN response
The domain name can get too long during substitution (quoted from RFC 6672, section 2.1). For example, suppose the target name of the DNAME RR is 250 octets in length (multiple labels); if an incoming QNAME has a first label over 5 octets in length, the result would be a name over 255 octets. If this occurs, the server returns an RCODE of YXDOMAIN [RFC2136]. The DNAME record and its signature (if the zone is signed) are included in the answer as proof for the YXDOMAIN (value 6) RCODE.
Knot at commit 5c9250ef returns NOERROR even when the substitution is too long.
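To make the length rule concrete, here is an added example (not Knot's code) that implements the RFC 6672 substitution and the 255-octet wire-length check, and shows what a correct answer section contains in both the fitting and the overflowing case. The owner `long.`, the target labels and the query names are constructed; the RRSIG RDATA is a placeholder.

```python
# Added example (not Knot's code): DNAME substitution per RFC 6672 section 2.1
# with the 255-octet wire-length check. Owner/target/query names are constructed.
from typing import List, Optional, Tuple

MAX_NAME_WIRE_LEN = 255  # RFC 1035: a domain name on the wire is at most 255 octets
MAX_LABEL_LEN = 63
RCODE_NOERROR, RCODE_YXDOMAIN = 0, 6

def labels(name: str) -> List[str]:
    """Presentation-format name -> list of labels (the root name gives [])."""
    name = name.rstrip(".")
    return name.split(".") if name else []

def wire_length(name_labels: List[str]) -> int:
    """Wire size: a length octet plus the label for each label, plus the root's zero octet."""
    for label in name_labels:
        if not 1 <= len(label) <= MAX_LABEL_LEN:
            raise ValueError(f"bad label length: {label!r}")
    return sum(1 + len(label) for label in name_labels) + 1

def dname_substitute(qname: str, owner: str, target: str) -> Tuple[int, Optional[str]]:
    """Replace the DNAME owner suffix of qname with target.
    Returns (NOERROR, new name) or (YXDOMAIN, None) when the result would exceed 255 octets."""
    q, o, t = labels(qname), labels(owner), labels(target)
    # DNAME applies only to names strictly below its owner (not the owner itself).
    if len(q) <= len(o) or [x.lower() for x in q[len(q) - len(o):]] != [x.lower() for x in o]:
        raise ValueError("QNAME is not a proper subdomain of the DNAME owner")
    new_name = q[:len(q) - len(o)] + t
    if wire_length(new_name) > MAX_NAME_WIRE_LEN:
        return RCODE_YXDOMAIN, None
    return RCODE_NOERROR, ".".join(new_name) + "."

def build_answer(qname, owner, target, ttl=3600, rrsig=None):
    """Answer section a correct server returns: the DNAME RR (plus its RRSIG in a signed
    zone) in both cases; a synthesized CNAME only when the substitution fits."""
    rcode, new_name = dname_substitute(qname, owner, target)
    answer = [f"{owner} {ttl} IN DNAME {target}"]
    if rrsig:  # rrsig is a constructed placeholder for the RRSIG RDATA
        answer.append(f"{owner} {ttl} IN RRSIG DNAME {rrsig}")
    if rcode == RCODE_NOERROR:
        answer.append(f"{qname} {ttl} IN CNAME {new_name}")
    return rcode, answer

# Constructed target: labels of 63, 63, 63 and 55 octets -> 249 octets on the wire,
# so a 5-octet first label still fits (255) and a 6-octet one overflows (256).
TARGET = ".".join(["a" * 63, "b" * 63, "c" * 63, "d" * 55]) + "."
```

Calling `build_answer("abcdef.long.", "long.", TARGET, rrsig="<placeholder>")` yields RCODE 6 with only the DNAME and its RRSIG in the answer, which is what the query below should have produced.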
Here is a working substitution:
```
$ ldig +dnssec x.long.
; <<>> DiG 9.10.4-P6-RedHat-9.10.4-4.P6.fc25 <<>> @127.0.0.1 -p 5353 +timeout=5 +retry=0 +dnssec x.long.
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 55077
;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 4, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;x.long. IN A
;; ANSWER SECTION:
long. 3600 IN DNAME 63o-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.63o-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.63o-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.60o-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.
x.long. 3600 IN CNAME x.63o-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.63o-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.63o-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.60o-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.
long. 3600 IN RRSIG DNAME 5 1 3600 20170319155242 20170219155242 37471 . fN5A1zOpkoIIqYfFjc05/XTP21UyXpBRmDr1L4RI+QQncxLbbbvT4zlU +I7jDrHzqHNNJPvcFHnMFs3uC1wzSLhnE6J3J+5AgoX9Gd1qYsw9lyQW Sg3fnecMbdjyIqT71q05UQ5Cj0waRvWpg9P8Vm9HpIv4lIoLsCfgN7t1 pXtJct4yUYt/EsWBAM8K+VKstF8XiDZZxQXfGR2re7Onr9Skhm2heRPH 7HVeJsH59dyDxCT4cEXq+nIA4lsF6urUA05cSUU7qU1dY3UDj9Czhzee Mlqe/CG8U3Q2+KEYxUoOWJVDphauFWAoEz1e8L5Wf1r8PhHo5dk0OPf+ TxMOwQ==
;; AUTHORITY SECTION:
. 86400 IN SOA . . 2017021500 1800 900 604800 86400
. 86400 IN NSEC long. NS SOA RRSIG NSEC DNSKEY
. 86400 IN RRSIG SOA 5 0 86400 20170319155242 20170219155242 37471 . TUjFun1gu0kUC3QM9+Zql8lQXy/F5fw89NUJtxbneG80hAvLHF9BelFU VZ19GfUZlCrGUq9Z1REoe9ri+EthslH+mEtd9dYH+fe0movNMAkZ5KaO I49B4n2+MWXRK5NGdynzywpnno61nNzYs0YSiVXhrkYrIbaWGWkNPJ+M 1x6RCdG2Zks/FibUwHwZsiHy3dcjFGZ2g0pNV8RHBKUtm2rhlfUIOiSp mwQq+moCJAqobFdHb3i9tLbESYfs2vv6rN3F6zX6vBTUU0+vB3OuO1YF ewHtoUe2o4tyondVqNOTVRiDaRXNHqdT431XaEOQ2jVmwi7hYV0M2xHy 24Jftg==
. 86400 IN RRSIG NSEC 5 0 86400 20170319155242 20170219155242 37471 . Vb7VQNbPI93mQG6NS5zyH7FkAfHOzKNSBC88LB/4x8pP9VW82b4I5ItX zFYN2EH3hSVhyeoLtnSNAMGxsYamdZBhDWma95/bUHMPcDooEwqtN3Eq guFzfTdF7L6O19EcOppL5ezp1K8Mpqedpjir51+nqbXJRgsVpAVobWoi Di3hiIqOM2g9pxXe+LXN7519MTR4Qe/6CjNbkI6ZdBZNBsZ3DAvvH3gj ogNZsd9RDAqXpN2JnjA/CORWbgb6tj3s3Ic7HnE83w8RKWTaQU/RH8X3 W2WCjCxe0uK/08d9vwaLHZPqjnhza4IA9btAHcAJrdOTuaUqae4XNGF3 PVE2Dw==
;; Query time: 0 msec
;; SERVER: 127.0.0.1#5353(127.0.0.1)
;; WHEN: Ne úno 19 16:59:17 CET 2017
;; MSG SIZE rcvd: 1485
```
And this one is too long:
```
$ ldig xx.long.
;; Truncated, retrying in TCP mode.
; <<>> DiG 9.10.4-P6-RedHat-9.10.4-4.P6.fc25 <<>> @127.0.0.1 -p 5353 +timeout=5 +retry=0 xx.long.
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24039
;; flags: qr aa tc rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;xx.long. IN A
;; ANSWER SECTION:
long. 3600 IN DNAME 63o-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.63o-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.63o-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.60o-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.
;; Query time: 0 msec
;; SERVER: 127.0.0.1#5353(127.0.0.1)
;; WHEN: Ne úno 19 16:58:31 CET 2017
;; MSG SIZE rcvd: 301
```
This response has several problems:

- wrong RCODE (NOERROR instead of YXDOMAIN)
- it does not contain the RRSIG for the DNAME
- the message `;; Truncated, retrying in TCP mode.` indicates that something bad happened to the UDP query; the fallback to TCP should not be necessary