Answer to query going through chain of CNAMEs contains duplicate records in AUTHORITY section
Answer to query going through chain of CNAMEs contains duplicate records in AUTHORITY section.
Example of such answer:
;QUESTION
start.example.com. IN A
;ANSWER
start.example.com. 3600 IN CNAME x.y.z.wc.example.com.
start.example.com. 3600 IN RRSIG CNAME 8 3 3600 20121126123316 20121029123316 64050 example.com. LHpx5n++Z0Jgjjalac+e7wdYSbfurqSD pLRAOI1PybTJkwrMvgDKfp0ycT4HwsLV y7spumZ/Ahg/5II9pai7jCiqv1Iyh6fx 19ZVeClTFMOLotCK8xMHACYJIY39BhTw D2D3r9BxbK+RopUlXypwV02yzdY2xEnP CBJVDUn5d0g=
x.y.z.wc.example.com. 3600 IN CNAME x.y.z.end.example.com.
x.y.z.wc.example.com. 3600 IN RRSIG CNAME 8 3 3600 20121126123316 20121029123316 64050 example.com. BCnT6CIuqvF1U9LfiHIovgvXIVFJsCXq QWmnjHtbFvzUlTlfGj+56YBSOEpyCep4 CBJ0CBgZ8gl5kWip8N+sTlveU/UWMv4F AkqLXRYjp4CZegslmJIuXU5uS+Q0GlLb WdSB9ZCZcbbO0qrOtUfrJ2ozcSTCS+D+ oIZ+CkwvDlQ=
x.y.z.end.example.com. 3600 IN A 1.2.3.5
x.y.z.end.example.com. 3600 IN RRSIG A 8 3 3600 20121126123249 20121029123249 64050 example.com. MyXXd3MvXtEYVNqWDepM3+Ra/j/b63Qe hzSHXZe5gL954WxW8KGHPYmeWyhDtruT hpZS6s6jeARY2xt0lmEDnMgNyPJGA6UW wTIgvGD0u9Qw5kocCq3ZH4cSG4xu4rmZ oi+h8OGrHxUb4jIKzipzAQDxhnAcp/wK F7e+p+OE+Fo=
;AUTHORITY
isjq5aarcp8p5sukc56g961cccjus5u2.example.com. 86400 IN NSEC3 1 0 1 abcd isoaarjsq14bkqaamivn1t1milkv95lc A RRSIG
isjq5aarcp8p5sukc56g961cccjus5u2.example.com. 86400 IN RRSIG NSEC3 8 3 86400 20121126123259 20121029123259 64050 example.com. Cxwzq1DUQvhkTVHEJHlb92c511Y+uJy/ C0yL9br6W/5lB/usuSiK2DjW58ibPh2k LH1P3SpGqd1Y7LigptdXoPBDFakcNcim PWCN93R3J80+vrHHPkPyIsBaywwYI3SN GgfnHfPF+wmH+tZ1vfEHbigOxqPFK+T0 ntKq7dkSndg=
a61sejfu6am5a36p628t4s089s309o44.example.com. 86400 IN NSEC3 1 0 1 abcd a64lt5ij9a1up15h5cdsn1u2071901hu A RRSIG
a61sejfu6am5a36p628t4s089s309o44.example.com. 86400 IN RRSIG NSEC3 8 3 86400 20121126123315 20121029123315 64050 example.com. gfBu4oqo9cVxJbqrw2Ly7mK638kGPOF8 l8eh7ovalniwkU3F+PNYJyfSE9yGX8tM GbXrkEW9mAzAh39igr2+Bbzi9WPTRp4R DVM0qw+eyMmQRPWKt7FeanDtP+OcdVp0 Hf2aPzsgmgTdS6s0AboUq1rX53H2M6F8 xAiwPrBJXDQ=
example.com. 3600 IN NS ns.example.com.
example.com. 3600 IN RRSIG NS 8 2 3600 20121126123249 20121029123249 64050 example.com. cpLjgKPacNxVIGo59tYMZ98GVYpH28WH RWj3AeIHK0StYFcAlflGLdkae1LEgMwf UmzrayrA5GMe3AH8LyuTgA2Dn1oNFxGf uShQvK2MFQ+LxvQfiuoqlAlL5Aa94IWc SoU/wLrr66I1K8oSB2yK1Tyyv73c2N40 D1mBbzIE70U=
a61sejfu6am5a36p628t4s089s309o44.example.com. 86400 IN NSEC3 1 0 1 abcd a64lt5ij9a1up15h5cdsn1u2071901hu A RRSIG
a61sejfu6am5a36p628t4s089s309o44.example.com. 86400 IN RRSIG NSEC3 8 3 86400 20121126123315 20121029123315 64050 example.com. gfBu4oqo9cVxJbqrw2Ly7mK638kGPOF8 l8eh7ovalniwkU3F+PNYJyfSE9yGX8tM GbXrkEW9mAzAh39igr2+Bbzi9WPTRp4R DVM0qw+eyMmQRPWKt7FeanDtP+OcdVp0 Hf2aPzsgmgTdS6s0AboUq1rX53H2M6F8 xAiwPrBJXDQ=
example.com. 3600 IN NS ns.example.com.
example.com. 3600 IN RRSIG NS 8 2 3600 20121126123249 20121029123249 64050 example.com. cpLjgKPacNxVIGo59tYMZ98GVYpH28WH RWj3AeIHK0StYFcAlflGLdkae1LEgMwf UmzrayrA5GMe3AH8LyuTgA2Dn1oNFxGf uShQvK2MFQ+LxvQfiuoqlAlL5Aa94IWc SoU/wLrr66I1K8oSB2yK1Tyyv73c2N40 D1mBbzIE70U=
;ADDITIONALPlease note duplicate example.com. 3600 IN NS ns.example.com. and associated RRSIG/NSEC3 records.
Reproducer:
- Use kresd b9c99804
- Use test
sets/resolver/val_nsec3_cnametocnamewctoposwc.rplfrom Deckard@9a70ab63db0ec8a5220b04ab5152ab2215e1206a. - run test as
rm -f /tmp/pcap && SOCKET_WRAPPER_PCAP_FILE=/tmp/pcap TESTS=sets/resolver/val_nsec3_cnametocnamewctoposwc.rpl MAKEFLAGS="-j1" ./kresd_run.sh - check
AUTHORITYsection in the last DNS packet of/tmp/pcap(ignore duplicate packets in the pcap, IMHO this is not caused bykresd)