RFC 6672: DNAME support

https://tools.ietf.org/html/rfc6672 Mainly their validation doesn't work probably; the mandatory CNAMEs should make DNAMEs work on unsigned domains.

Related: #108 (closed), as DNAMEs are another way of generating RRs that haven't been seen.

You might want to look at https://gitlab.labs.nic.cz/knot/deckard/tree/dname_tests - it has some preliminary versions of tests for DNAME.

Non-support in validator most likely won't block implementation of aggressive caching.

This might occaisonally cause SERVFAIL during validation so I'm going to promote it to a bug and raise its priority.

added bug label

added plan and removed feature labels

changed milestone to %2018 Q2

changed milestone to %2018 Q1

changed title from DNAME: implement support to RFC 6672: DNAME support

changed milestone to %2018 Q2

Also relevant:

• http://www.rfc-editor.org/errata/eid5297
• http://www.rfc-editor.org/errata/eid5298

It would be good to make it DNAME functional also in non-standard situation where CNAME+DNAME are at the same node.

changed milestone to %2018 Q3

removed plan label

added plan label

removed milestone

mentioned in issue #537

We have a domain apparently affected by this - lancaster.ac.uk is signed and contains a DNAME to lancs.ac.uk. kresd appears to get stuck in a 'cname chain, following' loop whilst trying to fetch the RRSIG.

How can we help to squash this bug?

with 'Knot Resolver, version 5.0.1':

[00000.00][plan] plan 'www.lancaster.ac.uk.' type 'A' uid [53555.00]
[53555.00][iter]   'www.lancaster.ac.uk.' type 'A' new uid was assigned .01, parent uid .00
[53555.01][cach]   => no NSEC* cached for zone: lancaster.ac.uk.
[53555.01][cach]   => skipping zone: lancaster.ac.uk., NSEC, hash 0;new TTL -123456789, ret -2
[53555.01][cach]   => skipping zone: lancaster.ac.uk., NSEC, hash 0;new TTL -123456789, ret -2
[53555.01][zcut]   found cut: lancaster.ac.uk. (rank 040 return codes: DS 0, DNSKEY 0)
[53555.01][resl]   => id: '33989' querying: '5.61.126.110#00053' score: 10 zone cut: 'lancaster.ac.uk.' qname: 'wWw.LANCaStER.ac.uk.' qtype: 'A' proto: 'udp'
[53555.01][iter]   <= authority: ns outside bailiwick
[53555.01][iter]   <= authority: ns outside bailiwick
[53555.01][iter]   <= authority: ns outside bailiwick
[53555.01][iter]   <= authority: ns outside bailiwick
[53555.01][iter]   <= rcode: NOERROR
[53555.01][iter]   <= cname chain, following
[00000.00][plan] plan 'www.lancs.ac.uk.' type 'A' uid [53555.02]
[53555.01][vldr]   >< cut changed, needs revalidation
[53555.01][resl]   <= server: '5.61.126.110' rtt: 62 ms
[53555.02][iter]   'www.lancs.ac.uk.' type 'A' new uid was assigned .03, parent uid .00
[53555.03][cach]   => satisfied by exact RRset: rank 060, new TTL 3348
[53555.03][iter]   <= rcode: NOERROR
[53555.03][vldr]   <= answer valid, OK
[53555.01][resl]   => resuming yielded answer
[53555.01][vldr]   >< no valid RRSIGs found: www.lancaster.ac.uk. CNAME (0 matching RRSIGs, 0 expired, 0 not yet valid, 0 invalid signer, 0 invalid label count, 0 invalid key, 0 invalid crypto, 0 invalid NSEC)
[53555.01][plan]   plan 'www.lancaster.ac.uk.' type 'RRSIG' uid [53555.04]
[53555.04][iter]     'www.lancaster.ac.uk.' type 'RRSIG' new uid was assigned .05, parent uid .01
[53555.05][cach]     => skipping RR type RRSIG
[53555.05][resl]     => id: '09563' querying: '148.88.65.105#00053' score: 10 zone cut: 'lancaster.ac.uk.' qname: 'wWw.LAncAsTer.Ac.uk.' qtype: 'RRSIG' proto: 'udp'
[53555.05][iter]     <= authority: ns outside bailiwick
[53555.05][iter]     <= authority: ns outside bailiwick
[53555.05][iter]     <= authority: ns outside bailiwick
[53555.05][iter]     <= authority: ns outside bailiwick
[53555.05][iter]     <= rcode: NOERROR
[53555.05][iter]     <= cname chain, following
[53555.01][plan]   plan 'www.lancs.ac.uk.' type 'RRSIG' uid [53555.06]
[53555.05][vldr]     >< cut changed, needs revalidation
[53555.05][resl]     <= server: '148.88.65.105' rtt: 38 ms
[53555.06][iter]     'www.lancs.ac.uk.' type 'RRSIG' new uid was assigned .07, parent uid .01
[53555.07][cach]     => skipping RR type RRSIG
[53555.07][zcut]     found cut: lancs.ac.uk. (rank 040 return codes: DS 0, DNSKEY 0)
[53555.07][resl]     => id: '14686' querying: '148.88.65.104#00053' score: 10 zone cut: 'lancs.ac.uk.' qname: 'Www.lAncS.ac.UK.' qtype: 'RRSIG' proto: 'udp'
[53555.07][iter]     <= rcode: NOERROR
[53555.07][vldr]     <= answer valid, OK
[53555.07][cach]     => skipping RR type RRSIG
[53555.07][resl]     <= server: '148.88.65.104' rtt: 38 ms
[53555.05][resl]     => resuming yielded answer
[53555.05][vldr]     >< no valid RRSIGs found: www.lancaster.ac.uk. CNAME (0 matching RRSIGs, 0 expired, 0 not yet valid, 0 invalid signer, 0 invalid label count, 0 invalid key, 0 invalid crypto, 0 invalid NSEC)
[53555.05][plan]     plan 'www.lancaster.ac.uk.' type 'RRSIG' uid [53555.08]
[53555.08][iter]       'www.lancaster.ac.uk.' type 'RRSIG' new uid was assigned .09, parent uid .05
[53555.09][cach]       => skipping RR type RRSIG
[53555.09][resl]       => id: '47130' querying: '148.88.65.105#00053' score: 38 zone cut: 'lancaster.ac.uk.' qname: 'Www.LAncaster.AC.Uk.' qtype: 'RRSIG' proto: 'udp'
[53555.09][iter]       <= authority: ns outside bailiwick
[53555.09][iter]       <= authority: ns outside bailiwick
[53555.09][iter]       <= authority: ns outside bailiwick
[53555.09][iter]       <= authority: ns outside bailiwick
[53555.09][iter]       <= rcode: NOERROR
[53555.09][iter]       <= cname chain, following
[53555.05][plan]     plan 'www.lancs.ac.uk.' type 'RRSIG' uid [53555.10]
[53555.09][vldr]       >< cut changed, needs revalidation
[53555.09][resl]       <= server: '148.88.65.105' rtt: 38 ms
[53555.10][iter]       'www.lancs.ac.uk.' type 'RRSIG' new uid was assigned .11, parent uid .05
[53555.11][cach]       => skipping RR type RRSIG
[53555.11][zcut]       found cut: lancs.ac.uk. (rank 040 return codes: DS 0, DNSKEY 0)
[53555.11][resl]       => id: '65166' querying: '148.88.65.104#00053' score: 38 zone cut: 'lancs.ac.uk.' qname: 'wWW.lanCs.AC.uk.' qtype: 'RRSIG' proto: 'udp'
[53555.11][iter]       <= rcode: NOERROR
[53555.11][vldr]       <= answer valid, OK
[53555.11][cach]       => skipping RR type RRSIG
[53555.11][resl]       <= server: '148.88.65.104' rtt: 37 ms
[53555.09][resl]       => resuming yielded answer
[53555.09][vldr]       >< no valid RRSIGs found: www.lancaster.ac.uk. CNAME (0 matching RRSIGs, 0 expired, 0 not yet valid, 0 invalid signer, 0 invalid label count, 0 invalid key, 0 invalid crypto, 0 invalid NSEC)
[53555.09][plan]       plan 'www.lancaster.ac.uk.' type 'RRSIG' uid [53555.12]
[53555.12][iter]         'www.lancaster.ac.uk.' type 'RRSIG' new uid was assigned .13, parent uid .09
[53555.13][cach]         => skipping RR type RRSIG
[53555.13][resl]         => id: '61306' querying: '148.88.65.105#00053' score: 38 zone cut: 'lancaster.ac.uk.' qname: 'wWw.lAnCAsTer.aC.uk.' qtype: 'RRSIG' proto: 'udp'
[53555.13][iter]         <= authority: ns outside bailiwick
[53555.13][iter]         <= authority: ns outside bailiwick
[53555.13][iter]         <= authority: ns outside bailiwick
[53555.13][iter]         <= authority: ns outside bailiwick
[53555.13][iter]         <= rcode: NOERROR
[53555.13][iter]         <= cname chain, following
[53555.09][plan]       plan 'www.lancs.ac.uk.' type 'RRSIG' uid [53555.14]
[53555.13][vldr]         >< cut changed, needs revalidation
[53555.13][resl]         <= server: '148.88.65.105' rtt: 39 ms
[53555.14][iter]         'www.lancs.ac.uk.' type 'RRSIG' new uid was assigned .15, parent uid .09
[53555.15][cach]         => skipping RR type RRSIG
[53555.15][zcut]         found cut: lancs.ac.uk. (rank 040 return codes: DS 0, DNSKEY 0)
[53555.15][resl]         => id: '30101' querying: '148.88.65.104#00053' score: 37 zone cut: 'lancs.ac.uk.' qname: 'Www.LaNcs.AC.Uk.' qtype: 'RRSIG' proto: 'udp'
[53555.15][iter]         <= rcode: NOERROR
[53555.15][vldr]         <= answer valid, OK
[53555.15][cach]         => skipping RR type RRSIG
[53555.15][resl]         <= server: '148.88.65.104' rtt: 38 ms
[53555.13][resl]         => resuming yielded answer
[53555.13][vldr]         >< no valid RRSIGs found: www.lancaster.ac.uk. CNAME (0 matching RRSIGs, 0 expired, 0 not yet valid, 0 invalid signer, 0 invalid label count, 0 invalid key, 0 invalid crypto, 0 invalid NSEC)
[53555.13][plan]         plan 'www.lancaster.ac.uk.' type 'RRSIG' uid [53555.16]
[53555.16][iter]           'www.lancaster.ac.uk.' type 'RRSIG' new uid was assigned .17, parent uid .13
[53555.17][cach]           => skipping RR type RRSIG

[...]

[53555.129][plan]                                                                   plan 'www.lancs.ac.uk.' type 'RRSIG' uid [53555.134]
[53555.133][vldr]                                                                     >< cut changed, needs revalidation
[53555.133][resl]                                                                     <= server: '148.88.65.105' rtt: 41 ms
[53555.134][iter]                                                                     'www.lancs.ac.uk.' type 'RRSIG' new uid was assigned .135, parent uid .129
[53555.135][cach]                                                                     => skipping RR type RRSIG
[53555.135][zcut]                                                                     found cut: lancs.ac.uk. (rank 040 return codes: DS 0, DNSKEY 0)
[53555.131][resl]                                                                   AD: request NOT classified as SECURE
[53555.135][resl]                                                                     finished: 8, queries: 33, mempool: 524800 B

Just in case, for now an ugly workaround might be to downgrade those names to insecure status

trust_anchors.set_insecure({ 'lancaster.ac.uk.' })

but it's not nice and I suspect in the DNAME case it will also break validation behind the resolver. (DNAME record doesn't get into answer, apparently, so the accompanying CNAME should appear bogus.)

mentioned in merge request !965 (merged)

@gclinch Thank you for reporting this, we are working on fix. Code in !965 (merged) already validates query www.lancaster.ac.uk. correctly. It should be released "soonish".

closed via merge request !965 (merged)

mentioned in commit cdf1d774