unsigned same-server delegation does not work (SERVFAIL when iterating)
Attached test asks for unsigned2.box. SOA and the request ends with SERVFAIL.
I believe that it should work because the domain is an unsigned delegation from parent, with child hosted on the same server. The delegation is inside opt-out range so resolver should verify unsigned status of zone and continue.
(I hope there is no mistake in the test, I did my best. If there is a mistake in test itself I apologize.)
Activity
- Vladimír Čunát changed title from NSEC3 opt-out does not work if child and parent are on the same server to unsigned same-server delegation does not work (SERVFAIL when iterating)
- Owner
Real-life example: us.af.mil MX, reported on gitter. We receive answer from the child zone (unsigned, of course) and we fail to generate a query that would obtain the delegation proof – RRSIG query is tried but that's useless for this purpose.
This bug does not seem to be a (recent-ish) regression. I quickly tried a few versions and all failed this (oldest one being 3.0.0).
Verbose logs:
[00000.00][plan] plan 'us.af.mil.' type 'MX' uid [18568.00]
[18568.00][iter] 'us.af.mil.' type 'MX' new uid was assigned .01, parent uid .00
[18568.01][cach] => trying zone: ., NSEC, hash 0
[18568.01][cach] => NSEC sname: range search miss (!covers)
[18568.01][cach] => skipping zone: ., NSEC, hash 0;new TTL -123456789, ret -2
[18568.01][zcut] found cut: . (rank 060 return codes: DS -2, DNSKEY 0)
[18568.01][resl] >< TA: '.'
[18568.01][resl] => id: '05715' querying: '202.12.27.33#00053' score: 10 zone cut: '.' qname: 'Mil.' qtype: 'NS' proto: 'udp'
[18568.01][iter] <= answer received:
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 5715
;; Flags: qr cd QUERY: 1; ANSWER: 0; AUTHORITY: 9; ADDITIONAL: 7
;; EDNS PSEUDOSECTION:
;; Version: 0; flags: do; UDP size: 4096 B; ext-rcode: Unused
;; QUESTION SECTION
mil. NS
;; AUTHORITY SECTION
mil. 172800 NS eur2.nipr.mil.
mil. 172800 NS pac1.nipr.mil.
mil. 172800 NS eur1.nipr.mil.
mil. 172800 NS con2.nipr.mil.
mil. 172800 NS pac2.nipr.mil.
mil. 172800 NS con1.nipr.mil.
mil. 86400 DS 7765 8 2 49E8705D169873922E701EE46D3063CD1B7C5EADC714815241C54E4399B9BF09
mil. 86400 DS 7765 8 1 D8BCC5D307AC70652F7CD21653322746EFCEA3DC
mil. 86400 RRSIG DS 8 1 86400 20200708180000 20200625170000 48903 . uZ8tHZIXK9J+WnRqh9xgEx1+AlKARQLyLRzufleAzL7WHaFMPabxd9IG+uXnv92r9FuH8G9mvRJgtgn4eFyMuaawMgefMH7bxvNaBBCnK75LM9AzQIQpz/KW1Te6Ym5sSEoBjsm0qd8zqOHk5F+G7XJu3ktdck983Offp4W+eu7yJEw/ohxfhDvyktuGNSMKD1bSmQACtoZlw8Bq2mJx/FYiv2vsQZ8l7JzIocq4GgC0jgv9XSkk8kpnV4D1FwkZgv8dWh0o7Iube0GVqHiENdYr3yGWNT/h59JCCyO/8/mEHF+XcrkoXYaKoMjzneU8BpNGpvqJHvTgiD1VNPaOFw==
;; ADDITIONAL SECTION
con1.nipr.mil. 172800 A 199.252.157.234
con2.nipr.mil. 172800 A 199.252.162.234
eur1.nipr.mil. 172800 A 199.252.154.234
eur2.nipr.mil. 172800 A 199.252.143.234
pac1.nipr.mil. 172800 A 199.252.180.234
pac2.nipr.mil. 172800 A 199.252.155.234
[18568.01][iter] <= loaded 6 glue addresses
[18568.01][iter] <= referral response, follow
[18568.01][vldr] <= DS: OK
[18568.01][vldr] <= answer valid, OK
[18568.01][cach] => stashed mil. DS, rank 060, 356 B total, incl. 1 RRSIGs
[18568.01][cach] => stashed mil. NS, rank 002, 122 B total, incl. 0 RRSIGs
[18568.01][cach] => stashed also 6 nonauth RRsets
[18568.01][resl] <= server: '202.12.27.33' rtt: 29 ms
[18568.01][iter] 'us.af.mil.' type 'MX' new uid was assigned .02, parent uid .00
[18568.02][plan] plan 'mil.' type 'DNSKEY' uid [18568.03]
[18568.03][iter] 'mil.' type 'DNSKEY' new uid was assigned .04, parent uid .02
[18568.04][cach] => no NSEC* cached for zone: mil.
[18568.04][cach] => skipping zone: mil., NSEC, hash 0;new TTL -123456789, ret -2
[18568.04][cach] => skipping zone: mil., NSEC, hash 0;new TTL -123456789, ret -2
[18568.04][resl] => id: '17844' querying: '199.252.162.234#00053' score: 10 zone cut: 'mil.' qname: 'MIL.' qtype: 'DNSKEY' proto: 'udp'
[18568.04][iter] <= answer received:
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 17844
;; Flags: qr aa cd QUERY: 1; ANSWER: 5; AUTHORITY: 0; ADDITIONAL: 1
;; EDNS PSEUDOSECTION:
;; Version: 0; flags: do; UDP size: 4096 B; ext-rcode: Unused
;; QUESTION SECTION
mil. DNSKEY
[18568.04][iter] <= rcode: NOERROR
[18568.04][vldr] <= parent: updating DNSKEY
[18568.04][vldr] <= answer valid, OK
[18568.04][cach] => stashed mil. DNSKEY, rank 060, 992 B total, incl. 2 RRSIGs
[18568.04][resl] <= server: '199.252.162.234' rtt: 44 ms
[18568.02][iter] 'us.af.mil.' type 'MX' new uid was assigned .05, parent uid .00
[18568.05][resl] => id: '58627' querying: '199.252.155.234#00053' score: 10 zone cut: 'mil.' qname: 'af.MIL.' qtype: 'NS' proto: 'udp'
[18568.05][iter] <= answer received:
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 58627
;; Flags: qr cd QUERY: 1; ANSWER: 0; AUTHORITY: 9; ADDITIONAL: 7
;; EDNS PSEUDOSECTION:
;; Version: 0; flags: do; UDP size: 4096 B; ext-rcode: Unused
;; QUESTION SECTION
af.mil. NS
;; AUTHORITY SECTION
af.mil. 21600 NS osan-ns10.afnoc.af.mil.
af.mil. 21600 NS langley-ns10.afnoc.af.mil.
af.mil. 21600 NS beale-ns10.afnoc.af.mil.
af.mil. 21600 NS peterson-ns10.afnoc.af.mil.
af.mil. 21600 NS ramstein-ns10.afnoc.af.mil.
af.mil. 21600 NS scott-ns10.afnoc.af.mil.
af.mil. 10800 DS 56521 8 1 B0A7BC1ADF9BAB581EA203E187255F57B00C1023
af.mil. 10800 DS 56521 8 2 7BA313A1D2FB68662093FF222A4211B39BCC150FABFE7C6D36A0390E4D6C11FC
af.mil. 10800 RRSIG DS 8 2 10800 20200702162034 20200625162034 48726 mil. n1Nio40iRodlu/d+wZY6T1HYOH7vG0DIeh1mJPa51FOqgefv0NYLpvzOnOjEkoZw/REYcav5HB8Nz2ywlPN9DWaG1VM5BjEXB1QwzZMziWIZEBMFC3C0EUa7yn7bH3AINhFr6ctN+G6vPd2hnRAFmptRMLwJb3a3JkMjIXX4CD0=
;; ADDITIONAL SECTION
beale-ns10.afnoc.af.mil. 21600 A 132.3.65.10
scott-ns10.afnoc.af.mil. 21600 A 132.3.41.10
langley-ns10.afnoc.af.mil. 21600 A 132.3.29.10
osan-ns10.afnoc.af.mil. 21600 A 132.3.13.10
peterson-ns10.afnoc.af.mil. 21600 A 132.3.57.10
ramstein-ns10.afnoc.af.mil. 21600 A 132.3.25.10
[18568.05][iter] <= loaded 6 glue addresses
[18568.05][iter] <= referral response, follow
[18568.05][vldr] <= DS: OK
[18568.05][vldr] <= answer valid, OK
[18568.05][cach] => stashed af.mil. DS, rank 060, 232 B total, incl. 1 RRSIGs
[18568.05][cach] => stashed af.mil. NS, rank 002, 186 B total, incl. 0 RRSIGs
[18568.05][cach] => stashed also 6 nonauth RRsets
[18568.05][resl] <= server: '199.252.155.234' rtt: 48 ms
[18568.05][iter] 'us.af.mil.' type 'MX' new uid was assigned .06, parent uid .00
[18568.06][plan] plan 'af.mil.' type 'DNSKEY' uid [18568.07]
[18568.07][iter] 'af.mil.' type 'DNSKEY' new uid was assigned .08, parent uid .06
[18568.08][cach] => no NSEC* cached for zone: af.mil.
[18568.08][cach] => skipping zone: af.mil., NSEC, hash 0;new TTL -123456789, ret -2
[18568.08][cach] => skipping zone: af.mil., NSEC, hash 0;new TTL -123456789, ret -2
[18568.08][resl] => id: '09637' querying: '132.3.41.10#00053' score: 10 zone cut: 'af.mil.' qname: 'af.MIl.' qtype: 'DNSKEY' proto: 'udp'
[18568.08][iter] <= answer received:
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 9637
;; Flags: qr aa cd QUERY: 1; ANSWER: 7; AUTHORITY: 0; ADDITIONAL: 1
;; EDNS PSEUDOSECTION:
;; Version: 0; flags: do; UDP size: 4096 B; ext-rcode: Unused
;; QUESTION SECTION
af.mil. DNSKEY
[18568.08][iter] <= rcode: NOERROR
[18568.08][vldr] <= parent: updating DNSKEY
[18568.08][vldr] <= answer valid, OK
[18568.08][cach] => stashed af.mil. DNSKEY, rank 060, 1930 B total, incl. 3 RRSIGs
[18568.08][resl] <= server: '132.3.41.10' rtt: 166 ms
[18568.06][iter] 'us.af.mil.' type 'MX' new uid was assigned .09, parent uid .00
[18568.09][resl] => id: '35369' querying: '132.3.13.10#00053' score: 10 zone cut: 'af.mil.' qname: 'US.af.mil.' qtype: 'MX' proto: 'udp'
[18568.09][resl] => id: '35369' querying: '132.3.65.10#00053' score: 10 zone cut: 'af.mil.' qname: 'US.af.mil.' qtype: 'MX' proto: 'udp'
[18568.09][iter] <= answer received:
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 35369
;; Flags: qr aa cd QUERY: 1; ANSWER: 11; AUTHORITY: 0; ADDITIONAL: 1
;; EDNS PSEUDOSECTION:
;; Version: 0; flags: do; UDP size: 4096 B; ext-rcode: Unused
;; QUESTION SECTION
us.af.mil. MX
;; ANSWER SECTION
us.af.mil. 76 MX 20 wpafb-mail8.afnoc.af.mil.
us.af.mil. 76 MX 20 wpafb-mail5.afnoc.af.mil.
us.af.mil. 76 MX 10 pri-usaf-eemsg.eemsg.mail.mil.
us.af.mil. 76 MX 20 wpafb-mail6.afnoc.af.mil.
us.af.mil. 76 MX 20 scott-mail6.afnoc.af.mil.
us.af.mil. 76 MX 20 scott-mail5.afnoc.af.mil.
us.af.mil. 76 MX 20 scott-mail7.afnoc.af.mil.
us.af.mil. 76 MX 20 wpafb-mail7.afnoc.af.mil.
us.af.mil. 76 MX 20 wpafb-mail4.afnoc.af.mil.
us.af.mil. 76 MX 20 scott-mail8.afnoc.af.mil.
us.af.mil. 76 MX 20 scott-mail4.afnoc.af.mil.
[18568.09][iter] <= rcode: NOERROR
[18568.09][vldr] >< cut changed, needs revalidation
[18568.09][resl] <= server: '132.3.13.10' rtt: 297 ms
[18568.09][resl] <= server: '132.3.65.10' rtt: >= 97 ms
[18568.09][resl] => resuming yielded answer
[18568.09][vldr] >< no valid RRSIGs found: us.af.mil. MX (0 matching RRSIGs, 0 expired, 0 not yet valid, 0 invalid signer, 0 invalid label count, 0 invalid key, 0 invalid crypto, 0 invalid NSEC)
[18568.09][plan] plan 'us.af.mil.' type 'RRSIG' uid [18568.10]
[18568.10][iter] 'us.af.mil.' type 'RRSIG' new uid was assigned .11, parent uid .09
[18568.11][cach] => skipping RR type RRSIG
[18568.11][resl] => id: '57125' querying: '132.3.25.10#00053' score: 10 zone cut: 'af.mil.' qname: 'uS.af.MiL.' qtype: 'RRSIG' proto: 'udp'
[18568.11][iter] <= answer received:
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 57125
;; Flags: qr aa ad cd QUERY: 1; ANSWER: 0; AUTHORITY: 0; ADDITIONAL: 1
;; EDNS PSEUDOSECTION:
;; Version: 0; flags: do; UDP size: 4096 B; ext-rcode: Unused
;; QUESTION SECTION
us.af.mil. RRSIG
[18568.11][iter] <= rcode: NOERROR
[18568.11][vldr] >< cut changed, needs revalidation
[18568.11][resl] <= server: '132.3.25.10' rtt: 56 ms
[18568.11][resl] => resuming yielded answer
[18568.11][vldr] <= bad NODATA proof
[18568.11][cach] => skipping RR type RRSIG
[18568.11][resl] finished: 8, queries: 2, mempool: 114752 B
- Petr Špaček changed milestone to %5.2.0
- Author Contributor
Requires bigger changes in validator, moving to %5.2.0.
- Owner
For affected operators the best work-arounds I see configurable for particular names are either:
- forwarding, e.g.
  policy.add(policy.suffix(policy.FORWARD({'9.9.9.9'}), policy.todnames({'us.af.mil.', 'foo.example.net.'})))
  (TLS_FORWARD variant)
- DNSSEC downgrade but it has to be done a bit higher than the failing name itself
  trust_anchors.set_insecure({ 'af.mil', 'example.net' })
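A triage sketch for operators deciding which names need the work-arounds above (an added example, not part of the thread and not Knot Resolver code): it scans verbose log lines for the sequence visible in the log earlier in this issue, where an answer with 0 matching RRSIGs leads to an RRSIG sub-query and then to "bad NODATA proof". The function name, the second request in the sample and the assumption of one log entry per line are assumptions of this example.

```python
import re

# Constructed sample in the verbose-log format quoted in this issue, one entry per line.
# Request 18568 mirrors the failing us.af.mil. lookup; request 20001 is a made-up
# lookup that carries an (expired) signature and must not be reported.
SAMPLE_LOG = """\
[18568.09][vldr] >< cut changed, needs revalidation
[18568.09][vldr] >< no valid RRSIGs found: us.af.mil. MX (0 matching RRSIGs, 0 expired, 0 not yet valid, 0 invalid signer, 0 invalid label count, 0 invalid key, 0 invalid crypto, 0 invalid NSEC)
[18568.09][plan] plan 'us.af.mil.' type 'RRSIG' uid [18568.10]
[18568.11][vldr] <= bad NODATA proof
[20001.03][vldr] >< no valid RRSIGs found: signed.example. A (1 matching RRSIGs, 1 expired, 0 not yet valid, 0 invalid signer, 0 invalid label count, 0 invalid key, 0 invalid crypto, 0 invalid NSEC)
[20001.03][plan] plan 'signed.example.' type 'RRSIG' uid [20001.04]
[20001.05][vldr] <= answer valid, OK
"""

ENTRY = re.compile(r"^\[(\d+)\.\d+\]\[\w+\]\s*(.*)$")
NO_SIG = re.compile(r"no valid RRSIGs found: (\S+) (\S+) \((\d+) matching RRSIGs")
RRSIG_PLAN = re.compile(r"plan '([^']+)' type 'RRSIG'")


def find_unsigned_answer_failures(lines):
    """Return (request id, name, qtype) for requests that follow the pattern
    unsigned answer -> RRSIG sub-query -> bad NODATA proof."""
    unsigned = {}  # request id -> {name: qtype} answered with 0 matching RRSIGs
    planned = {}   # request id -> names for which an RRSIG sub-query was planned
    hits = []
    for line in lines:
        m = ENTRY.match(line.strip())
        if not m:
            continue  # DNS message dump lines (";; ...") and resource records
        req, msg = m.groups()
        if (s := NO_SIG.search(msg)) and int(s.group(3)) == 0:
            unsigned.setdefault(req, {})[s.group(1)] = s.group(2)
        elif (p := RRSIG_PLAN.search(msg)) and p.group(1) in unsigned.get(req, {}):
            planned.setdefault(req, set()).add(p.group(1))
        elif "bad NODATA proof" in msg:
            for name in sorted(planned.pop(req, ())):
                hits.append((req, name, unsigned[req][name]))
    return hits


if __name__ == "__main__":
    for req, name, qtype in find_unsigned_answer_failures(SAMPLE_LOG.splitlines()):
        print(f"request {req}: {name} {qtype} answered unsigned, validation failed")
```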
- Vladimír Čunát mentioned in merge request !1020 (merged)
- Petr Špaček mentioned in issue #587 (closed)
- Vladimír Čunát removed milestone
- Petr Špaček closed via merge request !1020 (merged)
- Petr Špaček mentioned in commit 360c58f5