qname minimisation towards a forward that also uses qname minimisation
I use knot-resolver on my Turris Omnia and used to (TLS) forward all queries to Cloudflare. Now I encountered a hostname, if63n.sitelockcdn.net, where the nameserver claims not to be authoritative:
dig NS sitelockcdn.net. @ns1.incapdns.net
; <<>> DiG 9.16.6 <<>> NS sitelockcdn.net. @ns1.incapdns.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOTAUTH, id: 34638
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;sitelockcdn.net. IN NS
;; Query time: 0 msec
When asking kresd the same question, one gets a SERVFAIL as expected. However, with the forward in place, kresd will get the SERVFAIL from Cloudflare and return the SERVFAIL to the client. For the logs please see here:
nowork.txt
And logs for when not using a forward.
works.txt
I'm not sure what the solution should be. I would guess adding an option to disable qname minimisation for forwards would be one way to solve it. However someone more familiar with the inner workings of knot-resolver might have a better idea.
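To make the failure mode concrete, here is an added toy model (not code from the issue or from the knot-resolver project) of a QNAME-minimising walk against a constructed fake authoritative server that answers the full name but replies NOTAUTH to the intermediate NS query, as observed above. It contrasts a strict walk, which gives up on the unexpected rcode, with a walk that falls back to the full query; the zone data and the `fake_query`, `minimised_names` and `resolve` helpers are assumptions for illustration and do not describe how kresd actually behaves.

```python
# Toy model of QNAME minimisation (RFC 7816 style) hitting a NOTAUTH on an
# intermediate name. Constructed data; not knot-resolver's real logic.
NOERROR, SERVFAIL, NXDOMAIN, NOTAUTH = 0, 2, 3, 9

# Constructed fake authoritative data: rcode returned per (qname, qtype).
# Mirrors the observed case: the full name resolves, but the intermediate
# NS question for sitelockcdn.net. is answered with NOTAUTH.
FAKE_AUTH = {
    ("net.", "NS"): NOERROR,
    ("sitelockcdn.net.", "NS"): NOTAUTH,
    ("if63n.sitelockcdn.net.", "A"): NOERROR,
}


def fake_query(qname, qtype):
    """Return the rcode the constructed server gives for this question."""
    return FAKE_AUTH.get((qname, qtype), NXDOMAIN)


def minimised_names(fqdn):
    """Yield the names a minimising resolver asks for, shortest first."""
    labels = fqdn.rstrip(".").split(".")
    for i in range(len(labels) - 1, -1, -1):
        yield ".".join(labels[i:]) + "."


def resolve(fqdn, qtype, fallback_on_error):
    """Walk the name with minimised NS queries; return (final_rcode, trace).

    fallback_on_error=False models a strict walk that fails on any rcode
    other than NOERROR/NXDOMAIN at an intermediate step (the SERVFAIL seen
    by the client). True models re-asking the full question instead.
    """
    trace = []
    for name in minimised_names(fqdn):
        # The last step asks the real question; earlier steps ask for NS.
        rc = fake_query(name, qtype if name == fqdn else "NS")
        trace.append((name, rc))
        if rc == NOERROR:
            continue
        if rc == NXDOMAIN:
            return NXDOMAIN, trace  # a genuinely non-existent ancestor
        if fallback_on_error:
            rc = fake_query(fqdn, qtype)  # retry with the full name
            trace.append((fqdn, rc))
            return rc, trace
        return SERVFAIL, trace
    return trace[-1][1], trace
```

Running `resolve("if63n.sitelockcdn.net.", "A", fallback_on_error=False)` reproduces the SERVFAIL, while the same call with `fallback_on_error=True` ends in NOERROR after the NOTAUTH step.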