Infinite resolution loop
Hello,
I have found a case where there is an infinite recursion on DNS resolution in your product, leading to SERVFAIL responses.
Our DNS server is configured to resolve the wildcard *.customers.company.tld as a CNAME to customers.company.tld, which itself resolves to an A record (IP address). This configuration works everywhere else in the world, but it does not when using knot-resolver (tested with 5.5.3 and 5.6.0).
We have another domain that resolves the same kind of wildcard directly to an IP address, with the same behavior.
Here is a log extract for the DNS resolution of selftest.customers.company.tld:
[plan ][00000.00] plan 'selftest.customers.company.tld.' type 'A' uid [64792.00]
[iterat][64792.00] 'selftest.customers.company.tld.' type 'A' new uid was assigned .01, parent uid .00
[cache ][64792.01] => no NSEC* cached for zone: company.tld.
[cache ][64792.01] => skipping zone: company.tld., NSEC, hash 0;new TTL -123456789, ret -2
[cache ][64792.01] => skipping zone: company.tld., NSEC, hash 0;new TTL -123456789, ret -2
[zoncut][64792.01] found cut: company.tld. (rank 002 return codes: DS 0, DNSKEY 0)
[select][64792.01] => id: '51966' choosing from addresses: 2 v4 + 0 v6; names to resolve: 0 v4 + 2 v6; force_resolve: 0; NO6: IPv6 is KO
[select][64792.01] => id: '51966' choosing: 'ns2.company.tld.'@'999.999.999.999#00053' with timeout 21 ms zone cut: 'company.tld.'
[resolv][64792.01] => id: '51966' querying: 'ns2.company.tld.'@'999.999.999.999#00053' zone cut: 'company.tld.' qname: 'CUsTOmerS.company.tld.' qtype: 'NS' proto: 'udp'
[select][64792.01] => id: '51966' updating: 'ns2.company.tld.'@'999.999.999.999#00053' zone cut: 'company.tld.' with rtt 3 to srtt: 1 and variance: 1
[iterat][64792.01] <= rcode: NOERROR
[iterat][64792.01] <= continuing with qname minimization
[iterat][64792.01] 'selftest.customers.company.tld.' type 'A' new uid was assigned .02, parent uid .00
[plan ][64792.02] plan 'customers.company.tld.' type 'DS' uid [64792.03]
[iterat][64792.03] 'customers.company.tld.' type 'DS' new uid was assigned .04, parent uid .02
[cache ][64792.04] => satisfied by exact packet: rank 060, new TTL 32464
[iterat][64792.04] <= rcode: NOERROR
[valdtr][64792.04] <= parent: updating DS
[valdtr][64792.04] <= answer valid, OK
[iterat][64792.02] 'selftest.customers.company.tld.' type 'A' new uid was assigned .05, parent uid .00
[plan ][64792.05] plan 'customers.company.tld.' type 'DS' uid [64792.06]
[iterat][64792.06] 'customers.company.tld.' type 'DS' new uid was assigned .07, parent uid .05
[cache ][64792.07] => satisfied by exact packet: rank 060, new TTL 32464
[iterat][64792.07] <= rcode: NOERROR
[valdtr][64792.07] <= parent: updating DS
[valdtr][64792.07] <= answer valid, OK
[iterat][64792.05] 'selftest.customers.company.tld.' type 'A' new uid was assigned .08, parent uid .00
....
[plan ][64792.149] plan 'customers.company.tld.' type 'DS' uid [64792.150]
[iterat][64792.150] 'customers.company.tld.' type 'DS' new uid was assigned .151, parent uid .149
[cache ][64792.151] => satisfied by exact packet: rank 060, new TTL 32464
[iterat][64792.151] <= rcode: NOERROR
[valdtr][64792.151] <= parent: updating DS
[valdtr][64792.151] <= answer valid, OK
[worker][64792.149] cancelling query due to exceeded iteration count limit of 100
[resolv][64792.151] AD: request NOT classified as SECURE
[resolv][64792.149] finished in state: 8, queries: 50, mempool: 98400 B
The knot configuration file is the default config.docker file.
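The log above shows the same sub-query (`customers.company.tld.` type `DS`) being planned over and over inside one request until the iteration limit of 100 cancels it and the client gets SERVFAIL. The following analyzer is an added example, not part of the report and not Knot Resolver code: it scans resolver log lines in the format shown above, counts how often each (qname, qtype) is planned under a single request id, and flags requests that either repeat a sub-query beyond a threshold or hit the iteration limit. The sample lines are constructed in the style of the report (names and request ids are illustrative), and the repeat threshold of 3 is an arbitrary assumption.

```python
import re
from collections import Counter, defaultdict

# Matches lines like:
#   [plan ][64792.02] plan 'customers.company.tld.' type 'DS' uid [64792.03]
# The request id is taken from the uid field, so the first plan line of a
# request (prefixed [00000.00]) is attributed to the right request.
PLAN_RE = re.compile(
    r"^\[plan\s*\]\[[\d.]+\] plan '(?P<qname>[^']+)' type '(?P<qtype>[A-Z0-9]+)' "
    r"uid \[(?P<req>\d+)\.\d+\]"
)
# Matches the cancellation line emitted when the iteration limit is exceeded.
CANCEL_RE = re.compile(
    r"^\[worker\]\[(?P<req>\d+)\.\d+\] cancelling query due to exceeded "
    r"iteration count limit of (?P<limit>\d+)"
)

# Constructed sample log (modelled on the format in the report, not real data).
SAMPLE_LOG = """\
[plan ][00000.00] plan 'selftest.customers.company.tld.' type 'A' uid [64792.00]
[plan ][64792.02] plan 'customers.company.tld.' type 'DS' uid [64792.03]
[cache ][64792.04] => satisfied by exact packet: rank 060, new TTL 32464
[plan ][64792.05] plan 'customers.company.tld.' type 'DS' uid [64792.06]
[plan ][64792.08] plan 'customers.company.tld.' type 'DS' uid [64792.09]
[plan ][64792.11] plan 'customers.company.tld.' type 'DS' uid [64792.12]
[worker][64792.149] cancelling query due to exceeded iteration count limit of 100
[resolv][64792.149] finished in state: 8, queries: 50, mempool: 98400 B
[plan ][00000.00] plan 'www.example.org.' type 'A' uid [70001.00]
[plan ][70001.02] plan 'example.org.' type 'DS' uid [70001.03]
[resolv][70001.02] finished in state: 4, queries: 3, mempool: 12000 B
"""


def analyze(log_text, repeat_threshold=3):
    """Return, per request id, the sub-queries planned at least
    repeat_threshold times and whether the iteration limit was hit."""
    plans = defaultdict(Counter)  # request id -> Counter of (qname, qtype)
    cancelled = {}                # request id -> iteration limit that was hit
    for line in log_text.splitlines():
        m = PLAN_RE.match(line)
        if m:
            plans[m["req"]][(m["qname"], m["qtype"])] += 1
            continue
        m = CANCEL_RE.match(line)
        if m:
            cancelled[m["req"]] = int(m["limit"])

    report = {}
    for req in sorted(set(plans) | set(cancelled)):
        repeated = sorted(
            (qname, qtype, n)
            for (qname, qtype), n in plans[req].items()
            if n >= repeat_threshold
        )
        report[req] = {
            "repeated": repeated,          # [(qname, qtype, times planned), ...]
            "cancelled": req in cancelled, # True if the iteration limit was hit
            "limit": cancelled.get(req),   # the limit value, or None
        }
    return report


def suspicious_requests(log_text, repeat_threshold=3):
    """Request ids that looped on a sub-query or were cancelled by the limit."""
    return [
        req for req, info in analyze(log_text, repeat_threshold).items()
        if info["repeated"] or info["cancelled"]
    ]


if __name__ == "__main__":
    for req, info in analyze(SAMPLE_LOG).items():
        print(req, info)
    print("suspicious:", suspicious_requests(SAMPLE_LOG))
```

Run it against a real `kresd` log with verbose logging enabled to find requests that spin on the same sub-query before the limit cancels them; a consistent hit on one zone is the signature of the loop described in this report rather than a transient upstream problem.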