A and ANY queries give conflicted results

I put in an A record for "badsig.dane.xelerance.com." with the intention of putting
a bad "dane TLSA" record in there. So contrary to the name, the RRSIG for "badsig" is
fine.

But unbound (1.4.8) gives me:

[paul@bofh pri]$ dig +dnssec a badsig.dane.xelerance.com.

; <<>> DiG 9.7.3-RedHat-9.7.3-1.fc14 <<>> +dnssec a badsig.dane.xelerance.com.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14663
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;badsig.dane.xelerance.com. IN A

;; AUTHORITY SECTION:
xelerance.com. 1843 IN SOA ns1.xelerance.net. hostmaster.xelerance.com. 2011041269 18000 3600 864000 3600
xelerance.com. 1843 IN RRSIG SOA 5 2 3600 20110505082418 20110412193207 52862 xelerance.com. AjMgXLIoxiKF96CuFAi1xIKDBOmUSj1gDUP8x6IA/dupfBfSf2IJ7vZB r1Mk9l3dSlvfGqWrKZoAkb7hBe65aVdxWPNF/haBHycteofzXBLp48C4 ur06uhu6JgFT6lK40xEYV40O+3TPOgtiMyThSdZhUxHbQT4hN826+QXu ZCk=
_443._tcp.dane.xelerance.com. 1537 IN NSEC _443._tcp.badsig.dane.xelerance.com. RRSIG NSEC TYPE65468
_443._tcp.dane.xelerance.com. 1537 IN RRSIG NSEC 5 5 3600 20110508195703 20110412150206 52862 xelerance.com. S29Q/B0lQXq5panQv0utkdluaNzHZ2bYhqjrxQDb5QBv8KOn5WpwxG+c 5ZPBJPLIM7pVcheb88VjLaybUSfDygeazrz0kucF1XW+N8mvqbGLA8bF 4NtYD/GcBAzq6zaDFkq5azPp42zLlmROyUlxbHGQr2xBOd0QL8lu7Pzt nx4=

;; Query time: 115 msec
;; SERVER: 193.110.157.136#53(193.110.157.136)
;; WHEN: Tue Apr 12 17:03:32 2011
;; MSG SIZE rcvd: 557

So this tells me the record does not exist. But when I do an ANY query:

[paul@bofh pri]$ dig +dnssec any badsig.dane.xelerance.com.

; <<>> DiG 9.7.3-RedHat-9.7.3-1.fc14 <<>> +dnssec any badsig.dane.xelerance.com.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50885
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 5, ADDITIONAL: 5

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;badsig.dane.xelerance.com. IN ANY

;; ANSWER SECTION:
badsig.dane.xelerance.com. 3505 IN A 193.110.157.151
badsig.dane.xelerance.com. 3505 IN RRSIG A 5 4 3600 20110505101649 20110412193207 52862 xelerance.com. nal4M2CFZCFpYD8fGdM2UN/nVhoI6W7wbKSx7IfqR6hHu6GyEnFckG7I IGgOUeKW69vVk19ZpNcxZFCPjxjjOizLdbn5ZpzmiPwKLrYMt9rVb740 /Wm3Um69tyP79DiNFFdx1j02C6jL8DAGhpFlHaTDL5YxTQadUDyQy7hj qH0=
badsig.dane.xelerance.com. 3505 IN NSEC _443._tcp.badsig.dane.xelerance.com. A RRSIG NSEC
badsig.dane.xelerance.com. 3505 IN RRSIG NSEC 5 4 3600 20110507165524 20110412193207 52862 xelerance.com. MBZf648QzxlK3iGVG9rIEbMaPfHVYX3cF/NdsJpUmNAue8UyES5XqXM2 7+fvNhMhWLNfzjR0uek+H0L/KDqmsETziiV+4P7W90/kdvyk23b6E0+l F8f9o1cjbpWS6NgzdLYl3u6xE3mIedg8Zj94yUkDO7IPg8wG9DWKPrIY Lbw=

;; AUTHORITY SECTION:
xelerance.com. 1222 IN NS ns0.xelerance.nl.
xelerance.com. 1222 IN NS ns1.xelerance.net.
xelerance.com. 1222 IN NS ns2.xelerance.org.
xelerance.com. 1222 IN NS ns3.xelerance.com.
xelerance.com. 1222 IN RRSIG NS 5 2 3600 20110504211948 20110407132406 52862 xelerance.com. GFOJpCG0wnC65zdaKU3wBab3H9yACG84B+47jXdfGigcspDx8Ro8+qGH daQCVQLTZP92f549qA5j3JnwqmISQIUyaF7acDGY+1h65G9xyZCt7xNV X7bLPXLQbJ63OMkAYG00+tyg6tAtxLLStvOCsbVTfvUkCm5M5VhbaDJM jQE=

;; ADDITIONAL SECTION:
ns3.xelerance.com. 1222 IN A 65.18.175.19
ns3.xelerance.com. 1222 IN AAAA 2607:f7d0:403:1::1
ns3.xelerance.com. 1222 IN RRSIG A 5 3 3600 20110505112452 20110411195206 52862 xelerance.com. SidtyN0Jp51ftbmTB6U4euk/BtTiP8u3bNz6KfnYUmJCc++LPdgc0Bxa +0JCXzw0nkZUWBdBOTfuiBw+Xiz7S1Nw0FPtVdXegj/E/1VQPzaWguiA aFYRVB3tKwSc9swNGacdGmuGYmTJIT/174dfgVmSKfHzSrm15BK2O+S6 Y/I=
ns3.xelerance.com. 1222 IN RRSIG AAAA 5 3 3600 20110430162655 20110405051806 52862 xelerance.com. l+dlkSzDLwGYeic3azZEJijlP6CGNA9syaUj9B5UdTlsMTNU1arhO26s Dwg3PQjK/OcyXWAopjKLkbvX8+LL3+IU7H5VnRca6+EVxH/jkjqm52U/ lMJSSuCjDob31TXH9zR9bJcnA7noLFgcQQm653PZea7GwKQE1r1gxVoP KI4=

;; Query time: 116 msec
;; SERVER: 193.110.157.136#53(193.110.157.136)
;; WHEN: Tue Apr 12 17:03:40 2011
;; MSG SIZE rcvd: 1146

Now it exists?

Note that nsd is serving the record fine:

[paul@bofh pri]$ dig +dnssec a badsig.dane.xelerance.com. @ns0.xelerance.net

; <<>> DiG 9.7.3-RedHat-9.7.3-1.fc14 <<>> +dnssec a badsig.dane.xelerance.com. @ns0.xelerance.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61386
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 5
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;badsig.dane.xelerance.com. IN A

;; ANSWER SECTION:
badsig.dane.xelerance.com. 3600 IN A 193.110.157.151
badsig.dane.xelerance.com. 3600 IN RRSIG A 5 4 3600 20110505101649 20110412193207 52862 xelerance.com. nal4M2CFZCFpYD8fGdM2UN/nVhoI6W7wbKSx7IfqR6hHu6GyEnFckG7I IGgOUeKW69vVk19ZpNcxZFCPjxjjOizLdbn5ZpzmiPwKLrYMt9rVb740 /Wm3Um69tyP79DiNFFdx1j02C6jL8DAGhpFlHaTDL5YxTQadUDyQy7hj qH0=

I have a copy of the cache at the time, and an unbound-host output if that would help.

After restarting unbound, the record worked as expected.

Paul

Hi Paul,

> I put in an A record for "badsig.dane.xelerance.com." with the intention of
> putting a bad "dane TLSA" record in there. So contrary to the name, the RRSIG
> for "badsig" is fine.
>
> But unbound (1.4.8) gives me:
>
> [paul@bofh pri]$ dig +dnssec a badsig.dane.xelerance.com.
> ;; AUTHORITY SECTION:
> xelerance.com. 1843 IN SOA ns1.xelerance.net.
> hostmaster.xelerance.com. 2011041269 18000 3600 864000 3600
> xelerance.com. 1843 IN RRSIG SOA 5 2 3600 20110505082418
>
> So this tells me the record does not exist. But when I do an ANY query:
>
> [paul@bofh pri]$ dig +dnssec any badsig.dane.xelerance.com.
> ;; ANSWER SECTION:
> badsig.dane.xelerance.com. 3505 IN A 193.110.157.151
> badsig.dane.xelerance.com. 3505 IN RRSIG A 5 4 3600
> 20110505101649 20110412193207 52862 xelerance.com.
>
> I have a copy of the cache at the time, and an unbound-host output if
> that would help.
>
> After restarting unbound, the record worked as expected.

You have a TTL issue. The 'wrong' response is 1800 seconds ago. The
right response is 95 seconds ago. Restart cleared the cache, and your
problem is gone. This is simply TTL happening.

Unbound does not synthesize from the cache, so it will repeat the
response from the authority server. So, it gets the new A record as
part of the ANY query, but does not synthesize 'A' responses to clients
with it, instead using the message that it got (1800 seconds) before.

Best regards,
   Wouter
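
To make the explanation above concrete, here is an added example in Python (not code from the thread or from unbound): it recovers the cache ages from the RRSIG original-TTL field of the dig output quoted earlier, and replays the timeline with a toy per-message cache that never synthesizes an A answer from what an ANY query fetched. The zone contents, the timestamps and the "NEGATIVE" label are constructed for the example.

```python
import re

# Constructed sample: the two RRSIG lines quoted from the dig outputs above
# (signature data shortened). Column 2 is the TTL left in unbound's cache;
# the 4th RDATA field of an RRSIG is the original TTL set at signing time.
CACHED_LINES = """\
xelerance.com. 1843 IN RRSIG SOA 5 2 3600 20110505082418 20110412193207 52862 xelerance.com. AjMg...
badsig.dane.xelerance.com. 3505 IN RRSIG A 5 4 3600 20110505101649 20110412193207 52862 xelerance.com. nal4...
"""
RRSIG_RE = re.compile(r"^\S+\s+(\d+)\s+IN\s+RRSIG\s+(\S+)\s+\d+\s+\d+\s+(\d+)\s")


def cache_ages(dig_text):
    """Covered type -> seconds since the resolver fetched that RRset. The cached
    TTL counts down but the RRSIG original TTL does not, so original - remaining
    is the age of the copy (the 'about 1800 s' and '95 s' figures in the reply)."""
    ages = {}
    for line in dig_text.splitlines():
        m = RRSIG_RE.match(line)
        if m:
            remaining, covered, original = m.groups()
            ages[covered] = int(original) - int(remaining)
    return ages


def replay_thread():
    """Timeline from the thread: negative A answer cached, record added later,
    ANY fetches fresh and sees it, A keeps the cached negative until expiry."""
    zone = {}                                  # constructed zone, type -> rdata
    messages = {}                              # qtype -> (answer, expiry)

    def authority(qtype):                      # every answer carries a 3600 s TTL
        if qtype == "ANY":
            return dict(zone) or "NEGATIVE"
        return zone.get(qtype, "NEGATIVE")

    def query(qtype, now):
        hit = messages.get(qtype)
        if hit and hit[1] > now:
            return hit[0]                      # whole cached message wins, no synthesis
        answer = authority(qtype)
        messages[qtype] = (answer, now + 3600)
        return answer

    first = query("A", now=0)                  # negative answer cached for 3600 s
    zone["A"] = "193.110.157.151"              # A record added to the zone afterwards
    seen_by_any = query("ANY", now=1670)       # fresh lookup, sees the new A
    still_negative = query("A", now=1757)      # old message still within its TTL
    after_expiry = query("A", now=3601)        # entry expired, refetch finds the A
    return first, seen_by_any, still_negative, after_expiry
```

Restarting unbound corresponds to emptying `messages`, which is why the record "worked as expected" immediately afterwards.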

That's surprising, but at least we know it's a feature and not a bug :)

Paul