Rcode: REFUSED with NSD behind Unbound

Hi guys!

I'm facing a problem with NSD behind Unbound. What I want to
achieve is to have Unbound acting as a resolver for my LAN but
with some stub-zones for my local zones.

My setup is the following:

* OpenBSD 6.3 - dns1.doe.com (master)
Unbound listening on 10.10.11.13@53
NSD listening on 10.10.11.13@5353

* OpenBSD 6.3 - dns2.doe.com (slave)
Unbound listening on 10.10.11.14@53
NSD listening on 10.10.11.14@5353

## Unbound

Here is my Unbound configuration:

server:
        interface: 10.10.11.13
        interface: 127.0.0.1
        interface: ::1

        verbosity: 5
        do-not-query-localhost: no

        access-control: 0.0.0.0/0 refuse
        access-control: 127.0.0.0/8 allow_snoop
        access-control: 10.10.11.0/24 allow_snoop
        access-control: ::0/0 refuse
        access-control: ::1 allow_snoop

        hide-identity: yes
        hide-version: yes

        auto-trust-anchor-file: "/var/unbound/db/root.key"

local-zone: "11.10.10.in-addr.arpa" typetransparent

stub-zone:
        name: "11.10.10.in-addr.arpa"
        stub-addr: 10.10.11.13@5353

stub-zone:
        name: "doe.com"
        stub-addr: 10.10.11.13@5353

## NSD

Here is the NSD configuration:

server:
        hide-version: yes
        verbosity: 3
        database: "" # disable database
        logfile: "/var/log/nsd.log"

## bind to a specific address/port
        ip-address: 10.10.11.13@5353
        ip-address: 127.0.0.1@5353

remote-control:
        control-enable: yes
        control-port: 8953

## tsig key example
key:
        name: "dns01.doe.com"
        secret: "XXXXXXXXXXXXXXXXXXXXXXXXX"

pattern:
        name: "talktoslave"
        notify: 10.10.11.14 dns01.doe.com
        provide-xfr: 10.10.11.14 dns01.doe.com
        outgoing-interface: 10.10.11.13

zone:
        name: "11.10.10.in-addr.arpa"
        zonefile: "%s"
        include-pattern: "talktoslave"

zone:
        name: "doe.com-internal"
        zonefile: "%s"
        include-pattern: "talktoslave"

Now when I try to resolve john.doe.com:

$ dig @10.10.11.13 john.doe.com

; <<>> DiG 9.4.2-P2 <<>> @10.10.11.13 john.doe.com
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 16717
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;john.doe.com. IN A

;; Query time: 11 msec
;; SERVER: 10.10.11.13#53(10.10.11.13)
;; WHEN: Wed Jul 25 07:52:41 2018
;; MSG SIZE rcvd: 31

And if I look into the logs I'm getting:

Jul 25 06:17:56 dns01 unbound: [39653:0] info: validator operate: query john.doe.com. A IN
Jul 25 06:17:56 dns01 unbound: [39653:0] info: resolving john.doe.com. A IN
Jul 25 06:17:56 dns01 unbound: [39653:0] info: use stub doe.com. NS IN
Jul 25 06:17:56 dns01 unbound: [39653:0] info: DelegationPoint<doe.com.>: 0 names (0 missing), 1 addrs (0 result, 1 avail) parentNS
Jul 25 06:17:56 dns01 unbound: [39653:0] info: resolving (init part 2): john.doe.com. A IN
Jul 25 06:17:56 dns01 unbound: [39653:0] info: use stub doe.com. NS IN
Jul 25 06:17:56 dns01 unbound: [39653:0] info: resolving (init part 3): john.doe.com. A IN
Jul 25 06:17:56 dns01 unbound: [39653:0] info: processQueryTargets: john.doe.com. A IN
Jul 25 06:17:56 dns01 unbound: [39653:0] info: DelegationPoint<doe.com.>: 0 names (0 missing), 1 addrs (0 result, 1 avail) parentNS
Jul 25 06:17:56 dns01 unbound: [39653:0] info: sending query: john.doe.com. A IN
Jul 25 06:17:56 dns01 unbound: [39653:0] info: mesh_run: end 1 recursion states (1 with reply, 0 detached), 1 waiting replies, 1 recursion replies sent, 0 replies dropped, 0 states jostled out
Jul 25 06:17:56 dns01 unbound: [39653:0] info: average recursion processing time 0.006881 sec
Jul 25 06:17:56 dns01 unbound: [39653:0] info: histogram of recursion processing times
Jul 25 06:17:56 dns01 unbound: [39653:0] info: [25%]=0 median[50%]=0 [75%]=0
Jul 25 06:17:56 dns01 unbound: [39653:0] info: lower(secs) upper(secs) recursions
Jul 25 06:17:56 dns01 unbound: [39653:0] info: 0.004096 0.008192 1
Jul 25 06:17:56 dns01 unbound: [39653:0] info: 0RDd mod1 rep john.doe.com. A IN
Jul 25 06:17:56 dns01 unbound: [39653:0] info: iterator operate: query john.doe.com. A IN
Jul 25 06:17:56 dns01 unbound: [39653:0] info: scrub for doe.com. NS IN
Jul 25 06:17:56 dns01 unbound: [39653:0] info: response for john.doe.com. A IN
Jul 25 06:17:56 dns01 unbound: [39653:0] info: reply from <doe.com.> 10.10.11.13#5353
Jul 25 06:17:56 dns01 unbound: [39653:0] info: incoming scrubbed packet: ;; ->>HEADER<<- opcode: QUERY, rcode: REFUSED, id: 0 ;; flags: qr ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: john.doe.com. IN A ;; ANSWER SECTION: ;; AUTHORITY SECTION: ;; ADDITIONAL SECTION: ;; MSG SIZE rcvd: 31
Jul 25 06:17:56 dns01 unbound: [39653:0] info: query response was THROWAWAY
Jul 25 06:17:56 dns01 unbound: [39653:0] info: processQueryTargets: john.doe.com. A IN

Do you guys know why I get a "rcode: REFUSED" here?

Thanks,

Hi Tristan,

In your nsd.conf you have a mistake in the zone name:

name: "doe.com-internal"

But that makes a zone "doe.com-internal" and not "doe.com". Unbound queries for doe.com, and that zone is not hosted by the NSD instances, and thus it returned REFUSED.

Best regards, Wouter

Hi Tristan,

zone:
        name: "doe.com-internal"
        zonefile: "%s"
        include-pattern: "talktoslave"

In your NSD config, you've defined a zone called "doe.com-internal". So
when NSD receives a query for "doe.com", it doesn't know this zone, and
returns a REFUSED response. Change that "name" parameter to "doe.com".

Regards,
Anand
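Both answers point at the same thing: NSD answers REFUSED when it serves no zone at or above the queried name, and "doe.com-internal" is a different zone than "doe.com" (a label-wise comparison, not a string prefix). The check below is an added example, not code from the thread or from NLnet Labs: it parses the "zone:" clauses of an nsd.conf and the "stub-zone:" clauses of an unbound.conf with a deliberately small parser (enough for the indented "key: value" layout, not the full grammar), verifies that every stub-addr is an NSD ip-address and that every stub-zone name is a zone NSD serves, and simulates which zone (if any) NSD would answer a given qname from. The embedded configs are constructed copies of the relevant parts of the post.

```python
"""Cross-check Unbound stub-zones against the zones an NSD instance serves.

Added example (not from the mailing-list thread or from NLnet Labs). The
parser only understands the 'clause:' / indented 'option: value' layout of
nsd.conf and unbound.conf; it is not a full grammar for either file.
"""
import re

# Constructed sample: the relevant parts of the poster's two configs.
UNBOUND_CONF = """
server:
        interface: 10.10.11.13
stub-zone:
        name: "11.10.10.in-addr.arpa"
        stub-addr: 10.10.11.13@5353
stub-zone:
        name: "doe.com"
        stub-addr: 10.10.11.13@5353
"""

NSD_CONF = """
server:
        ip-address: 10.10.11.13@5353   # NSD on its own port behind Unbound
        ip-address: 127.0.0.1@5353
zone:
        name: "11.10.10.in-addr.arpa"
        zonefile: "%s"
zone:
        name: "doe.com-internal"        # the typo from the post
        zonefile: "%s"
"""

CLAUSE_RE = re.compile(r"^([\w-]+):\s*$")           # e.g. 'zone:' / 'stub-zone:'
OPTION_RE = re.compile(r"^\s*([\w-]+):\s*(.+?)\s*$")  # e.g. '  name: "doe.com"'


def parse_clauses(text):
    """Return [(clause_name, {option: [values]})] in file order; '#' comments dropped."""
    clauses, current = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        m = CLAUSE_RE.match(line)
        if m:
            current = (m.group(1), {})
            clauses.append(current)
            continue
        m = OPTION_RE.match(line)
        if m and current is not None:
            current[1].setdefault(m.group(1), []).append(m.group(2).strip('"'))
    return clauses


def canon(name):
    """Normalise a zone/owner name: lowercase, no trailing dot."""
    return name.lower().rstrip(".")


def split_addr(addr, default_port=53):
    """'10.10.11.13@5353' -> ('10.10.11.13', 5353); no '@' means port 53."""
    ip, _, port = addr.partition("@")
    return ip, int(port or default_port)


def nsd_zones(conf):
    return {canon(o["name"][0]) for k, o in parse_clauses(conf) if k == "zone" and "name" in o}


def nsd_listeners(conf):
    return {split_addr(a) for k, o in parse_clauses(conf) if k == "server"
            for a in o.get("ip-address", [])}


def unbound_stubs(conf):
    """[(zone, ip, port)] for every stub-addr of every stub-zone clause."""
    return [(canon(o["name"][0]),) + split_addr(a) for k, o in parse_clauses(conf)
            if k == "stub-zone" for a in o.get("stub-addr", [])]


def enclosing_zone(qname, zones):
    """Longest served zone that is qname or a label-wise ancestor of it, else None.
    'doe.com' encloses 'john.doe.com'; 'doe.com-internal' does not."""
    labels = canon(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate
    return None


def nsd_would_refuse(qname, nsd_conf):
    """True when NSD serves no zone at or above qname, i.e. it answers REFUSED."""
    return enclosing_zone(qname, nsd_zones(nsd_conf)) is None


def check(unbound_conf, nsd_conf):
    """List problems with each Unbound stub-zone relative to the NSD config."""
    zones, listeners, problems = nsd_zones(nsd_conf), nsd_listeners(nsd_conf), []
    for name, ip, port in unbound_stubs(unbound_conf):
        if (ip, port) not in listeners:
            problems.append(f"{name}: stub-addr {ip}@{port} is not an NSD ip-address")
        if name not in zones:
            problems.append(f"{name}: NSD has no 'zone:' with this name (would answer "
                            f"REFUSED); it serves {sorted(zones)}")
    return problems


if __name__ == "__main__":
    for p in check(UNBOUND_CONF, NSD_CONF):
        print("PROBLEM:", p)
    fixed = NSD_CONF.replace('"doe.com-internal"', '"doe.com"')
    print("after fix:", check(UNBOUND_CONF, fixed) or "ok")
```

Run it against the posted configs and the only finding is the "doe.com" stub with no matching "zone:" in NSD; renaming that zone to "doe.com" clears it. The same enclosing_zone logic is what makes the reverse zone work in the original post while the forward zone fails: 13.11.10.10.in-addr.arpa sits under 11.10.10.in-addr.arpa, but john.doe.com sits under no served zone.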

Hi Wouter,

On Wednesday 25 Jul 2018 14:31:20 (+0200), Wouter Wijngaards wrote:

> Hi Tristan,
>
> In your nsd.conf you have a mistake in the zone name:
>
> name: "doe.com-internal"
>
> But that makes a zone "doe.com-internal" and not "doe.com". Unbound queries for doe.com, and that zone is not hosted by the NSD instances, and thus it returned REFUSED.

I was going crazy. I hadn't even seen that stupid mistake! :-/

Kudos to you!