resolving result is flapping

Hello,

unbound tries to resolve 60.67.194.188.in-addr.arpa/PTR.
Even on an empty cache, I see two different answers:

1. the wrong:

;; QUESTION SECTION:
;; 60.67.194.188.in-addr.arpa. IN PTR

;; AUTHORITY SECTION:
194.188.in-addr.arpa. 3497 IN SOA ns01.registrar.kabel-deutschland.de. dns-admin.kabeldeutschland.de. 2014082103 10800 7200 604800 86400

2. the right:
;; QUESTION SECTION:
;; 60.67.194.188.in-addr.arpa. IN PTR

;; ANSWER SECTION:
60.67.194.188.in-addr.arpa. 86400 IN PTR ipbcc2433c.dynamic.kabel-deutschland.de.

I build Unbound from source.

# unbound -V
Version 1.16.3

Configure line: --disable-flto --disable-dnscrypt --enable-pie --enable-relro-now --disable-shared --enable-static --enable-sha1 --enable-subnet --enable-event-api --enable-tfo-client --enable-tfo-server --enable-dnstap --enable-linux-ip-local-port-range --with-pthreads --without-pyunbound --with-pythonmodule --with-libevent --with-libnghttp2
Linked libs: libev 4.33 (it uses epoll), OpenSSL 3.0.5 5 Jul 2022
Linked modules: dns64 python subnetcache respip validator iterator
TCP Fastopen feature available

... and use this minimal config for testing:

# cat /tmp/unbound.conf
server:
  chroot: ""
  do-daemonize: no
  logfile: ""
  log-replies: yes
  pidfile: ""

In one terminal I start unbound:
# env - /usr/local/sbin/unbound -c /tmp/unbound.conf
[1664832020] unbound[38:0] notice: init module 0: subnetcache
[1664832020] unbound[38:0] notice: init module 1: validator
[1664832020] unbound[38:0] notice: init module 2: iterator
[1664832020] unbound[38:0] info: start of service (unbound 1.16.3).

In a second terminal I do the first query to the new unbound process (with empty cache):
# dig @127.0.0.1 -x 188.194.67.60

The nameservers hosting 194.188.in-addr.arpa. are not fully EDNS compliant: https://ednscomp.isc.org/ednscomp/13b0b744f8
May this be the reason? Is there anything I could configure to avoid the random NXDOMAIN?

Andreas

> unbound tries to resolve 60.67.194.188.in-addr.arpa/PTR.
> Even on an empty cache, I see two different answers:
>
> ...
>
> The nameservers hosting 194.188.in-addr.arpa. are not fully EDNS
> compliant: https://ednscomp.isc.org/ednscomp/13b0b744f8
> May this be the reason?

That's unlikely to be the reason.

> Is there anything I could configure to avoid the random NXDOMAIN?

Not certain, but doubtful. This looks like a publication-side error,
and the fix for that belongs at the publication side.

Letting https://dnsviz.net/ process 60.67.194.188.in-addr.arpa reveals
that a query to either of these name servers:

194.188.in-addr.arpa. 86399 IN NS ns01.registrar.kabel-deutschland.de.
194.188.in-addr.arpa. 86399 IN NS ns02.registrar.kabel-deutschland.de.

for 67.194.188.in-addr.arpa returns NXDOMAIN, while a query for the
PTR of 60.67.194.188.in-addr.arpa gives the presumably intended
result:

60.67.194.188.in-addr.arpa. 86400 IN PTR ipbcc2433c.dynamic.kabel-deutschland.de.

NXDOMAIN is the wrong response to the 67.194.188.in-addr.arpa query,
as it is a signal to the querier not only that the queried-for name
doesn't exist, but also that there is nothing "deeper" in the naming
tree below this name (which isn't true, ref. the PTR response for the
full name). The correct response would most probably have been an
empty NODATA reply to the 67.194.188.in-addr.arpa query, as according
to the above PTR result that name would be "an empty non-terminal
node" and not a "nonexistent node" in the naming tree.

The query for the 67.194.188.in-addr.arpa name may be the result of
query minimization, though I would not recommend or suggest that you
turn that off if it's already enabled (as this has privacy implications).

Regards,

- Håvard
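
The NXDOMAIN versus NODATA distinction described in the reply above, as an added example that is not part of the original thread and is not Unbound's code. It is a toy model: the zone content is constructed from the records quoted in the thread, the function names are hypothetical, and the resolver is assumed to treat NXDOMAIN on a minimised name as final and to probe intermediate names with qtype A.

```python
# Constructed zone data: the only record below the apex is the PTR from the thread.
ZONE_APEX = "194.188.in-addr.arpa."
RECORDS = {
    ("60.67.194.188.in-addr.arpa.", "PTR"): "ipbcc2433c.dynamic.kabel-deutschland.de.",
}


def authoritative_answer(qname, qtype, ent_aware):
    """Model an authoritative server. ent_aware=False reproduces the behaviour
    reported in the thread: NXDOMAIN for an empty non-terminal (ENT)."""
    if (qname, qtype) in RECORDS:
        return "NOERROR", RECORDS[(qname, qtype)]
    owns_records = any(name == qname for name, _ in RECORDS)
    has_descendants = any(name.endswith("." + qname) for name, _ in RECORDS)
    if qname == ZONE_APEX or owns_records or (ent_aware and has_descendants):
        return "NOERROR", None  # NODATA: the name exists, just not with this type
    return "NXDOMAIN", None


def minimised_names(qname, zone_apex):
    """Names a QNAME-minimising resolver asks for, adding one label per step."""
    extra_labels = qname[: -len(zone_apex)].rstrip(".").split(".")
    names, current = [], zone_apex
    for label in reversed(extra_labels):
        current = label + "." + current
        names.append(current)
    return names


def resolve(qname, qtype, ent_aware, minimise):
    """Return (rcode, answer, name_that_decided_the_outcome)."""
    steps = minimised_names(qname, ZONE_APEX) if minimise else [qname]
    for name in steps:
        final = name == qname
        # Assumption: intermediate probes use qtype A; real resolvers differ.
        rcode, answer = authoritative_answer(name, qtype if final else "A", ent_aware)
        if rcode == "NXDOMAIN" or final:
            # NXDOMAIN means nothing exists at or below this name, so stop here.
            return rcode, answer, name


if __name__ == "__main__":
    target = "60.67.194.188.in-addr.arpa."
    for ent_aware in (False, True):
        for minimise in (True, False):
            print(ent_aware, minimise, resolve(target, "PTR", ent_aware, minimise))
```

With the ENT answered as NXDOMAIN, the minimising path stops at 67.194.188.in-addr.arpa. and never reaches the PTR, while the full-name query still gets it; with NODATA both paths return the same PTR.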