Sticky old nameservers

I thought I knew the DNS but apparently I don't.

Yesterday, around 1030 UTC the domain assemblee-nationale.fr had an
issue: the IP address of its nameservers changed. The "new"
nameservers served a different NS set. The problem has been fixed since
yesterday, around 1200 UTC. The TTL of the wrong information was only
300 seconds. Therefore, it should have disappeared by now. But that is
not the case:

% dig NS assemblee-nationale.fr

; <<>> DiG 9.11.5-P4-5.1-Debian <<>> NS assemblee-nationale.fr
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56522
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;assemblee-nationale.fr. IN NS

;; ANSWER SECTION:
assemblee-nationale.fr. 300 IN NS ns1432.ztomy.com.
assemblee-nationale.fr. 300 IN NS ns2432.ztomy.com.

;; Query time: 495 msec
;; SERVER: ::1#53(::1)
;; WHEN: Wed Feb 19 09:01:12 CET 2020
;; MSG SIZE rcvd: 102

The correct NS set is ns{0,1,2}.fr.claradns.net, as you can see in the
delegation (which did not change). Why is it not picked?

It is as if the resolver does not return to the parent and, when the
TTL expires, queries the wrong nameservers again.

[::1 is Unbound Version 1.9.0 linked libs: libevent 2.1.8-stable (it
uses epoll), OpenSSL 1.1.1d 10 Sep 2019]

[Restarting Unbound solves the problem.]

Hi Stephane,

did you check the output from

unbound-control lookup assemblee-nationale.fr

?

I occasionally have similar issues with my setup when a domain changes its nameservers. If I recall correctly, this is due to the domain’s old nameserver (the one to be asked) being cached. The command from above may show the issue.

Cheers

a message of 105 lines which said:

unbound-control lookup assemblee-nationale.fr

Unfortunately, this resolver does not have control enabled. (And, if I
restart it with 'control-enable: yes', the problem disappears, which
is good for operations but bad for science.)

I occasionally have similar issues with my setup when a domain
changes its nameservers. If I recall correctly, this is due to the
domain's old nameserver to be asked being cached.

Is it normal? I mean, it could enable "phantom domain" attacks.

a message of 41 lines which said:

I thought I knew the DNS but apparently I don't.

It seems the problem was not Unbound's fault but a combination of
"poisonings" with wrong information.

The TTL of the wrong information was only 300 seconds.

But the domain of assemblee-nationale.fr's name servers was announced
for a while by its registry with wrong nameservers and a TTL of two
days. Also, these nameservers served A records with a TTL of two
hours. In short, Unbound may have had good reasons to stick to the
wrong information.

This specific resolver did not have harden-glue and
harden-referral-path. Maybe it should.
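The following is an added example, not code from this thread and not Unbound's logic. It is a toy resolver cache that reproduces the symptom of the first message ("the resolver does not return to the parent") from the explanation in the last one: three layers of cached data with different TTLs (the registry's wrong NS set for the nameserver domain, two days; the A records those servers handed out, two hours; the NS set served by the wrong addresses, 300 seconds). The resolver does go back to the parent, but the parent only gives it nameserver names; the addresses for those names come out of the cache, and the cache is poisoned upstream. The names ns{0,1,2}.fr.claradns.net, ns{1432,2432}.ztomy.com and the TTLs are from the thread; the registry-side server names and the IP addresses (RFC 5737 documentation ranges) are hypothetical, as is the 90-minute gap between the first query and the fix.

```python
"""Toy model of the 'sticky old nameservers' behaviour from the thread.

Added example: a simplified resolver cache, not Unbound's algorithm.
"""

TARGET = "assemblee-nationale.fr."
NS_DOMAIN = "claradns.net."  # domain of the target's nameservers
GOOD_NS = ("ns0.fr.claradns.net.", "ns1.fr.claradns.net.", "ns2.fr.claradns.net.")
BAD_NS = ("ns1432.ztomy.com.", "ns2432.ztomy.com.")

# Hypothetical servers for the nameserver domain and hypothetical addresses.
GOOD_NS_DOMAIN_SERVERS = ("a.claradns-good.example.",)
BAD_NS_DOMAIN_SERVERS = ("a.rogue.example.",)
GOOD_ADDR = "192.0.2.1"
BAD_ADDR = "198.51.100.1"

TTL_REGISTRY_NS = 172800  # two days, as in the thread
TTL_NS_ADDRESS = 7200     # two hours, as in the thread
TTL_TARGET_NS = 300       # 300 seconds, as in the thread


class World:
    """The authoritative side. `fix_time` is when the registry was corrected."""

    def __init__(self, fix_time):
        self.fix_time = fix_time

    def delegation(self):
        """The .fr delegation for the target, which never changed."""
        return GOOD_NS

    def registry_ns(self, now):
        """NS set for claradns.net as announced by its registry at time `now`."""
        if now < self.fix_time:
            return BAD_NS_DOMAIN_SERVERS, TTL_REGISTRY_NS
        return GOOD_NS_DOMAIN_SERVERS, TTL_REGISTRY_NS

    def address_of(self, nsname, via):
        """A record for ns{0,1,2}.fr.claradns.net as served by server `via`."""
        if via in BAD_NS_DOMAIN_SERVERS:
            return BAD_ADDR, TTL_NS_ADDRESS
        return GOOD_ADDR, TTL_NS_ADDRESS

    def target_ns(self, addr):
        """NS set for the target as served by the nameserver at `addr`."""
        if addr == BAD_ADDR:
            return BAD_NS, TTL_TARGET_NS
        return GOOD_NS, TTL_TARGET_NS


class Resolver:
    """Minimal TTL-honouring cache in front of `World`."""

    def __init__(self, world):
        self.world = world
        self.cache = {}  # (name, type) -> (rdata, expires_at)

    def _get(self, key, now):
        entry = self.cache.get(key)
        return entry[0] if entry and entry[1] > now else None

    def _put(self, key, rdata, ttl, now):
        self.cache[key] = (rdata, now + ttl)

    def flush(self):
        """What a restart does: drop everything, including the two-day entry."""
        self.cache.clear()

    def ns_domain_servers(self, now):
        servers = self._get((NS_DOMAIN, "NS"), now)
        if servers is None:
            servers, ttl = self.world.registry_ns(now)
            self._put((NS_DOMAIN, "NS"), servers, ttl, now)
        return servers

    def address(self, nsname, now):
        addr = self._get((nsname, "A"), now)
        if addr is None:
            via = self.ns_domain_servers(now)[0]
            addr, ttl = self.world.address_of(nsname, via)
            self._put((nsname, "A"), addr, ttl, now)
        return addr

    def resolve_ns(self, now):
        """Answer 'dig NS assemblee-nationale.fr' at time `now`."""
        cached = self._get((TARGET, "NS"), now)
        if cached is not None:
            return cached
        # We do go back to the parent, and its delegation is correct by name...
        first = self.world.delegation()[0]
        # ...but the address for that name comes from the (poisoned) cache.
        rdata, ttl = self.world.target_ns(self.address(first, now))
        self._put((TARGET, "NS"), rdata, ttl, now)
        return rdata


def simulate(fix_time=5400):
    """Query at several moments around the fix; returns the NS set seen each time."""
    world = World(fix_time)
    r = Resolver(world)
    seen = {
        "during_incident": r.resolve_ns(0),
        "after_fix_and_ttl": r.resolve_ns(fix_time + 600),   # A still cached
        "next_day": r.resolve_ns(fix_time + 86400),          # registry NS still cached
        "after_two_days": r.resolve_ns(TTL_REGISTRY_NS + 1),  # finally correct
    }
    r2 = Resolver(world)
    r2.resolve_ns(0)
    r2.flush()  # the restart from the first message
    seen["after_restart"] = r2.resolve_ns(fix_time + 600)
    return seen


if __name__ == "__main__":
    for moment, ns in simulate().items():
        print(f"{moment:>18}: {' '.join(ns)}")
```

The model deliberately has no equivalent of harden-glue or harden-referral-path; it only shows why a resolver that trusts what it already has cached for the nameserver names can keep serving the 300-second RRset long after it was corrected at the source, and why a cache flush clears it at once.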