Unbound accepts Authority records with a wrong zone cut. Too lax?

Stephane_Bortzmeyer · July 18, 2012, 8:19am

Today, we experienced the problem described in
<http://fanf.livejournal.com/107721.html>\. BIND cannot query CNAME
ns1.webhosting24.com but Unbound can. Here on OARC's ODVR service:

# BIND
% dig @2001:4f8:3:2bc:1::64:20 CNAME ns1.webhosting24.com

; <<>> DiG 9.8.1-P1 <<>> @2001:4f8:3:2bc:1::64:20 CNAME ns1.webhosting24.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 35315
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;ns1.webhosting24.com. IN CNAME

;; Query time: 656 msec
;; SERVER: 2001:4f8:3:2bc:1:0:64:20#53(2001:4f8:3:2bc:1:0:64:20)
;; WHEN: Wed Jul 18 09:21:27 2012
;; MSG SIZE rcvd: 49

# Unbound
% dig @2001:4f8:3:2bc:1::64:21 CNAME ns1.webhosting24.com

; <<>> DiG 9.8.1-P1 <<>> @2001:4f8:3:2bc:1::64:21 CNAME ns1.webhosting24.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43630
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;ns1.webhosting24.com. IN CNAME

;; Query time: 492 msec
;; SERVER: 2001:4f8:3:2bc:1:0:64:21#53(2001:4f8:3:2bc:1:0:64:21)
;; WHEN: Wed Jul 18 09:21:31 2012
;; MSG SIZE rcvd: 49

I suspect that Unbound may be too lax since the answer is indeed
incorrect. ns1.webhosting24.com is delegated but the name servers
reply with an Authority which indicates a zone cut at
webhosting24.com. It seems BIND is right to reject it and Unbound is
wrong?

% dig @217.70.144.111 CNAME ns1.webhosting24.com

; <<>> DiG 9.7.3 <<>> @217.70.144.111 CNAME ns1.webhosting24.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17571
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;ns1.webhosting24.com. IN CNAME

;; AUTHORITY SECTION:
webhosting24.com. 86400 IN SOA ns1.webhosting24.com. hostmaster.webhosting24.com. 2012071800 86400 3600 604800 86400

;; Query time: 23 msec
;; SERVER: 217.70.144.111#53(217.70.144.111)
;; WHEN: Wed Jul 18 10:18:46 2012
;; MSG SIZE rcvd: 96

Wouter · July 18, 2012, 8:37am

Hi Stephane,

Today, we experienced the problem described in
<http://fanf.livejournal.com/107721.html>\. BIND cannot query CNAME
ns1.webhosting24.com but Unbound can. Here on OARC's ODVR service:

# BIND % dig @2001:4f8:3:2bc:1::64:20 CNAME ns1.webhosting24.com

; <<>> DiG 9.8.1-P1 <<>> @2001:4f8:3:2bc:1::64:20 CNAME
ns1.webhosting24.com ; (1 server found) ;; global options: +cmd ;;
Got answer: ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id:
35315 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0,
ADDITIONAL: 1

;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags: do; udp: 4096 ;;
QUESTION SECTION: ;ns1.webhosting24.com. IN CNAME

;; Query time: 656 msec ;; SERVER:
2001:4f8:3:2bc:1:0:64:20#53(2001:4f8:3:2bc:1:0:64:20) ;; WHEN: Wed
Jul 18 09:21:27 2012 ;; MSG SIZE rcvd: 49

# Unbound % dig @2001:4f8:3:2bc:1::64:21 CNAME
ns1.webhosting24.com

; <<>> DiG 9.8.1-P1 <<>> @2001:4f8:3:2bc:1::64:21 CNAME
ns1.webhosting24.com ; (1 server found) ;; global options: +cmd ;;
Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:
43630 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0,
ADDITIONAL: 1

;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags: do; udp: 4096 ;;
QUESTION SECTION: ;ns1.webhosting24.com. IN CNAME

;; Query time: 492 msec ;; SERVER:
2001:4f8:3:2bc:1:0:64:21#53(2001:4f8:3:2bc:1:0:64:21) ;; WHEN: Wed
Jul 18 09:21:31 2012 ;; MSG SIZE rcvd: 49

I suspect that Unbound may be too lax since the answer is indeed
incorrect. ns1.webhosting24.com is delegated but the name servers
reply with an Authority which indicates a zone cut at
webhosting24.com. It seems BIND is right to reject it and Unbound
is wrong?

Unbound rejects the authority records from this message. Then looks
at the resulting message and thinks that this looks like a
NOERROR/NODATA answer, which it returns to the client.

So, unbound rejects the authority zone cut, but does not turn that
into a servfail because it thinks it can understand the message with
that RR removed.

Best regards,
Wouter