Unbound any query handling

Hi all,

I have a few recursive name servers running Debian. I have recently upgraded the packages I was running from Jessie (1.4.22-3) to testing (1.5.6-1). Since the upgrade I have noticed when testing using dig on domains that not all records get returned for an any query.

As an example, when I do an any query for the domain "paulbegg.com" with the new version of unbound I get this:

; <<>> DiG 9.9.5-9+deb8u3-Debian <<>> any paulbegg.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36493
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;paulbegg.com. IN ANY

;; ANSWER SECTION:
paulbegg.com. 9142 IN A 104.154.95.49
paulbegg.com. 81142 IN NS ns2.syrahost.com.
paulbegg.com. 81142 IN NS ns1.syrahost.com.

When I query the older version I get the full set of records returned:

; <<>> DiG 9.9.5-9+deb8u3-Debian <<>> any paulbegg.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1196
;; flags: qr rd ra; QUERY: 1, ANSWER: 7, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;paulbegg.com. IN ANY

;; ANSWER SECTION:
paulbegg.com. 3600 IN TXT "Zone hosted on webcloud4.au.syrahost.com"
paulbegg.com. 14400 IN TXT "v=spf1+a+mx+ip4:203.170.86.145?all"
paulbegg.com. 14400 IN A 104.154.95.49
paulbegg.com. 86400 IN NS ns2.syrahost.com.
paulbegg.com. 86400 IN NS ns1.syrahost.com.
paulbegg.com. 14400 IN MX 0 mail.au.syrahost.com.
paulbegg.com. 86400 IN SOA ns1.syrahost.com. admin.syrahost.com. 2015072000 86400 7200 3600000 86400

I have had a look through the configuration file and can't see anything that would change that behaviour. Has anyone else come across this? Is this expected?

Thanks

> I have a few recursive name servers running Debian. I have recently
> upgraded the packages I was running from Jessie (1.4.22-3) to testing
> (1.5.6-1). Since the upgrade I have noticed when testing using dig on
> domains that not all records get returned for an any query.

The usual interpretation of an ANY query is that a recursive name
server will return all the records *it has cached*, while an
authoritative name server will simply return *all records*. This
could be the reason for what you are seeing.

Steinar Haug, Nethelp consulting, sthaug@nethelp.no

Hi,

>> I have a few recursive name servers running Debian. I have
>> recently upgraded the packages I was running from Jessie
>> (1.4.22-3) to testing (1.5.6-1). Since the upgrade I have noticed
>> when testing using dig on domains that not all records get
>> returned for an any query.
>
> The usual interpretation of an ANY query is that a recursive name
> server will return all the records *it has cached*, while an
> authoritative name server will simply return *all records*. This
> could be the reason for what you are seeing.

Also, this is an early interpretation of the draft
https://tools.ietf.org/html/draft-ietf-dnsop-refuse-any-00.

This is to limit DoS attacks with qtype ANY, while being protocol
conformant (i.e. DNSSEC and mail programs). It returns not all, but
some RRset entries, if those are in cache.

On the topic of DoS attacks, your new version of unbound has
ratelimiting with the option ratelimit: 100 or something (ratelimits
new, uncached queries per zone; but does not ratelimit prefetches).

Best regards, Wouter
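As an added example (not code from this thread or from the Unbound project), the script below parses the two dig outputs quoted in the original post and reports which RR types the newer resolver's ANY answer omits relative to the older one. This is the check a practitioner would run before concluding that records are lost: if the only difference is a shorter answer from the recursive server while the authoritative server still carries the full set, it is the cache-only / refuse-any behaviour described in the replies, not missing data. The script assumes the standard dig text layout (a ";; ANSWER SECTION:" header followed by one RR per line); the dig outputs embedded in it are copied from the original post.

```python
from __future__ import annotations
import re

# Both dig outputs below are copied from the original post in this thread.
# DIG_NEW: unbound 1.5.6-1 answering "dig any paulbegg.com" (3 RRs).
DIG_NEW = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36493
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;paulbegg.com. IN ANY

;; ANSWER SECTION:
paulbegg.com. 9142 IN A 104.154.95.49
paulbegg.com. 81142 IN NS ns2.syrahost.com.
paulbegg.com. 81142 IN NS ns1.syrahost.com.
"""

# DIG_OLD: unbound 1.4.22-3 answering the same query (7 RRs).
DIG_OLD = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1196
;; flags: qr rd ra; QUERY: 1, ANSWER: 7, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;paulbegg.com. IN ANY

;; ANSWER SECTION:
paulbegg.com. 3600 IN TXT "Zone hosted on webcloud4.au.syrahost.com"
paulbegg.com. 14400 IN TXT "v=spf1+a+mx+ip4:203.170.86.145?all"
paulbegg.com. 14400 IN A 104.154.95.49
paulbegg.com. 86400 IN NS ns2.syrahost.com.
paulbegg.com. 86400 IN NS ns1.syrahost.com.
paulbegg.com. 14400 IN MX 0 mail.au.syrahost.com.
paulbegg.com. 86400 IN SOA ns1.syrahost.com. admin.syrahost.com. 2015072000 86400 7200 3600000 86400
"""

# One resource record as dig prints it: owner, TTL, class IN, type, rdata.
RR_RE = re.compile(r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+(?P<type>[A-Z0-9]+)\s+(?P<rdata>.*)$")


def answer_rrsets(dig_output: str) -> dict[str, list[str]]:
    """Collect the ANSWER SECTION of a dig output as {rrtype: [rdata, ...]}."""
    rrsets: dict[str, list[str]] = {}
    in_answer = False
    for raw in dig_output.splitlines():
        line = raw.strip()
        if line.startswith(";; "):
            # Every ";; ..." line starts a new section; only ANSWER is wanted.
            in_answer = line == ";; ANSWER SECTION:"
            continue
        if not in_answer or not line or line.startswith(";"):
            continue
        m = RR_RE.match(line)
        if m:
            rrsets.setdefault(m["type"], []).append(m["rdata"].strip())
    return rrsets


def header_answer_count(dig_output: str) -> int:
    """Read the ANSWER count dig reports in its flags line (0 if absent)."""
    m = re.search(r"\bANSWER:\s*(\d+)", dig_output)
    return int(m.group(1)) if m else 0


def compare_any(resolver_output: str, full_output: str) -> dict:
    """Report which RR types the resolver's ANY answer lacks compared with the full set."""
    got = answer_rrsets(resolver_output)
    full = answer_rrsets(full_output)
    parsed_rrs = sum(len(v) for v in got.values())
    return {
        "present": sorted(got),
        "missing": sorted(set(full) - set(got)),
        # Sanity check that the parser saw as many RRs as dig's header claims.
        "count_ok": parsed_rrs == header_answer_count(resolver_output),
    }


if __name__ == "__main__":
    report = compare_any(DIG_NEW, DIG_OLD)
    print("types in resolver answer:", ", ".join(report["present"]))
    print("types not returned       :", ", ".join(report["missing"]))
    print("header count matches     :", report["count_ok"])
```

Run against the two captures from the thread, the script shows A and NS present and MX, SOA and TXT absent from the 1.5.6 answer, which matches "some RRset entries, if those are in cache" rather than a broken zone. The same parser works on the output of a direct query to the authoritative server (dig +norecurse against ns1.syrahost.com, for instance), which is the reference set to compare a recursive resolver's ANY answer against.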