Unbound dropping Additional Records

Hello,

I've encountered two strange things when using Unbound to query your
domain nlnetlabs.nl. I was playing with a program that cut off some
Additional Records, and was confused to learn that it sometimes happens
with Unbound as well.

One is due to dig. Dig sometimes shows a higher Additional Records
count than are being printed -- I've used Wireshark and learnt that
these are OPT records which are not to be handled like normal RRs.
That's hereby documented.

But I also get different results when querying Unbound (running on jip)
or your own name server. Listing follows.

Where have the missing Additional Records gone, I wonder? These don't
show up in Wireshark (and no OPT either) and of course I specified
-s0 to avoid cutting off the DNS response. tcpdump attached.

I use Debian Lenny -> unbound 1.0.2 and dig from dnsutils 1:9.5.0.
BTW, I'm new to Debian -- but it already feels like home :)

Best,
-Rick

bash$ dig @jip nlnetlabs.nl # Ask Unbound

; <<>> DiG 9.3.2-P2.1 <<>> @jip nlnetlabs.nl
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64664
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 3

;; QUESTION SECTION:
;nlnetlabs.nl. IN A

;; ANSWER SECTION:
nlnetlabs.nl. 2598 IN A 213.154.224.1

;; AUTHORITY SECTION:
nlnetlabs.nl. 8641 IN NS ns7.domain-registry.nl.
nlnetlabs.nl. 8641 IN NS omval.tednet.nl.
nlnetlabs.nl. 8641 IN NS open.nlnetlabs.nl.

;; ADDITIONAL SECTION:
open.nlnetlabs.nl. 8630 IN A 213.154.224.1
open.nlnetlabs.nl. 8835 IN AAAA 2001:7b8:206:1::1
open.nlnetlabs.nl. 8835 IN AAAA 2001:7b8:206:1::53

;; Query time: 8 msec
;; SERVER: 10.0.0.5#53(10.0.0.5)
;; WHEN: Wed Jan 7 11:03:10 2009
;; MSG SIZE rcvd: 198

bash$ dig @open.nlnetlabs.nl nlnetlabs.nl # Ask The Source

; <<>> DiG 9.4.2-P1 <<>> @open.nlnetlabs.nl nlnetlabs.nl
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36889
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 6
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;nlnetlabs.nl. IN A

;; ANSWER SECTION:
nlnetlabs.nl. 10200 IN A 213.154.224.1

;; AUTHORITY SECTION:
nlnetlabs.nl. 10200 IN NS open.nlnetlabs.nl.
nlnetlabs.nl. 10200 IN NS omval.tednet.nl.
nlnetlabs.nl. 10200 IN NS ns7.domain-registry.nl.

;; ADDITIONAL SECTION:
open.nlnetlabs.nl. 10200 IN A 213.154.224.1
open.nlnetlabs.nl. 10200 IN AAAA 2001:7b8:206:1::53
open.nlnetlabs.nl. 10200 IN AAAA 2001:7b8:206:1::1
omval.tednet.nl. 28800 IN A 213.154.224.17
omval.tednet.nl. 28800 IN AAAA 2001:7b8:206:1::17
omval.tednet.nl. 28800 IN AAAA 2001:7b8:206:1:200:39ff:fe59:b187

;; Query time: 15 msec
;; SERVER: 213.154.224.1#53(213.154.224.1)
;; WHEN: Wed Jan 7 12:02:57 2009
;; MSG SIZE rcvd: 270

Attachment: unbound2.tcpdump (368 bytes)

Hi Rick,

Additional records are completely optional and can be dropped.

Unbound does know about the records you complain are being dropped, but
notices that the server open.nlnetlabs.nl is not authoritative for that
data. Hence that data receives different treatment. To protect the
client, unbound leaves out this data.

The data can still be looked up, but that needs an additional query.

So, this is a security feature and unbound is protocol conformant.

You can turn off this behaviour with:
  harden-glue: no
The default is yes for security.

Best regards,
   Wouter

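The bailiwick check Wouter describes, modelled in Python as an added example (this is not code from the thread or from Unbound itself): the Additional section returned by open.nlnetlabs.nl is filtered against the zone that server is authoritative for, so the omval.tednet.nl glue is dropped unless the model's harden_glue flag is switched off, mirroring "harden-glue: no".

```python
# Added example, not part of the mailing-list thread or of Unbound's
# source: a model of the out-of-bailiwick filtering that "harden-glue: yes"
# applies to the Additional section of an authoritative answer.
from dataclasses import dataclass


@dataclass(frozen=True)
class RR:
    owner: str
    rtype: str
    rdata: str


def in_bailiwick(name: str, zone: str) -> bool:
    """True if `name` equals `zone` or lies below it (case-insensitive).
    The leading dot in the suffix test keeps 'evilnlnetlabs.nl' out."""
    name = name.lower().rstrip(".")
    zone = zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)


def harden_additional(additional, zone, harden_glue=True):
    """Return the Additional records a resolver accepts from a server that
    is authoritative for `zone`. With harden_glue=True (the default, like
    Unbound's), records owned outside the zone are dropped and must be
    fetched with their own query; with harden_glue=False all are kept."""
    if not harden_glue:
        return list(additional)
    return [rr for rr in additional if in_bailiwick(rr.owner, zone)]


# Constructed from the Additional section of the dig output in the thread.
ADDITIONAL = [
    RR("open.nlnetlabs.nl.", "A", "213.154.224.1"),
    RR("open.nlnetlabs.nl.", "AAAA", "2001:7b8:206:1::53"),
    RR("open.nlnetlabs.nl.", "AAAA", "2001:7b8:206:1::1"),
    RR("omval.tednet.nl.", "A", "213.154.224.17"),
    RR("omval.tednet.nl.", "AAAA", "2001:7b8:206:1::17"),
    RR("omval.tednet.nl.", "AAAA", "2001:7b8:206:1:200:39ff:fe59:b187"),
]

if __name__ == "__main__":
    kept = harden_additional(ADDITIONAL, "nlnetlabs.nl")
    for rr in kept:
        print(rr.owner, rr.rtype, rr.rdata)
    dropped = [rr for rr in ADDITIONAL if rr not in kept]
    print(len(kept), "kept,", len(dropped), "dropped (need their own lookup)")
```

Running it keeps the three open.nlnetlabs.nl records and drops the three omval.tednet.nl ones, which is exactly the 3 vs 6 difference between the two dig listings.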