The servers for pojezdala.cz have a bogus "cz" zone configured and that is returning unsigned NSEC records, resulting in the returned message being rejected when it is parsed. Now one can argue whether the test in message.c is correct or not, but the server shouldn't be returning anything about zones not delegated to it. Contact the zone operator and report this to them. Adding a #if 0 / #endif around this block of code should allow the lookup to resolve.
DNSVIZ doesn't detect this.

Mark

% dig szn20221014._domainkey.pojezdala.cz @2a02:2b88:2:1::c88:1 txt +norec +dnssec

; <<>> DiG 9.21.3-dev <<>> szn20221014._domainkey.pojezdala.cz @2a02:2b88:2:1::c88:1 txt +norec +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 13563
;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;szn20221014._domainkey.pojezdala.cz. IN TXT

;; ANSWER SECTION:
szn20221014._domainkey.pojezdala.cz. 300 IN CNAME szn20221014._domainkey.seznam.cz.
szn20221014._domainkey.pojezdala.cz. 300 IN RRSIG CNAME 8 4 300 20250227000000 20250206000000 48140 pojezdala.cz. Z36hM0A0gBIKIbEVJ6AuGxaoweuNqQrMFx3bpYrS35Kp8T0b8s7eQ/eS oVKQBJRIcz/79lEGqXNxjzky2jlYc1JfN0OHtIg3n5rrcEBxZUg3Brdi 78K8nXxPe3d3uVKC4i5f76qfy5zyy9FBApofxOIbATpgK4oFIV0JrVb4 nAROTrHls5UGkZB2CqO+xEz4XvH8T2nuTacWUAart5NnT5J7oPCxsV5w ROnM4M14a9O7SWZPv4OzUAvhPm8LzuYczvFi8uRo4oEDhsPTl7MDDZVs ernRIGXvKyElcc9Dt5UXi49S0CnusyXXj5TD1KhijF1gN2nEe9FPt4oK eSGg5A==

;; AUTHORITY SECTION:
cz. 21600 IN SOA ns1.pankrea.cz. hostmaster.pankrea.cz. 2018092600 10800 3600 259200 21600
cz. 21600 IN NSEC cz. SOA RRSIG NSEC

;; Query time: 405 msec
;; SERVER: 2a02:2b88:2:1::c88:1#53(2a02:2b88:2:1::c88:1) (UDP)
;; WHEN: Wed Feb 19 08:59:24 AEDT 2025
;; MSG SIZE  rcvd: 491

%

lib/dns/message.c:

	/*
	 * If any of DS, NSEC or NSEC3 appeared in the
	 * authority section of a query response without
	 * a covering RRSIG, FORMERR
	 */
	if (sectionid == DNS_SECTION_AUTHORITY &&
	    msg->opcode == dns_opcode_query &&
	    ((msg->flags & DNS_MESSAGEFLAG_QR) != 0) &&
	    ((msg->flags & DNS_MESSAGEFLAG_TC) == 0) &&
	    !preserve_order && !auth_signed(section))
	{
		/* XXX test coverage */
		DO_ERROR(DNS_R_FORMERR);
	}

> On 19 Feb 2025, at 02:46, Jan Zálešák <jan.zale...@economia.cz> wrote:
> 
> Hi,
> I would like to ask for a hint or help with a timeout problem.
> 
> We are using private recursive resolvers with bind 9.16.48 (Debian Bullseye
> package) for antispam machines. We have been contacted recently by a sender
> that DKIM verification for their domain is timing out on DNS.
> 
> After that we ran some tests with dig @localhost
> 
> dig @localhost szn20221014._domainkey.pojezdala.cz txt
> 
> ends with timeout, but
> 
> dig @localhost +cd szn20221014._domainkey.pojezdala.cz txt
> 
> works, also
> 
> dig @localhost szn20221014._domainkey.pojezdala.cz cname
> 
> works, and after this query, while its result is in cache, the txt query is also
> working and returning a result.
> A same-domain query like
> dig @localhost pojezdala.cz txt
> works fine.
> We have also checked the same behaviour against bind 9.18.33 (Debian Bookworm) in a
> different network.
> 
> Also checked dnsviz to see dnssec issues, but there are none
> (https://dnsviz.net/d/szn20221014._domainkey.pojezdala.cz/dnssec/)
> 
> Jan Zalesak
> jan.zale...@economia.cz
> 
> CONFIDENTIALITY NOTICE:
> The contents of this e-mail message and any attachments are intended solely
> for the addressee(s) and may contain confidential and/or privileged
> information owned by Economia, a.s. and may be legally protected from
> disclosure.
> If you are not the intended recipient of this message or their
> agent, or if this message has been addressed to you in error, please
> immediately alert the sender by reply e-mail and then delete this message and
> any attachments. If you are not the intended recipient, you are hereby
> notified that any use, dissemination, copying, or storage of this message or
> its attachments is strictly prohibited.
> -- 
> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
> this list
> 
> ISC funds the development of this software with paid support subscriptions.
> Contact us at https://www.isc.org/contact/ for more information.
> 
> 
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: ma...@isc.org
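The message.c check quoted in Mark's reply, re-created in Python as an added example (not BIND's code) so the failing AUTHORITY section from the thread can be compared with a constructed one that carries a covering RRSIG. The key tag and signature in the signed variant are placeholders; `parse_section`, `unsigned_rrsets` and `authority_is_formerr` are names chosen here, not BIND functions.

```python
# Added example, not BIND's code: re-creates the lib/dns/message.c rule that a
# query response whose AUTHORITY section carries a DS, NSEC or NSEC3 RRset
# without a covering RRSIG is rejected as FORMERR.
CHECKED_TYPES = {"DS", "NSEC", "NSEC3"}

def parse_section(text):
    """Parse dig-style presentation lines into (owner, type, rdata fields)."""
    records = []
    for line in text.strip().splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0].startswith(";"):
            continue  # skip comments and blank/short lines
        owner, _ttl, _class, rtype = fields[:4]
        records.append((owner.lower(), rtype.upper(), fields[4:]))
    return records

def unsigned_rrsets(authority):
    """(owner, type) pairs of checked types with no RRSIG covering that type."""
    present, covered = set(), set()
    for owner, rtype, rdata in authority:
        if rtype in CHECKED_TYPES:
            present.add((owner, rtype))
        elif rtype == "RRSIG" and rdata:
            covered.add((owner, rdata[0].upper()))  # RRSIG's first field: covered type
    return sorted(present - covered)

def authority_is_formerr(flags, opcode, authority, preserve_order=False):
    """Same guard as message.c: a non-truncated QUERY response (QR set, TC clear)."""
    if opcode != "QUERY" or "qr" not in flags or "tc" in flags or preserve_order:
        return False
    return bool(unsigned_rrsets(authority))

# Constructed from the AUTHORITY SECTION of the dig output in the thread.
BOGUS_AUTHORITY = """
cz. 21600 IN SOA ns1.pankrea.cz. hostmaster.pankrea.cz. 2018092600 10800 3600 259200 21600
cz. 21600 IN NSEC cz. SOA RRSIG NSEC
"""
# Constructed counterpart with a covering RRSIG; key tag and signature are placeholders.
SIGNED_AUTHORITY = BOGUS_AUTHORITY + (
    "cz. 21600 IN RRSIG NSEC 8 1 21600 20250227000000 20250206000000 "
    "12345 cz. PLACEHOLDER-SIGNATURE==\n"
)

if __name__ == "__main__":
    for label, text in (("bogus", BOGUS_AUTHORITY), ("signed", SIGNED_AUTHORITY)):
        auth = parse_section(text)
        verdict = "FORMERR" if authority_is_formerr({"qr", "aa"}, "QUERY", auth) else "accepted"
        print(f"{label}: {verdict}, unsigned RRsets: {unsigned_rrsets(auth)}")
```

The bogus section trips the rule on the unsigned `cz. NSEC`, while the same response with TC set, or parsed with `preserve_order`, is let through exactly as the C condition reads.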