From: Tony Finch
To: bind9-bugs@isc.org
CC: Tony Finch
Date: Mon, 16 Jun 2014 14:17:35 +0100
Subject: EDNS fail - problems resolving blog.rop.io IN AAAA

I am currently running git rev 06e0d6b plus trivial patches.

I have been trying to work out why I get a SERVFAIL resolving and validating

    blog.rop.io IN AAAA

Named seems to go into a loop re-querying for dns2v6.cdns.net/A and getting a truncated response. It does not fall back to TCP. A similar thing happens for rop.io/DNSKEY.

I can only reproduce this response with 'dig' if I send a query without EDNS.
So the question is, why is named sending queries without EDNS? It seems to be because the authority servers are a bit broken.

Early in the resolution process named made a query for blog.rop.io AAAA and got a truncated response with a missing EDNS record and a missing TC flag - see the first query/response pair below. At this point it marked the server as not supporting EDNS.

Similarly, when named queried for dns2v6.cdns.net/AAAA it got a response without an EDNS packet. This does not seem to be due to truncation, but rather a buggy EDNS implementation which drops the record if the buffer size is 512 or less. See the second query/response pair below.

*** 1

; <<>> DiG 9.11.0pre-alpha <<>> -4 +qr +multiline +norec +dnssec +bufsize=512 blog.rop.io in aaaa @ns1.r4ns.com.
;; global options: +cmd
;; Sending:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9821
;; flags: ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;blog.rop.io.           IN AAAA

;; QUERY SIZE: 40

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9821
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 0

;; QUESTION SECTION:
;blog.rop.io.           IN AAAA

;; AUTHORITY SECTION:
rop.io.                 3600 IN SOA ns1.r4ns.com. info.egeektronic.com. (
                                2014061518 ; serial
                                1200       ; refresh (20 minutes)
                                180        ; retry (3 minutes)
                                604800     ; expire (1 week)
                                3600       ; minimum (1 hour)
                                )
rop.io.                 3600 IN RRSIG SOA 7 2 3600 (
                                20140626000000 20140612000000 26739 rop.io.
                                gCmNnHyTtVLbgLDOKuVou9KexzhqBeHdLoqtN9KpGPmu
                                XHNYjk21RaFAi91ly1Z4JaiPSWk4dj+uZjUKtAde63np
                                OdPB0N3HYX/NPaaQ2fXIE9d7qYJAOy8tEaczxQIs5hkL
                                KBor61w4zrpypfI6uzcmqNWZ0mHibmTUumGYzwA= )
m44202ac9ca4jsqum1248sjcmff74004.rop.io. 3600 IN NSEC3 1 1 1 BEEF (
                                M44202AC9CA4JSQUM1248SJCMFF74005
                                A NS SOA MX TXT AAAA SSHFP RRSIG DNSKEY NSEC3PARAM )

;; Query time: 34 msec
;; SERVER: 176.124.112.100#53(176.124.112.100)
;; WHEN: Mon Jun 16 14:01:04 BST 2014
;; MSG SIZE  rcvd: 342

*** 2

; <<>> DiG 9.11.0pre-alpha <<>> +qr +multiline +ignore +norec +dnssec +bufsize=512 dns2v6.cdns.net in aaaa @194.0.1.1
;; global options: +cmd
;; Sending:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23456
;; flags: ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;dns2v6.cdns.net.       IN AAAA

;; QUERY SIZE: 44

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23456
;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;dns2v6.cdns.net.       IN AAAA

;; ANSWER SECTION:
dns2v6.cdns.net.        86400 IN AAAA 2001:678:5::1
dns2v6.cdns.net.        86400 IN RRSIG AAAA 8 3 86400 (
                                20140712152242 20140607075037 1616 cdns.net.
                                n0/yzR0wAJZ/6P1QyALIbBenMYs+mYddGV9oSYNoB+UU
                                AS8IfHHpSBLSK+T27r/u8nMacJ26TvBQ3nYb5JcZGfHM
                                i2V6WjKoSs/Fs64Uz8GbiCX5pNUdsbZCN+3KbYFzh4Jn
                                Req223p88Lk2l9+itq8FYLElAV8V9r7p9UNDEB8= )

;; Query time: 36 msec
;; SERVER: 194.0.1.1#53(194.0.1.1)
;; WHEN: Mon Jun 16 14:14:13 BST 2014
;; MSG SIZE  rcvd: 229

Tony.
-- 
f.anthony.n.finch http://dotat.at/
German Bight: Northwest 5 to 7, veering north 4 or 5. Moderate or rough. Fair. Good.
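
Added example, not part of the original report and not BIND code: a wire-format check for the condition described above, where a reply to an EDNS query carries neither an OPT record nor the TC flag. The function names and the two messages are constructed for illustration; the reply is a header-and-question stand-in with the record data omitted.

```python
import struct

OPT, TC_FLAG = 41, 0x0200   # OPT pseudo-RR type (RFC 6891); truncation bit in the flags word

def skip_name(msg, off):
    """Return the offset just past the domain name that starts at off."""
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:          # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + n
        if n == 0:                    # root label ends the name
            return off

def summarize(msg):
    """Return (tc_set, udp_size) for one DNS message; udp_size is None without OPT."""
    _id, flags, qd, an, ns, ar = struct.unpack_from("!6H", msg, 0)
    off, udp_size = 12, None
    for _ in range(qd):
        off = skip_name(msg, off) + 4             # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10 + rdlen
        if rtype == OPT:
            udp_size = rclass                     # OPT carries the UDP size in CLASS
    return bool(flags & TC_FLAG), udp_size

def diagnose(query, response):
    """Classify the reply to an EDNS query the way the report reads the dig output."""
    if summarize(query)[1] is None:
        return "query had no EDNS"
    tc, size = summarize(response)
    if size is not None:
        return "EDNS ok"
    return "no OPT, TC set" if tc else "no OPT, TC clear"

def message(flags, qname, opt_size=None):
    """Build a constructed one-question AAAA message, adding OPT (DO set) if opt_size."""
    labels = qname.rstrip(".").split(".")
    name = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\0"
    msg = struct.pack("!6H", 9821, flags, 1, 0, 0, 1 if opt_size else 0)
    msg += name + struct.pack("!HH", 28, 1)       # QTYPE AAAA, QCLASS IN
    if opt_size:
        msg += b"\0" + struct.pack("!HHIH", OPT, opt_size, 0x8000, 0)
    return msg

# Constructed stand-ins for the first query/response pair (record data omitted).
QUERY = message(0x0020, "blog.rop.io.", opt_size=512)    # flags: ad
REPLY = message(0x8400, "blog.rop.io.")                  # flags: qr aa, no OPT, no TC
```

diagnose(QUERY, REPLY) returns "no OPT, TC clear", the combination the report identifies in both captured replies.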