Subject: BIND returns inconsistent data from cache for DS records
From: Tomas Hozza
To: bind9-bugs@isc.org
Date: Tue, 19 Aug 2014 13:05:07 +0200
Message-ID: <53F32F63.40306@redhat.com>

Hello.

We discovered an inconsistent BIND behavior when querying it for DS records. The response differs if BIND was queried for a different type of record for the same domain name.
I reproduced this with BIND 9.9.4 on Fedora 20. I may try the latest BIND 9.10 beta version.

BIND was configured with:

    dnssec-enable yes;
    dnssec-validation auto;
    dnssec-lookaside no;

When running:

1. rndc flush
2. dig jsonformat.com @127.0.0.1 +dnssec -t A +cdflag
3. dig jsonformat.com @127.0.0.1 +dnssec -t DS +cdflag
4. dig jsonformat.com @127.0.0.1 +dnssec -t DS +nocdflag

I get a different answer in (3.) and (4.).

When running:

1. rndc flush
2. dig jsonformat.com @127.0.0.1 +dnssec -t A +nocdflag
3. dig jsonformat.com @127.0.0.1 +dnssec -t DS +cdflag
4. dig jsonformat.com @127.0.0.1 +dnssec -t DS +nocdflag

or if (2.) is omitted completely, I get the same response in (3.) and (4.).

It seems like BIND will cache something wrong when doing the first query with the CD flag set, which makes it answer inconsistently later on. This behavior is causing validation to fail when such a BIND is used as a forwarder.

I'm going to debug BIND to see what's happening. I know it will be like looking for a needle in a haystack, that's why I'm reporting it to you before I have any more clues. I would appreciate any hints where to look for the cause.

Thank you in advance.

Regards,

-- 
Tomas Hozza
Software Engineer - EMEA ENG Developer Experience
PGP: 1D9F3C2D
Red Hat Inc. http://cz.redhat.com
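A small harness that runs the four reproduction steps from the report and compares the two DS answers in a TTL-independent way, so a resolver can be checked for this cache inconsistency without eyeballing `dig` output. This is an added example, not code from the original report or from BIND. It assumes `dig` and `rndc` are on PATH and that the resolver under test listens on 127.0.0.1, as in the report; the `jsonformat.com` name comes from the report, and the sample `dig` outputs embedded below are constructed, not captured from a real resolver.

```python
"""Compare DS answers with and without the CD flag after priming the cache.

Added example (not part of the original bug report). Assumes `dig` and `rndc`
are installed and the resolver under test listens on RESOLVER.
"""
import subprocess
import sys
from typing import FrozenSet, Tuple

RESOLVER = "127.0.0.1"          # assumption: local recursive resolver, as in the report
QNAME = "jsonformat.com"        # name used in the report's reproduction steps

# (owner name, RR type, rdata); the TTL is deliberately left out because two
# answers served from cache legitimately differ in remaining TTL.
Record = Tuple[str, str, str]


def answer_rrset(dig_output: str) -> FrozenSet[Record]:
    """Extract the ANSWER SECTION of `dig` output as a TTL-independent record set."""
    records = set()
    in_answer = False
    for line in dig_output.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if line.startswith(";;") or not line.strip():
            in_answer = False        # a blank line or the next ";;" header ends the section
            continue
        if in_answer:
            fields = line.split(None, 4)          # name ttl class type rdata
            if len(fields) == 5:
                name, _ttl, _cls, rtype, rdata = fields
                records.add((name.lower(), rtype, " ".join(rdata.split())))
    return frozenset(records)


def compare_dig_outputs(first: str, second: str) -> bool:
    """True when both outputs carry the same answer records (TTLs ignored)."""
    return answer_rrset(first) == answer_rrset(second)


def dig(name: str, rtype: str, cd: bool) -> str:
    """Run dig exactly as in the report: +dnssec, explicit type, CD flag on or off."""
    flag = "+cdflag" if cd else "+nocdflag"
    proc = subprocess.run(
        ["dig", name, f"@{RESOLVER}", "+dnssec", "-t", rtype, flag],
        check=True, capture_output=True, text=True)
    return proc.stdout


def ds_answers_consistent(name: str, prime_with_cd: bool) -> bool:
    """Steps 1-4 from the report; prime_with_cd=True is the sequence that misbehaved."""
    subprocess.run(["rndc", "flush"], check=True)            # step 1
    dig(name, "A", cd=prime_with_cd)                          # step 2: prime the cache
    with_cd = dig(name, "DS", cd=True)                        # step 3
    without_cd = dig(name, "DS", cd=False)                    # step 4
    return compare_dig_outputs(with_cd, without_cd)


# Constructed sample outputs (not real responses) for offline demonstration.
SAMPLE_DS_FRESH = """; <<>> DiG 9.9.4 <<>> jsonformat.com @127.0.0.1 +dnssec -t DS +cdflag
;; ANSWER SECTION:
jsonformat.com.\t86400\tIN\tDS\t12345 8 2 0123456789ABCDEF
jsonformat.com.\t86400\tIN\tRRSIG\tDS 8 2 86400 20140901000000 20140801000000 11111 com. c2lnbmF0dXJl

;; Query time: 3 msec
"""
SAMPLE_DS_CACHED = SAMPLE_DS_FRESH.replace("\t86400\tIN", "\t86399\tIN")   # same data, aged TTL
SAMPLE_DS_EMPTY = """; <<>> DiG 9.9.4 <<>> jsonformat.com @127.0.0.1 +dnssec -t DS +nocdflag
;; AUTHORITY SECTION:
com.\t900\tIN\tSOA\ta.gtld-servers.net. nstld.verisign-grs.com. 1 1800 900 604800 86400

;; Query time: 1 msec
"""


def offline_demo() -> Tuple[bool, bool]:
    """(TTL-only difference is consistent, missing answer is inconsistent)."""
    return (compare_dig_outputs(SAMPLE_DS_FRESH, SAMPLE_DS_CACHED),
            compare_dig_outputs(SAMPLE_DS_FRESH, SAMPLE_DS_EMPTY))


if __name__ == "__main__":
    print("offline demo (ttl-only diff, missing answer):", offline_demo())
    if "--live" in sys.argv:   # needs dig, rndc and a resolver at RESOLVER
        for prime in (True, False):
            ok = ds_answers_consistent(QNAME, prime_with_cd=prime)
            print(f"prime A with CD={prime}: DS answers {'match' if ok else 'DIFFER'}")
```

Run it without arguments to exercise the comparison on the constructed samples; `--live` performs the flush and four queries against the local resolver, once with the CD-primed sequence and once with the control sequence, and reports whether the two DS answers agree. Ignoring the TTL column is what lets the check distinguish a real cache inconsistency from the normal aging of a cached RRset.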