Domain not resolved when DNSSEC is enabled. #824

Closed
javier7570 opened this issue Jan 11, 2023 · 3 comments

@javier7570

javier7570 commented Jan 11, 2023

Describe the bug
I have Unbound with DNSSEC installed. In the configuration I only enabled the option:

auto-trust-anchor-file: /usr/local/etc/unbound/root/anchor/root.key

The rest of the config parameters have their default values.
I send a request to resolve the domain ww.gonzaga.org (Note that there is an error in the URL). I receive the following response:

drill +dnssec +tries=0 @<server> ww.gonzaga.org

;; ->>HEADER<<- opcode: QUERY, rcode: NXDOMAIN, id: 32027
;; flags: qr rd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;; ww.gonzaga.org.      IN      A

;; ANSWER SECTION:

;; AUTHORITY SECTION:
gonzaga.org.    3600    IN      SOA     NS55.WORLDNIC.COM. namehost.WORLDNIC.COM. 122101914 10800 3600 604800 3600

;; ADDITIONAL SECTION:

;; Query time: 132 msec
;; SERVER: 34.243.234.109
;; WHEN: Wed Jan 11 14:33:53 2023
;; MSG SIZE  rcvd: 94

This is correct because the URL was wrong and the domain doesn't exist.

But now if I try to resolve the correct domain (www.gonzaga.org), I receive the same response although in this case the domain exists:

drill +dnssec +tries=0 @<server> ww.gonzaga.org

;; ->>HEADER<<- opcode: QUERY, rcode: NXDOMAIN, id: 57805
;; flags: qr rd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;; www.gonzaga.org.     IN      A

;; ANSWER SECTION:

;; AUTHORITY SECTION:
gonzaga.org.    3595    IN      SOA     NS55.WORLDNIC.COM. namehost.WORLDNIC.COM. 122101914 10800 3600 604800 3600

;; ADDITIONAL SECTION:

;; Query time: 20 msec
;; SERVER: 34.243.234.109
;; WHEN: Wed Jan 11 14:37:23 2023
;; MSG SIZE  rcvd: 95

I have checked with tcpdump that Unbound is using the cached value from the first query I've made, although I am trying to resolve a different domain.

When DNSSEC is not configured in this second case I see the correct response:

drill +dnssec +tries=0 @<server> www.gonzaga.org

;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 22389
;; flags: qr rd ra ; QUERY: 1, ANSWER: 5, AUTHORITY: 4, ADDITIONAL: 0
;; QUESTION SECTION:
;; www.gonzaga.org.     IN      A

;; ANSWER SECTION:
www.gonzaga.org.        7200    IN      CNAME   gonzaga.onmessage.whipplehillsites.com.
gonzaga.onmessage.whipplehillsites.com. 300     IN      CNAME   bbk12e1-cms-shieldv2.myschoolcdn.com.
bbk12e1-cms-shieldv2.myschoolcdn.com.   60      IN      A       54.209.77.18
bbk12e1-cms-shieldv2.myschoolcdn.com.   60      IN      A       54.209.169.55
bbk12e1-cms-shieldv2.myschoolcdn.com.   60      IN      A       52.21.193.100

;; AUTHORITY SECTION:
myschoolcdn.com.        86400   IN      NS      ns-399.awsdns-49.com.
myschoolcdn.com.        86400   IN      NS      ns-670.awsdns-19.net.
myschoolcdn.com.        86400   IN      NS      ns-1127.awsdns-12.org.
myschoolcdn.com.        86400   IN      NS      ns-1793.awsdns-32.co.uk.

;; ADDITIONAL SECTION:

;; Query time: 217 msec
;; SERVER: 34.243.234.109
;; WHEN: Wed Jan 11 14:49:10 2023
;; MSG SIZE  rcvd: 314

I have seen that if I remove the validator module from the module-config configuration option, the problem doesn't happen.

To reproduce
Steps to reproduce the behavior:

  1. Start Unbound.
  2. Make a DNS query for the domain ww.gonzaga.org (wrong URL)
  3. Make another DNS query for www.gonzaga.org (correct URL)

Expected behavior
The expected behavior is that in the second query for www.gonzaga.org, this domain should be resolved as indicated above when DNSSEC is not enabled, instead of returning NXDOMAIN.

System:

  • Unbound version: 1.16.2
  • OS: FreeBSD 13.0 (also happens in Ubuntu 22.04.1)
  • unbound -V output:
Version 1.16.2

Configure line:
Linked libs: mini-event internal (it uses select), OpenSSL 1.1.1m  14 Dec 2021
Linked modules: dns64 respip validator iterator

BSD licensed, see LICENSE in source package for details.
Report bugs to unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues


@gthess gthess self-assigned this Jan 11, 2023
@gthess
Member

gthess commented Jan 11, 2023

Hi,

I can't reproduce here as I get answers on both queries (with DNSSEC; ww of course returns NXDOMAIN).
The only problem that I see is that onmessage.whipplehillsites.com returns NXDOMAIN and that would prevent resolution if both

qname-minimisation: yes
qname-minimisation-strict: yes

are used (not by default).

Not sure why DNSSEC does not work for you; maybe you are getting different answers in your network?
Could it be that the answer you are getting messes with the NSEC chain and aggressive-nsec: yes (default) concludes that there is no www subdomain? That matches the observation that you see no outgoing traffic for the second query. In that case you could try with aggressive-nsec: no.

Also increasing verbosity to 4 and trying the same steps could give more insight.
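
The mechanism gthess describes (aggressive use of a cached, validated NSEC record, RFC 8198) can be seen in a small model. The block below is an added example written for this page; it is not Unbound code and does not send any DNS traffic. It implements RFC 4034 canonical name ordering and the "does this NSEC cover the query name" test, then contrasts three constructed caches: a correct NSEC for the ww.gonzaga.org denial (w.gonzaga.org NSEC www.gonzaga.org, a hypothetical chain), an over-wide NSEC span (gonzaga.org NSEC zzz.gonzaga.org, also hypothetical) that wrongly covers www.gonzaga.org, and the same wrong span with aggressive use switched off. Only the covering test is modelled; a real resolver must also prove that no wildcard at the closest encloser exists and must ignore NSECs from delegation points before synthesising NXDOMAIN.

```python
"""Toy model of RFC 8198 aggressive NSEC use (added example, not Unbound code).
All names and NSEC spans below are constructed for illustration."""
from __future__ import annotations


def _labels(name: str) -> list[bytes]:
    """Canonical-form labels (RFC 4034 s6.1: lower-cased octets), root first,
    so comparison proceeds from the right-most label as the RFC requires."""
    name = name.rstrip(".").lower()
    labels = [lbl.encode("ascii") for lbl in name.split(".")] if name else []
    return list(reversed(labels))


def canonical_cmp(a: str, b: str) -> int:
    """RFC 4034 s6.1 canonical ordering: -1 if a sorts before b, 0 if equal,
    1 otherwise. Labels compare as octet strings; a name with fewer labels
    that is a prefix of the other (e.g. the apex) sorts first."""
    la, lb = _labels(a), _labels(b)
    for x, y in zip(la, lb):
        if x != y:
            return -1 if x < y else 1
    return (len(la) > len(lb)) - (len(la) < len(lb))


def is_subdomain(qname: str, zone: str) -> bool:
    lq, lz = _labels(qname), _labels(zone)
    return lq[: len(lz)] == lz


def nsec_covers(owner: str, next_name: str, qname: str) -> bool:
    """True when qname falls strictly between owner and next in canonical
    order, i.e. the NSEC proves qname does not exist. A qname equal to owner
    or next is NOT covered (that name exists). The last NSEC in a chain has
    next == apex and wraps around."""
    c_owner = canonical_cmp(owner, qname)   # want owner < qname
    c_next = canonical_cmp(qname, next_name)  # want qname < next
    if canonical_cmp(owner, next_name) < 0:
        return c_owner < 0 and c_next < 0
    return c_owner < 0 or c_next < 0          # wrap-around case


class AggressiveNsecCache:
    """Minimal validated cache: remembers NSECs from earlier denials and, when
    aggressive use is on, answers NXDOMAIN from them without going upstream."""

    def __init__(self, aggressive_nsec: bool = True) -> None:
        self.aggressive_nsec = aggressive_nsec
        self.nsec: list[tuple[str, str, str]] = []  # (zone, owner, next)
        self.upstream_queries: list[str] = []       # what tcpdump would see

    def learn_nxdomain(self, zone: str, owner: str, next_name: str) -> None:
        # Stored after a validated NXDOMAIN answer (the ww.gonzaga.org query).
        self.nsec.append((zone, owner, next_name))

    def resolve(self, qname: str) -> str:
        if self.aggressive_nsec:
            for zone, owner, nxt in self.nsec:
                # Real resolvers also need the wildcard (*.closest-encloser)
                # proof here; this model only checks the covering span.
                if is_subdomain(qname, zone) and nsec_covers(owner, nxt, qname):
                    return "NXDOMAIN (synthesised from cached NSEC)"
        self.upstream_queries.append(qname)
        return "query sent upstream"


def demo() -> dict[str, dict[str, str]]:
    names = ["ww.gonzaga.org", "www.gonzaga.org"]
    # Hypothetical correct chain: ww sorts between w and www, and www is the
    # "next" name, so the NSEC proves ww is absent but says www exists.
    good = AggressiveNsecCache(aggressive_nsec=True)
    good.learn_nxdomain("gonzaga.org", "w.gonzaga.org", "www.gonzaga.org")
    # Hypothetical over-wide span: claims nothing exists between apex and zzz.
    bad = AggressiveNsecCache(aggressive_nsec=True)
    bad.learn_nxdomain("gonzaga.org", "gonzaga.org", "zzz.gonzaga.org")
    # Same wrong NSEC, but aggressive-nsec: no forces a fresh upstream query.
    off = AggressiveNsecCache(aggressive_nsec=False)
    off.learn_nxdomain("gonzaga.org", "gonzaga.org", "zzz.gonzaga.org")
    return {
        "correct_chain": {n: good.resolve(n) for n in names},
        "overwide_nsec": {n: bad.resolve(n) for n in names},
        "aggressive_nsec_off": {n: off.resolve(n) for n in names},
    }


if __name__ == "__main__":
    for label, results in demo().items():
        print(label)
        for qname, answer in results.items():
            print(f"  {qname:18} -> {answer}")
```

With the over-wide span, www.gonzaga.org is answered NXDOMAIN with nothing sent upstream, which is exactly the symptom in the report; with a correct chain the cached NSEC ends at www.gonzaga.org and the resolver has to ask the authoritative server. Setting aggressive-nsec: no hides the bad NSEC rather than fixing it, so the upstream answer (verbosity 4 or a packet capture of the ww query) is still worth inspecting.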

@javier7570
Author

Hi,

If I set aggressive-nsec: no, everything works well.

Thank you very much for your help.

@gthess
Member

gthess commented Jan 13, 2023

That's good to hear; I do think though that you get a wrong NSEC answer in your case (network) that covers (wrongly) the existing www subdomain.
