No AA flag set when using 'classless in-addr delegation' #589

Closed
Habbie opened this Issue Apr 26, 2013 · 6 comments

@Habbie
Member
Habbie commented Apr 26, 2013

We've set up 'classless in-addr delegation' (RFC2317). When resolving IP addresses on our authoritative server that are delegated, we've noticed that no authoritative answer is given (the AA flag isn't set).

When resolving an IP address that isn't delegated, the AA flag is set.

Example:

################## Authoritative Server: ##################

C:\Users\bramb>dig -x 213.206.235.16 @ns.interconnect.nl

; <<>> DiG 9.9.1-P2 <<>> -x 213.206.235.16 @ns.interconnect.nl
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26058
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;16.235.206.213.in-addr.arpa.   IN      PTR

;; ANSWER SECTION:
16.235.206.213.in-addr.arpa. 3600 IN    PTR     mail.smtp-service.nl.

;; Query time: 19 msec
;; SERVER: 212.83.192.5#53(212.83.192.5)
;; WHEN: Tue Oct 02 12:09:37 2012
;; MSG SIZE  rcvd: 79


C:\Users\bramb>dig -x 213.206.235.226 @ns.interconnect.nl

; <<>> DiG 9.9.1-P2 <<>> -x 213.206.235.226 @ns.interconnect.nl
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33440
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 0

;; QUESTION SECTION:
;226.235.206.213.in-addr.arpa.  IN      PTR

;; ANSWER SECTION:
226.235.206.213.in-addr.arpa. 3600 IN   CNAME   226.224-255.235.206.213.in-addr.arpa.

;; AUTHORITY SECTION:
224-255.235.206.213.in-addr.arpa. 3600 IN NS    ns1.lemonweb.nl.
224-255.235.206.213.in-addr.arpa. 3600 IN NS    ns2.lemonweb.be.
224-255.235.206.213.in-addr.arpa. 3600 IN NS    ns3.lemonweb.eu.

;; Query time: 39 msec
;; SERVER: 212.83.192.5#53(212.83.192.5)
;; WHEN: Tue Oct 02 12:09:44 2012
;; MSG SIZE  rcvd: 159

################## Non-authoritative Server: ##################
C:\Users\bramb>dig -x 213.206.235.16

; <<>> DiG 9.9.1-P2 <<>> -x 213.206.235.16
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3402
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1280
;; QUESTION SECTION:
;16.235.206.213.in-addr.arpa.   IN      PTR

;; ANSWER SECTION:
16.235.206.213.in-addr.arpa. 3494 IN    PTR     mail.smtp-service.nl.

;; Query time: 22 msec
;; SERVER: 213.207.64.11#53(213.207.64.11)
;; WHEN: Tue Oct 02 12:11:02 2012
;; MSG SIZE  rcvd: 90


C:\Users\bramb>dig -x 213.206.235.226

; <<>> DiG 9.9.1-P2 <<>> -x 213.206.235.226
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34129
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1280
;; QUESTION SECTION:
;226.235.206.213.in-addr.arpa.  IN      PTR

;; ANSWER SECTION:
226.235.206.213.in-addr.arpa. 3600 IN   CNAME   226.224-255.235.206.213.in-addr.arpa.
226.224-255.235.206.213.in-addr.arpa. 300 IN PTR lemon20.lemonweb.nl.

;; AUTHORITY SECTION:
224-255.235.206.213.in-addr.arpa. 300 IN NS     ns1.lemonweb.nl.
224-255.235.206.213.in-addr.arpa. 300 IN NS     ns2.lemonweb.be.
224-255.235.206.213.in-addr.arpa. 300 IN NS     ns3.lemonweb.eu.

;; Query time: 47 msec
;; SERVER: 213.207.64.11#53(213.207.64.11)
;; WHEN: Tue Oct 02 12:11:05 2012
;; MSG SIZE  rcvd: 192

When using www.mxtoolbox.com's PTR lookup tool, you'll get the following message: Warning: Received Non-Authoritative (lame) Answer from: 'ns.interconnect.nl'

The example at http://www.ripe.net/data-tools/dns/reverse-dns/how-to-set-up-reverse-delegation > Step 5 > Query Against an Authoritative Server, shows an AA flag is set.

@Habbie Habbie was assigned Apr 26, 2013
@Habbie
Member
Habbie commented Apr 26, 2013

Author: anon
Found some RFCs about the authoritative answer:

http://www.ietf.org/rfc/rfc6604.txt

http://www.ietf.org/rfc/rfc1035.txt

I've also set up a quick 'n' dirty test with NSD, which does set the AA flag:
192.168.10.rev:

[...]
192-255.10.168.192.in-addr.arpa IN NS   nameserver1.nl.
192-255.10.168.192.in-addr.arpa IN NS   nameserver2.nl.
192-255.10.168.192.in-addr.arpa IN NS   nameserver3.nl.

192.192-255.10.168.192.in-addr.arpa IN CNAME 192-255.10.168.192.in-addr.arpa
193.192-255.10.168.192.in-addr.arpa IN CNAME 192-255.10.168.192.in-addr.arpa
[...]

dig @localhost -x 192.168.10.193
; <<>> DiG 9.8.1-P1 <<>> @localhost -x 192.168.10.193
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64855
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
@Habbie
Member
Habbie commented Apr 26, 2013

Author: ahu
Please show your pdns.conf, you are probably doing recursion. Please repeat your queries with 'dig +norecurs'.

We need to know what the problem is first.

@Habbie
Member
Habbie commented Apr 26, 2013

Author: anon
pdns.conf:

launch=opendbx
opendbx-backend=mssql

opendbx-host-read=<host>
opendbx-host-write=<host>

opendbx-port=3309
opendbx-database=<database>
opendbx-username=<user>
opendbx-password=<pass>

webserver=yes
webserver-port=80
webserver-address=0.0.0.0

recursor=127.0.0.1:53
max-tcp-connections=300

local-address=<localaddres>
local-ipv6=<localaddres>

log-failed-updates=off
log-dns-details=off

allow-recursion=<somesubnets>
allow-axfr-ips=<somesubnets>

pdns_recursor is listening on 127.0.0.1:53

################## Authoritative Server: ##################

C:\Users\bramb>dig +norec -x 213.206.235.16 @ns.interconnect.nl

; <<>> DiG 9.9.1-P2 <<>> +norec -x 213.206.235.16 @ns.interconnect.nl
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22771
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;16.235.206.213.in-addr.arpa.   IN      PTR

;; ANSWER SECTION:
16.235.206.213.in-addr.arpa. 3600 IN    PTR     mail.smtp-service.nl.

;; Query time: 31 msec
;; SERVER: 212.83.192.5#53(212.83.192.5)
;; WHEN: Wed Oct 10 16:11:23 2012
;; MSG SIZE  rcvd: 79


C:\Users\bramb>dig +norec -x 213.206.235.226 @ns.interconnect.nl

; <<>> DiG 9.9.1-P2 <<>> +norec -x 213.206.235.226 @ns.interconnect.nl
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33736
;; flags: qr; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 0

;; QUESTION SECTION:
;226.235.206.213.in-addr.arpa.  IN      PTR

;; ANSWER SECTION:
226.235.206.213.in-addr.arpa. 3600 IN   CNAME   226.224-255.235.206.213.in-addr.arpa.

;; AUTHORITY SECTION:
224-255.235.206.213.in-addr.arpa. 3600 IN NS    ns1.lemonweb.nl.
224-255.235.206.213.in-addr.arpa. 3600 IN NS    ns2.lemonweb.be.
224-255.235.206.213.in-addr.arpa. 3600 IN NS    ns3.lemonweb.eu.

;; Query time: 31 msec
;; SERVER: 212.83.192.5#53(212.83.192.5)
;; WHEN: Wed Oct 10 16:11:37 2012
;; MSG SIZE  rcvd: 159

################## Non-authoritative Server: ##################

C:\Users\bramb>dig +norec -x 213.206.235.16

; <<>> DiG 9.9.1-P2 <<>> +norec -x 213.206.235.16
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10453
;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 16

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1280
;; QUESTION SECTION:
;16.235.206.213.in-addr.arpa.   IN      PTR

;; AUTHORITY SECTION:
.                       86208   IN      NS      l.root-servers.net.
.                       86208   IN      NS      g.root-servers.net.
.                       86208   IN      NS      d.root-servers.net.
.                       86208   IN      NS      f.root-servers.net.
.                       86208   IN      NS      i.root-servers.net.
.                       86208   IN      NS      j.root-servers.net.
.                       86208   IN      NS      b.root-servers.net.
.                       86208   IN      NS      e.root-servers.net.
.                       86208   IN      NS      c.root-servers.net.
.                       86208   IN      NS      h.root-servers.net.
.                       86208   IN      NS      m.root-servers.net.
.                       86208   IN      NS      a.root-servers.net.
.                       86208   IN      NS      k.root-servers.net.

;; ADDITIONAL SECTION:
l.root-servers.net.     86208   IN      A       199.7.83.42
g.root-servers.net.     86208   IN      A       192.112.36.4
d.root-servers.net.     86208   IN      A       128.8.10.90
d.root-servers.net.     86208   IN      AAAA    2001:500:2d::d
f.root-servers.net.     86208   IN      A       192.5.5.241
i.root-servers.net.     86208   IN      A       192.36.148.17
j.root-servers.net.     86208   IN      A       192.58.128.30
b.root-servers.net.     86208   IN      A       192.228.79.201
e.root-servers.net.     86208   IN      A       192.203.230.10
c.root-servers.net.     86208   IN      A       192.33.4.12
h.root-servers.net.     86208   IN      A       128.63.2.53
m.root-servers.net.     86208   IN      A       202.12.27.33
a.root-servers.net.     86208   IN      A       198.41.0.4
a.root-servers.net.     86208   IN      AAAA    2001:503:ba3e::2:30
k.root-servers.net.     86208   IN      A       193.0.14.129

;; Query time: 15 msec
;; SERVER: 213.207.64.11#53(213.207.64.11)
;; WHEN: Wed Oct 10 16:12:13 2012
;; MSG SIZE  rcvd: 735


C:\Users\bramb>dig +norec -x 213.206.235.226

; <<>> DiG 9.9.1-P2 <<>> +norec -x 213.206.235.226
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6433
;; flags: qr ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1280
;; QUESTION SECTION:
;226.235.206.213.in-addr.arpa.  IN      PTR

;; ANSWER SECTION:
226.235.206.213.in-addr.arpa. 3052 IN   CNAME   226.224-255.235.206.213.in-addr.arpa.

;; Query time: 15 msec
;; SERVER: 213.207.64.11#53(213.207.64.11)
;; WHEN: Wed Oct 10 16:12:42 2012
;; MSG SIZE  rcvd: 83
@Habbie
Member
Habbie commented Mar 24, 2014

http://tools.ietf.org/html/rfc6604#section-2.1 confirms that we should be setting AA here

@Habbie
Member
Habbie commented Sep 30, 2014

Can confirm we deviate from BIND here:

--- ./tests/cname-to-referral/expected_result   2014-09-19 12:15:21.968480088 +0000
+++ ./tests/cname-to-referral/real_result   2014-09-30 13:36:15.284890110 +0000
@@ -1,5 +1,5 @@
 0  server1.example.com.    IN  CNAME   120 server1.france.example.com.
 1  france.example.com. IN  NS  120 ns1.otherprovider.net.
 1  france.example.com. IN  NS  120 ns2.otherprovider.net.
-Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 0, opcode: 0
+Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
 Reply to question for qname='server1.example.com.', qtype=A
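
Review bot: the Rcode line in ./tests/cname-to-referral/expected_result still records AA: 0, so the test as committed asserts the behaviour this issue reports as wrong. Once the server sets AA for a CNAME that leads into a referral, that header line in expected_result needs to read AA: 1, or the test will fail against the corrected server. The three record lines and the "Reply to question" line are unchanged context and need no edit.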

the AA:1 is from BIND 9.9.5
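
A check for the condition discussed in this thread, as an added example (not code from PowerDNS or from any commenter): it parses dig's text output and flags a reply whose first answer is a CNAME for the query name, followed by NS records in the authority section, but without `aa` in the header flags. The sample replies are constructed from the names in the cname-to-referral test above; `parse_dig` and `classify` are hypothetical helper names.

```python
import re

def parse_dig(text):
    """Return (header flags, {section name: [record fields]}) from dig text output."""
    flags = set(re.search(r"^;; flags:([a-z ]*);", text, re.M).group(1).split())
    sections, current = {}, None
    for line in text.splitlines():
        header = re.match(r";; (\w+) SECTION:", line)
        if header:
            current = sections.setdefault(header.group(1), [])
        elif line.startswith(";;"):
            current = None            # any other ';;' line ends the section
        elif current is not None and line.strip():
            current.append(line.lstrip(";").split())
    return flags, sections

def classify(text):
    """Classify a reply by its AA bit and the contents of its sections."""
    flags, sec = parse_dig(text)
    qname = sec["QUESTION"][0][0].lower()
    answer = sec.get("ANSWER", [])
    has_ns = any(rr[3] == "NS" for rr in sec.get("AUTHORITY", []))
    if "aa" in flags:
        return "authoritative"
    if not answer and has_ns:
        return "referral"             # plain delegation: AA is not expected
    first_is_cname = bool(answer) and answer[0][3] == "CNAME"
    if first_is_cname and answer[0][0].lower() == qname and has_ns:
        return "cname-into-referral-without-aa"   # the case reported here
    return "non-authoritative"

# Constructed samples (not captured output), modelled on the test case names.
TEMPLATE = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: {flags}; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0

;; QUESTION SECTION:
;server1.example.com.           IN      A

;; ANSWER SECTION:
server1.example.com.    120     IN      CNAME   server1.france.example.com.

;; AUTHORITY SECTION:
france.example.com.     120     IN      NS      ns1.otherprovider.net.
france.example.com.     120     IN      NS      ns2.otherprovider.net.

;; Query time: 1 msec
"""
WITHOUT_AA = TEMPLATE.format(flags="qr")
WITH_AA = TEMPLATE.format(flags="qr aa")

if __name__ == "__main__":
    for label, sample in (("without AA", WITHOUT_AA), ("with AA", WITH_AA)):
        print(label, "->", classify(sample))
```

Feed it replies obtained with recursion disabled on the query, as requested earlier in the thread, so that a cached answer from a recursor is not mistaken for the authoritative server's own reply.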

@Habbie Habbie added a commit to Habbie/pdns that referenced this issue Sep 30, 2014
@Habbie Habbie set AA on CNAME into referral, fixes #589 95c7970
@Habbie Habbie closed this in d2323cd Nov 27, 2014
@mind04 mind04 added a commit to mind04/pdns that referenced this issue Apr 29, 2015
@Habbie @mind04 Habbie + mind04 set AA on CNAME into referral, fixes #589 4356b8f
@mind04 mind04 added a commit to mind04/pdns that referenced this issue Apr 29, 2015
@Habbie @mind04 Habbie + mind04 set AA on CNAME into referral, fixes #589 e23bf78
@mind04 mind04 added a commit to mind04/pdns that referenced this issue Apr 30, 2015
@Habbie @mind04 Habbie + mind04 set AA on CNAME into referral, fixes #589 8b9a4b6
@mind04 mind04 added a commit to mind04/pdns that referenced this issue Apr 30, 2015
@Habbie @mind04 Habbie + mind04 set AA on CNAME into referral, fixes #589 0d24c2e
@mind04 mind04 added a commit to mind04/pdns that referenced this issue Apr 30, 2015
@Habbie @mind04 Habbie + mind04 set AA on CNAME into referral, fixes #589 cfcb016
@mind04 mind04 added a commit to mind04/pdns that referenced this issue Apr 30, 2015
@Habbie @mind04 Habbie + mind04 set AA on CNAME into referral, fixes #589 55b0653