New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

rec: Do not allow direct queries for RRSIG or NSEC3 #5738

Merged
merged 1 commit into from Sep 29, 2017

Conversation

Projects
None yet
3 participants
@rgacogne
Member

rgacogne commented Sep 27, 2017

Short description

As pointed out in #5735, the recursor has an interesting issue when handling a direct query for the RRSIG type. It would send a query to the corresponding authoritative server and assume that a NOTIMPL answer, as sent for example by PowerDNS 4.0.x, is an indication that this server does not support EDNS.
Since it does not make a lot of sense to directly ask for RRSIG or NSEC3 records anyway, let's just refuse those queries as we already do for AXFR and IXFR.

One thing to ponder is that the current code sends a ServFail answer for AXFR and IXFR, and that feels wrong. Perhaps REFUSED would be more suited?

Fixes #5735.

Checklist

I have:

  • read the CONTRIBUTING.md document
  • compiled and tested this code
  • included documentation (including possible behaviour changes)
  • documented the code
  • added or modified regression test(s)
  • added or modified unit test(s)

@rgacogne rgacogne added this to the rec-4.1.0 milestone Sep 27, 2017

@pieterlexis

This comment has been minimized.

Show comment
Hide comment
@pieterlexis

pieterlexis Sep 27, 2017

Member

Perhaps drop direct NSEC queries as well?

Member

pieterlexis commented Sep 27, 2017

Perhaps drop direct NSEC queries as well?

@Habbie

Habbie approved these changes Sep 29, 2017

@Habbie

This comment has been minimized.

Show comment
Hide comment
@Habbie

Habbie Sep 29, 2017

Member

One thing to ponder is that the current code sends a ServFail answer for AXFR and IXFR, and that feels wrong. Perhaps REFUSED would be more suited?

BIND sends NOTAUTH (because it could be, software-wise). 8.8.8.8 sends ServFail. Unbound sends REFUSED. Knot gives NOTIMP.

Member

Habbie commented Sep 29, 2017

One thing to ponder is that the current code sends a ServFail answer for AXFR and IXFR, and that feels wrong. Perhaps REFUSED would be more suited?

BIND sends NOTAUTH (because it could be, software-wise). 8.8.8.8 sends ServFail. Unbound sends REFUSED. Knot gives NOTIMP.

@rgacogne

This comment has been minimized.

Show comment
Hide comment
@rgacogne

rgacogne Sep 29, 2017

Member

BIND sends NOTAUTH (because it could be, software-wise). 8.8.8.8 sends ServFail. Unbound sends REFUSED. Knot gives NOTIMP.

NOTAUTH seems a bit misleading, one could assume we looked at the qname and found we are not authoritative for it. NOTIMP has caused issues with EDNS-awareness detection in the past. REFUSED looks marginally better to me than ServFail but given that it means changing the current behavior, perhaps we should stick with ServFail.

Member

rgacogne commented Sep 29, 2017

BIND sends NOTAUTH (because it could be, software-wise). 8.8.8.8 sends ServFail. Unbound sends REFUSED. Knot gives NOTIMP.

NOTAUTH seems a bit misleading, one could assume we looked at the qname and found we are not authoritative for it. NOTIMP has caused issues with EDNS-awareness detection in the past. REFUSED looks marginally better to me than ServFail but given that it means changing the current behavior, perhaps we should stick with ServFail.

@Habbie

This comment has been minimized.

Show comment
Hide comment
@Habbie

Habbie Sep 29, 2017

Member

Yes - NOTIMP is wrong. NOTAUTH is 'correct' but indeed a bit misleading. I am fine with sticking with ServFail.

Member

Habbie commented Sep 29, 2017

Yes - NOTIMP is wrong. NOTAUTH is 'correct' but indeed a bit misleading. I am fine with sticking with ServFail.

@rgacogne rgacogne merged commit 3be8c2c into PowerDNS:master Sep 29, 2017

1 check passed

continuous-integration/travis-ci/pr The Travis CI build passed
Details

@rgacogne rgacogne deleted the rgacogne:rec-servfail-on-direct-rrsig-nsec3 branch Sep 29, 2017

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment