AXFR doesn't work due to additional www. lookup #631

Closed
kpcyrd opened this issue Nov 27, 2018 · 3 comments

Comments

@kpcyrd
Contributor

kpcyrd commented Nov 27, 2018

Describe the bug
I was trying to implement a zone transfer for a zone that I can transfer with dig, but can't transfer with trust-dns.

To Reproduce
Steps to reproduce the behavior:

dig +tcp axfr zonetransfer.me # this works
cargo build && RUST_LOG=debug target/debug/axfr # this doesn't
extern crate env_logger; // 0.6
extern crate trust_dns_proto; // 0.5.0
extern crate trust_dns_resolver; // 0.10.0

use trust_dns_proto::rr::record_type::RecordType;
use trust_dns_resolver::Resolver;
use trust_dns_resolver::config::{ResolverConfig,
                                 ResolverOpts,
                                 NameServerConfig,
                                 Protocol};


fn main() {
    env_logger::init();

    // Start from an empty config so only the server below is used.
    let mut ns = ResolverConfig::new();

    // The authoritative server for the zone; AXFR is carried over TCP.
    ns.add_name_server(NameServerConfig {
        socket_addr: "81.4.108.41:53".parse().unwrap(),
        protocol: Protocol::Tcp,
        tls_dns_name: None,
    });

    let opts = ResolverOpts::default();
    let resolver = Resolver::new(ns, opts).unwrap();

    // Ask the resolver for a full zone transfer instead of a single record.
    let x = resolver.lookup("zonetransfer.me", RecordType::AXFR).expect("lookup");
    println!("{:?}", x);
}

Expected behavior
Successful AXFR reply

Actual behavior

DNS Error: Not authorized

This log indicates there are actually two lookups: AXFR zonetransfer.me and AXFR www.zonetransfer.me. The 2nd one is incorrect, should not happen, and causes this function call to fail. I might be missing an option here to disable www. lookups; if there is one, please point me to it. :)

[2018-11-27T20:43:24Z DEBUG trust_dns_proto::xfer::dns_handle] querying: zonetransfer.me AXFR
[2018-11-27T20:43:24Z DEBUG trust_dns_resolver::name_server_pool] connecting: Tcp { socket_addr: V4(81.4.108.41:53), timeout: 5s }
[2018-11-27T20:43:24Z DEBUG trust_dns_proto::xfer] enqueueing message: [Query { name: Name { is_fqdn: false, labels: [zonetransfer, me] }, query_type: AXFR, query_class: IN }]
[2018-11-27T20:43:24Z DEBUG trust_dns_proto::tcp::tcp_stream] TCP connection established to: 81.4.108.41:53
[2018-11-27T20:43:24Z DEBUG trust_dns_proto::xfer::dns_exchange] connection established: TCP(81.4.108.41:53)
[2018-11-27T20:43:24Z INFO  trust_dns_proto::xfer::dns_exchange] sending message via: TCP(81.4.108.41:53)
[2018-11-27T20:43:24Z DEBUG trust_dns_proto::xfer::dns_multiplexer] sending message id: 65474
[2018-11-27T20:43:24Z DEBUG trust_dns_proto::tcp::tcp_stream] sending message len: 44 to: 81.4.108.41:53
[2018-11-27T20:43:24Z DEBUG trust_dns_proto::tcp::tcp_stream] in ReadTcpState::LenBytes: 0
[2018-11-27T20:43:24Z DEBUG trust_dns_proto::tcp::tcp_stream] got length: 1875
[2018-11-27T20:43:24Z DEBUG trust_dns_proto::tcp::tcp_stream] move ReadTcpState::Bytes: 1875
[2018-11-27T20:43:24Z DEBUG trust_dns_proto::tcp::tcp_stream] in ReadTcpState::Bytes: 1875
[2018-11-27T20:43:24Z DEBUG trust_dns_proto::tcp::tcp_stream] reset ReadTcpState::LenBytes: 0
[2018-11-27T20:43:24Z DEBUG trust_dns_proto::tcp::tcp_stream] returning bytes
[2018-11-27T20:43:24Z DEBUG trust_dns_proto::tcp::tcp_stream] returning buffer
[2018-11-27T20:43:24Z DEBUG trust_dns_proto::rr::record_data] reading SOA
[2018-11-27T20:43:24Z DEBUG trust_dns_proto::rr::record_data] reading Unknown
[2018-11-27T20:43:24Z DEBUG trust_dns_proto::rr::record_data] reading TXT
[2018-11-27T20:43:24Z DEBUG trust_dns_proto::rr::record_data] reading MX
[2018-11-27T20:43:24Z DEBUG trust_dns_proto::rr::record_data] reading MX
[2018-11-27T20:43:24Z DEBUG trust_dns_proto::rr::record_data] reading MX
[2018-11-27T20:43:24Z DEBUG trust_dns_proto::rr::record_data] reading MX
[2018-11-27T20:43:24Z DEBUG trust_dns_proto::rr::record_data] reading MX
[2018-11-27T20:43:24Z DEBUG trust_dns_proto::rr::record_data] reading MX
[2018-11-27T20:43:24Z DEBUG trust_dns_proto::rr::record_data] reading MX
[2018-11-27T20:43:24Z DEBUG trust_dns_proto::rr::record_data] reading A
[2018-11-27T20:43:24Z DEBUG trust_dns_proto::rr::record_data] reading NS
[2018-11-27T20:43:24Z DEBUG trust_dns_proto::rr::record_data] reading NS
[2018-11-27T20:43:24Z DEBUG trust_dns_proto::rr::record_data] reading SRV
[2018-11-27T20:43:24Z DEBUG trust_dns_proto::rr::record_data] reading PTR
[2018-11-27T20:43:24Z DEBUG trust_dns_proto::rr::record_data] reading Unknown
[2018-11-27T20:43:24Z DEBUG trust_dns_proto::rr::record_data] reading A
[2018-11-27T20:43:24Z DEBUG trust_dns_proto::rr::record_data] reading Unknown
[2018-11-27T20:43:24Z DEBUG trust_dns_proto::rr::record_data] reading A
[2018-11-27T20:43:24Z DEBUG trust_dns_proto::rr::record_data] reading TXT
[2018-11-27T20:43:24Z DEBUG trust_dns_proto::rr::record_data] reading TXT
[2018-11-27T20:43:24Z DEBUG trust_dns_proto::rr::record_data] reading A
[2018-11-27T20:43:24Z DEBUG trust_dns_proto::rr::record_data] reading AAAA
[2018-11-27T20:43:24Z DEBUG trust_dns_proto::rr::record_data] reading Unknown
[2018-11-27T20:43:24Z DEBUG trust_dns_proto::rr::record_data] reading TXT
[2018-11-27T20:43:24Z DEBUG trust_dns_proto::rr::record_data] reading Unknown
[2018-11-27T20:43:24Z DEBUG trust_dns_proto::rr::record_data] reading A
[2018-11-27T20:43:24Z DEBUG trust_dns_proto::rr::record_data] reading A
[2018-11-27T20:43:24Z DEBUG trust_dns_proto::rr::record_data] reading TXT
[2018-11-27T20:43:24Z DEBUG trust_dns_proto::rr::record_data] reading NS
[2018-11-27T20:43:24Z DEBUG trust_dns_proto::rr::record_data] reading NS
[2018-11-27T20:43:24Z DEBUG trust_dns_proto::rr::record_data] reading A
[2018-11-27T20:43:24Z DEBUG trust_dns_proto::rr::record_data] reading A
[2018-11-27T20:43:24Z DEBUG trust_dns_proto::rr::record_data] reading A
[2018-11-27T20:43:24Z DEBUG trust_dns_proto::rr::record_data] reading AAAA
[2018-11-27T20:43:24Z DEBUG trust_dns_proto::rr::record_data] reading A
[2018-11-27T20:43:24Z DEBUG trust_dns_proto::rr::record_data] reading TXT
[2018-11-27T20:43:24Z DEBUG trust_dns_proto::rr::record_data] reading Unknown
[2018-11-27T20:43:24Z DEBUG trust_dns_proto::rr::record_data] reading Unknown
[2018-11-27T20:43:24Z DEBUG trust_dns_proto::rr::record_data] reading TXT
[2018-11-27T20:43:24Z DEBUG trust_dns_proto::rr::record_data] reading TXT
[2018-11-27T20:43:24Z DEBUG trust_dns_proto::rr::record_data] reading CNAME
[2018-11-27T20:43:24Z DEBUG trust_dns_proto::rr::record_data] reading A
[2018-11-27T20:43:24Z DEBUG trust_dns_proto::rr::record_data] reading CNAME
[2018-11-27T20:43:24Z DEBUG trust_dns_proto::rr::record_data] reading A
[2018-11-27T20:43:24Z DEBUG trust_dns_proto::rr::record_data] reading A
[2018-11-27T20:43:24Z DEBUG trust_dns_proto::rr::record_data] reading TXT
[2018-11-27T20:43:24Z DEBUG trust_dns_proto::rr::record_data] reading SOA
[2018-11-27T20:43:24Z DEBUG trust_dns_proto::xfer::dns_handle] querying: www.zonetransfer.me. AXFR
[2018-11-27T20:43:24Z DEBUG trust_dns_proto::xfer] enqueueing message: [Query { name: Name { is_fqdn: true, labels: [www, zonetransfer, me] }, query_type: AXFR, query_class: IN }]
[2018-11-27T20:43:24Z INFO  trust_dns_proto::xfer::dns_exchange] sending message via: TCP(81.4.108.41:53)
[2018-11-27T20:43:24Z DEBUG trust_dns_proto::xfer::dns_multiplexer] sending message id: 19001
[2018-11-27T20:43:24Z DEBUG trust_dns_proto::tcp::tcp_stream] sending message len: 48 to: 81.4.108.41:53
[2018-11-27T20:43:25Z DEBUG trust_dns_proto::tcp::tcp_stream] in ReadTcpState::LenBytes: 0
[2018-11-27T20:43:25Z DEBUG trust_dns_proto::tcp::tcp_stream] got length: 48
[2018-11-27T20:43:25Z DEBUG trust_dns_proto::tcp::tcp_stream] move ReadTcpState::Bytes: 48
[2018-11-27T20:43:25Z DEBUG trust_dns_proto::tcp::tcp_stream] in ReadTcpState::Bytes: 48
[2018-11-27T20:43:25Z DEBUG trust_dns_proto::tcp::tcp_stream] reset ReadTcpState::LenBytes: 0
[2018-11-27T20:43:25Z DEBUG trust_dns_proto::tcp::tcp_stream] returning bytes
[2018-11-27T20:43:25Z DEBUG trust_dns_proto::tcp::tcp_stream] returning buffer
[2018-11-27T20:43:25Z DEBUG tokio_reactor] dropping I/O source: 0
thread 'main' panicked at 'lookup: ResolveError { inner: 

DNS Error: Not authorized }', libcore/result.rs:1009:5
note: Run with `RUST_BACKTRACE=1` for a backtrace.

Version:
Crate: resolver
Version: 0.10.0
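The two message lengths in the log above (44 bytes for zonetransfer.me, 48 for www.zonetransfer.me) can be reproduced from the DNS wire format, which is a useful sanity check when reading what a client actually put on the wire, and the same header decoding tells a denied transfer (REFUSED or NOTAUTH reply with no answer records) from a served one. The following is an added example in std-only Rust, not code from this issue or from trust-dns; it assumes the 11-byte difference between a bare question and the logged length is an EDNS0 OPT record, and the payload size it puts in that record is a constructed value that does not change the length.

```rust
// Added example, not from the issue or trust-dns: encode an AXFR query in DNS wire format
// and decode a reply's RCODE. Assumes the logged 44/48 bytes = header + question + 11-byte OPT.
const TYPE_AXFR: u16 = 252;
const TYPE_OPT: u16 = 41;
const CLASS_IN: u16 = 1;

/// Encode a name into label format: "zonetransfer.me" -> [12]zonetransfer[2]me[0].
pub fn encode_name(name: &str) -> Vec<u8> {
    let mut out = Vec::new();
    let name = name.trim_end_matches('.');
    if !name.is_empty() {
        for label in name.split('.') {
            assert!(!label.is_empty() && label.len() <= 63, "bad label: {:?}", label);
            out.push(label.len() as u8);
            out.extend_from_slice(label.as_bytes());
        }
    }
    out.push(0); // root terminator
    out
}

/// Build the AXFR query message (without the 2-byte TCP length prefix the stream adds).
pub fn axfr_query(id: u16, name: &str) -> Vec<u8> {
    let mut msg = id.to_be_bytes().to_vec();
    // flags 0 (query, RD clear: a transfer is served by the authority), QD 1, AN 0, NS 0, AR 1 (OPT)
    msg.extend_from_slice(&[0, 0, 0, 1, 0, 0, 0, 0, 0, 1]);
    msg.extend(encode_name(name));
    msg.extend_from_slice(&TYPE_AXFR.to_be_bytes());
    msg.extend_from_slice(&CLASS_IN.to_be_bytes());
    // OPT pseudo-record: root name, TYPE 41, CLASS = UDP payload size, TTL = 0, RDLENGTH = 0
    msg.push(0);
    msg.extend_from_slice(&TYPE_OPT.to_be_bytes());
    msg.extend_from_slice(&1232u16.to_be_bytes()); // constructed payload size; any value is 2 bytes
    msg.extend_from_slice(&[0, 0, 0, 0, 0, 0]);
    msg
}

/// RCODE of a reply (0 NOERROR, 5 REFUSED, 9 NOTAUTH); None if the QR bit is not set.
pub fn rcode(reply: &[u8]) -> Option<u8> {
    if reply.len() < 12 || (reply[2] & 0x80) == 0 { return None; }
    Some(reply[3] & 0x0f)
}

/// Constructed reply: the query echoed with QR set and no answers (the 48-byte shape in the log).
pub fn denied_reply(query: &[u8], code: u8) -> Vec<u8> {
    let mut r = query.to_vec();
    r[2] |= 0x80;
    r[3] = (r[3] & 0xf0) | (code & 0x0f);
    r
}
```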

@bluejekyll
Member

bluejekyll commented Nov 27, 2018

hm, I've never thought of the resolver being used for AXFR. The client, trust_dns crate, will support this, and is more intended for direct connections to DNS servers to perform actions like this.

The Resolver on the other hand is meant to resolve single records only, and probably should reject AXFR as a RecordType that can be queried. If there's a bug here, it's probably that the Resolver should just error out on AXFR requests.

As an addendum to this, we may have some edge cases around large zones in the current AXFR implementation in the library; there's an existing bug open on the server for large AXFRs, not sure how that applies to the client.

@kpcyrd
Contributor Author

kpcyrd commented Nov 28, 2018

@bluejekyll thanks for the pointer, the client in the trust-dns crate is a lot closer to what I was looking for! I refactored my code from trust-dns-resolver to trust-dns and got AXFR to work that way.

Regardless, is there a reason why the resolver is doing an automatic www. lookup? I can't think of a scenario in which that would be desired.

@kpcyrd kpcyrd closed this as completed Nov 28, 2018
@bluejekyll
Member

is there a reason why the resolver is doing an automatic www. lookup?

Well, my assumption is that because AXFR isn't intentionally supported by the resolver, some CNAME or SRV logic was inadvertently triggered. But I didn't look to confirm this.
