"dig" from BIND 9.18.0 does not recover from a isc_nm_udpconnect() failure
Summary
Using the dig-utility from BIND-9.18.0 (self-compiled), I see a curious behavior when using the "+trace"-option. The dig-tool does in most cases just queries the local resolver for the root-servers and does not follow the delegations:
$ /usr/local/bind-9.18.0/bin/dig @127.0.0.1 +trace www.isc.org
; <<>> DiG 9.18.0 <<>> @127.0.0.1 +trace www.isc.org
; (1 server found)
;; global options: +cmd
. 514551 IN NS m.root-servers.net.
. 514551 IN NS c.root-servers.net.
. 514551 IN NS a.root-servers.net.
. 514551 IN NS i.root-servers.net.
. 514551 IN NS l.root-servers.net.
. 514551 IN NS k.root-servers.net.
. 514551 IN NS e.root-servers.net.
. 514551 IN NS d.root-servers.net.
. 514551 IN NS h.root-servers.net.
. 514551 IN NS f.root-servers.net.
. 514551 IN NS g.root-servers.net.
. 514551 IN NS b.root-servers.net.
. 514551 IN NS j.root-servers.net.
. 514551 IN RRSIG NS 8 0 518400 20220221050000 20220208040000 9799 . fa3vdWBzC56rEdTkuEVhCX2iALLBoYn2H29psjgHC5wPv0ws6wqrC8yG jKJgWRS3xS92NJy8RsrTiv/K+tRoC0AxgQ1kcFJ6UKyfuSuYEkXEOpnk cqQhEHxDVBN7eBQ6mdIuJ/rTzoBJ8PCIW75aHv+OH/3Qt/tf74nZnH0s rptFsc7/d/O56FIu2bzBojBxdi5FUA8fzffKP9eQfyN8wMAyLXfwUtDw LkyAQZMGeTTLA1qWOV0DK8sTBS+YJwOz1PPcQFyDbU9PG6hbXjvBXINg 1v1+17/3knkhICiL8FN4ylEHj8YVMrFNtzhlIipXwy/V/SEhKsHgyJHv BNAhWw==
;; Received 1137 bytes from 127.0.0.1#53(127.0.0.1) in 1 msIn few tries/situations, dig (9.18.0) begins iterating through the dns-hierarchy, but in the most cases, dig stops after querying the local resolver or after iterating one or two steps. I've rarely seen, that dig-9.18.0 finished through the end (the final authoritative server).
$ /usr/local/bind-9.18.0/bin/dig @127.0.0.1 +trace www.isc.org
; <<>> DiG 9.18.0 <<>> @127.0.0.1 +trace www.isc.org
; (1 server found)
;; global options: +cmd
. 514510 IN NS l.root-servers.net.
. 514510 IN NS h.root-servers.net.
. 514510 IN NS f.root-servers.net.
. 514510 IN NS c.root-servers.net.
. 514510 IN NS e.root-servers.net.
. 514510 IN NS b.root-servers.net.
. 514510 IN NS k.root-servers.net.
. 514510 IN NS d.root-servers.net.
. 514510 IN NS g.root-servers.net.
. 514510 IN NS a.root-servers.net.
. 514510 IN NS i.root-servers.net.
. 514510 IN NS j.root-servers.net.
. 514510 IN NS m.root-servers.net.
. 514510 IN RRSIG NS 8 0 518400 20220221050000 20220208040000 9799 . fa3vdWBzC56rEdTkuEVhCX2iALLBoYn2H29psjgHC5wPv0ws6wqrC8yG jKJgWRS3xS92NJy8RsrTiv/K+tRoC0AxgQ1kcFJ6UKyfuSuYEkXEOpnk cqQhEHxDVBN7eBQ6mdIuJ/rTzoBJ8PCIW75aHv+OH/3Qt/tf74nZnH0s rptFsc7/d/O56FIu2bzBojBxdi5FUA8fzffKP9eQfyN8wMAyLXfwUtDw LkyAQZMGeTTLA1qWOV0DK8sTBS+YJwOz1PPcQFyDbU9PG6hbXjvBXINg 1v1+17/3knkhICiL8FN4ylEHj8YVMrFNtzhlIipXwy/V/SEhKsHgyJHv BNAhWw==
;; Received 1137 bytes from 127.0.0.1#53(127.0.0.1) in 0 ms
org. 172800 IN NS a0.org.afilias-nst.info.
org. 172800 IN NS a2.org.afilias-nst.info.
org. 172800 IN NS b0.org.afilias-nst.org.
org. 172800 IN NS b2.org.afilias-nst.org.
org. 172800 IN NS c0.org.afilias-nst.info.
org. 172800 IN NS d0.org.afilias-nst.org.
org. 86400 IN DS 26974 8 2 4FEDE294C53F438A158C41D39489CD78A86BEB0D8A0AEAFF14745C0D 16E1DE32
org. 86400 IN RRSIG DS 8 1 86400 20220221050000 20220208040000 9799 . S8iG14jGn8yS3WsOFOmuRT1omQto8Lwx5mpzTe81Wr3qny2i5NcIbmIj aionGUWQwgxax6lMApHaWHDsq8l2bkodRdRrFZGcQnA2spaQVDUbGJT4 nQxHUL7L7IRw5Vflm8p1EO7EZLV7aKW69dsIDEeuYPp31J3cemjCzD3X e3bHYQKwtrvDz2TVVTaGzMZsgdH0WV+xuJRqV8p1YshbxDE8T+hvXsyF GeL0Sun6ioXfq5lWNfH/hI5hmmMoxoPPppgmNZ5l2Kl5PxzXGYaK832R Kp9Nx8yVRYbAfFhxwC6J2HMPDka+o6lYOCTBhyqkJ+33rk5NH+IGml9k 6mepog==
;; Received 777 bytes from 192.203.230.10#53(e.root-servers.net) in 2 msIt doesn't matter which address/record I try to resolve (www.google.com, www.microsoft.com, www.switch.ch...).
Using a dig older than 9.18.0 (from version 9.11.26 in that case) on the same server and using initially the same server (@127.0.0.1), then this version always iterates to the final authoritative server:
$ /usr/bin/dig @127.0.0.1 +trace www.isc.org
; <<>> DiG 9.11.26-RedHat-9.11.26-4.el8_4 <<>> @127.0.0.1 +trace www.isc.org
; (1 server found)
;; global options: +cmd
. 514368 IN NS g.root-servers.net.
. 514368 IN NS h.root-servers.net.
. 514368 IN NS l.root-servers.net.
. 514368 IN NS b.root-servers.net.
. 514368 IN NS e.root-servers.net.
. 514368 IN NS d.root-servers.net.
. 514368 IN NS k.root-servers.net.
. 514368 IN NS f.root-servers.net.
. 514368 IN NS m.root-servers.net.
. 514368 IN NS c.root-servers.net.
. 514368 IN NS a.root-servers.net.
. 514368 IN NS j.root-servers.net.
. 514368 IN NS i.root-servers.net.
. 514368 IN RRSIG NS 8 0 518400 20220221050000 20220208040000 9799 . fa3vdWBzC56rEdTkuEVhCX2iALLBoYn2H29psjgHC5wPv0ws6wqrC8yG jKJgWRS3xS92NJy8RsrTiv/K+tRoC0AxgQ1kcFJ6UKyfuSuYEkXEOpnk cqQhEHxDVBN7eBQ6mdIuJ/rTzoBJ8PCIW75aHv+OH/3Qt/tf74nZnH0s rptFsc7/d/O56FIu2bzBojBxdi5FUA8fzffKP9eQfyN8wMAyLXfwUtDw LkyAQZMGeTTLA1qWOV0DK8sTBS+YJwOz1PPcQFyDbU9PG6hbXjvBXINg 1v1+17/3knkhICiL8FN4ylEHj8YVMrFNtzhlIipXwy/V/SEhKsHgyJHv BNAhWw==
;; Received 1137 bytes from 127.0.0.1#53(127.0.0.1) in 0 ms
org. 172800 IN NS b2.org.afilias-nst.org.
org. 172800 IN NS a2.org.afilias-nst.info.
org. 172800 IN NS a0.org.afilias-nst.info.
org. 172800 IN NS b0.org.afilias-nst.org.
org. 172800 IN NS d0.org.afilias-nst.org.
org. 172800 IN NS c0.org.afilias-nst.info.
org. 86400 IN DS 26974 8 2 4FEDE294C53F438A158C41D39489CD78A86BEB0D8A0AEAFF14745C0D 16E1DE32
org. 86400 IN RRSIG DS 8 1 86400 20220221050000 20220208040000 9799 . S8iG14jGn8yS3WsOFOmuRT1omQto8Lwx5mpzTe81Wr3qny2i5NcIbmIj aionGUWQwgxax6lMApHaWHDsq8l2bkodRdRrFZGcQnA2spaQVDUbGJT4 nQxHUL7L7IRw5Vflm8p1EO7EZLV7aKW69dsIDEeuYPp31J3cemjCzD3X e3bHYQKwtrvDz2TVVTaGzMZsgdH0WV+xuJRqV8p1YshbxDE8T+hvXsyF GeL0Sun6ioXfq5lWNfH/hI5hmmMoxoPPppgmNZ5l2Kl5PxzXGYaK832R Kp9Nx8yVRYbAfFhxwC6J2HMPDka+o6lYOCTBhyqkJ+33rk5NH+IGml9k 6mepog==
;; Received 811 bytes from 192.36.148.17#53(i.root-servers.net) in 11 ms
isc.org. 86400 IN NS ns2.isc.org.
isc.org. 86400 IN NS ns.isc.afilias-nst.info.
isc.org. 86400 IN NS ns1.isc.org.
isc.org. 86400 IN NS ns3.isc.org.
isc.org. 86400 IN DS 7250 13 2 A30B3F78B6DDE9A4A9A2AD0C805518B4F49EC62E7D3F4531D33DE697 CDA01CB2
isc.org. 86400 IN RRSIG DS 8 2 86400 20220222152200 20220201142200 7986 org. cFxS3wGUhe85mBa6JNo7T0Z1KdpKoi9KeWEJtp8EKGfQp0PGBGWWrWwf oz+hH34L8ttXY5n+54VBo2C8O3cp/g95totmdQezCyoZYDCvRqaGEplp yjJCWY/KaRJ4KcHlkZ6LIt1JOs+eoH4njTfV9l8XYBpVIqYaNFSwMKbf lwE=
;; Received 446 bytes from 199.249.120.1#53(b2.org.afilias-nst.org) in 20 ms
www.isc.org. 300 IN CNAME dualstack.osff2.map.fastly.net.
www.isc.org. 300 IN RRSIG CNAME 13 3 300 20220309140450 20220207132719 27566 isc.org. QRsTnA1etMEBeA/txjOtLVIQXHSo22uuBQNUsIQXkN6j8njRVZ1iEYsV JVgG1f0R2QwNRomK23G9EcvGPaBCcw==
;; Received 215 bytes from 199.6.1.52#53(ns2.isc.org) in 13 msBIND version used
9.18.0
Steps to reproduce
Using the latest dig:
/usr/local/bind-9.18.0/bin/dig @127.0.0.1 +trace www.isc.orgWhat is the current bug behavior?
The utility does not iterates to the final authoritative server and queries this server for the requested resource record.
What is the expected correct behavior?
An answer for the requested RR from the final authoritative server like it works with dig 9.11.26 (for example).