BIND does not iterate over the authoritative nameservers if the first one (or any one) responds with a FORMERR
Summary
BIND stops iterating over/querying the list of authoritative nameservers for a domain if it reaches one which responds with a FORMERR or misbehaves in another way (lame server). This then leads to a SERVFAIL response.
BIND version used
9.18.0
Steps to reproduce
BIND-9.18.0
$ dig @127.0.0.1 www.owkb.ch
; <<>> DiG 9.18.0 <<>> @127.0.0.1 www.owkb.ch
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 36528
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 6aa7ff83c845470901000000620b7d343b1a9d8a88fbf0d9 (good)
;; QUESTION SECTION:
;www.owkb.ch. IN A
;; Query time: 5 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Tue Feb 15 11:15:16 CET 2022
;; MSG SIZE rcvd: 68
BIND logs the following messages:
15-Feb-2022 11:33:07.667 resolver: notice: DNS format error from 77.109.136.195#53 resolving owkb.ch/DNSKEY for <unknown>: server sent FORMERR
15-Feb-2022 11:33:07.667 lame-servers: info: broken trust chain resolving 'www.owkb.ch/A/IN': 185.206.180.142#53
But in the case above, if BIND tried to reach all authoritative servers (and did not just stop after the misbehaving ones), it should be able to validate DNSSEC and respond properly to the client.
See the output from 9.16.25 below:
BIND-9.16.25
$ dig @127.0.0.1 www.owkb.ch
; <<>> DiG 9.16.25 <<>> @127.0.0.1 www.owkb.ch
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39897
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 273929569b369f3d01000000620b7d7914c334213c48199b (good)
;; QUESTION SECTION:
;www.owkb.ch. IN A
;; ANSWER SECTION:
www.owkb.ch. 600 IN A 45.81.71.30
;; Query time: 109 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Feb 15 11:16:25 CET 2022
;; MSG SIZE rcvd: 84
What is the current bug behavior?
To point out where/what the problem could be:
Getting a list of all authoritative NS for "owkb.ch"
$ dig @a.nic.ch +norec +noall +add ns owkb.ch | grep -v AAAA
ns4.securedns.ch. 3600 IN A 185.206.180.142
ns3.securedns.ch. 3600 IN A 77.109.136.195
ns2.securedns.ch. 3600 IN A 91.194.196.37
ns1.securedns.ch. 3600 IN A 91.194.196.36
FORMERR with cookies for server 91.194.196.36
$ dig @91.194.196.36 +noall +comments +norec www.owkb.ch
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: FORMERR, id: 24006
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: e19b7e7d84c089e4 (echoed)
FORMERR with cookies for server 91.194.196.37
$ dig @91.194.196.37 +noall +comments +norec www.owkb.ch
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: FORMERR, id: 2743
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 56e9d26b88d25fe1 (echoed)
FORMERR with cookies for server 77.109.136.195
$ dig @77.109.136.195 +noall +comments +norec www.owkb.ch
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: FORMERR, id: 44738
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 6f279bcb6f849430 (echoed)
Response OK (with cookies) for server 185.206.180.142
$ dig @185.206.180.142 +noall +comments +norec www.owkb.ch
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9053
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
In the case above, only the authoritative server with the IP address "185.206.180.142" works properly with cookies.
But: when I query a misbehaving server without cookies, I get a proper answer:
Querying a misbehaving server without cookies
$ dig @91.194.196.36 +noall +comments +norec +nocookie www.owkb.ch
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61017
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 400
So, the current issue and my assumption now is (as a difference to BIND-9.16.25, where this worked well) that BIND-9.18.0 doesn't re-query the authoritative servers without EDNS/cookies and doesn't iterate over the nameservers if one responds with a failure. I agree that only one of the mentioned four authoritative nameservers is working properly here, but I'm not sure if BIND's behavior here is correct.
What is the expected correct behavior?
The 9.16.25 behavior. I'm expecting that BIND should iterate over the NS RRset and try to query all authoritative nameservers.
Relevant configuration files
To prove my assumption, please have a look at the following snippets:
resolution_not_working.txt: Trace from a freshly started BIND-9.18.0, where we can see that BIND-9.18.0 doesn't query the other authoritative nameservers when it receives a FORMERR
resolution_not_working.txt
No. Time Source Destination Protocol Length Info
1 0.000000 192.168.236.1 10.100.102.21 DNS 94 Standard query 0x4c24 A www.owkb.ch OPT
2 0.000697 10.100.102.21 199.7.83.42 DNS 87 Standard query 0x1f0c A _.ch OPT
3 0.006673 199.7.83.42 10.100.102.21 DNS 714 Standard query response 0x1f0c A _.ch NS a.nic.ch NS b.nic.ch NS d.nic.ch NS e.nic.ch NS f.nic.ch DS RRSIG A 130.59.31.41 A 130.59.31.43 A 194.0.25.39 A 194.0.17.1 A 194.146.106.10 AAAA 2001:620:0:ff::56 AAAA 2001:620:0:ff::58 AAAA 2001:678:20::39 AAAA 2001:678:3::1 AAAA 2001:67c:1010:2::53 OPT
4 0.007058 10.100.102.21 194.0.17.1 DNS 92 Standard query 0xb956 A _.owkb.ch OPT
5 0.008952 194.0.17.1 10.100.102.21 DNS 486 Standard query response 0xb956 A _.owkb.ch NS ns3.securedns.ch NS ns1.securedns.ch NS ns2.securedns.ch NS ns4.securedns.ch DS RRSIG A 185.206.180.142 A 77.109.136.195 A 91.194.196.37 A 91.194.196.36 AAAA 2001:1620:20ad:200::37 AAAA 2a01:6980:aca9:100::22 AAAA 2a01:6980:aca9:100::21 OPT
6 0.009227 10.100.102.21 91.194.196.36 DNS 94 Standard query 0x558d A www.owkb.ch OPT
7 0.012826 91.194.196.36 10.100.102.21 DNS 94 Standard query response 0x558d Format error A www.owkb.ch OPT
8 0.013053 10.100.102.21 192.168.236.1 DNS 110 Standard query response 0x4c24 Server failure A www.owkb.ch OPT
resolution_working.txt: Trace from a freshly started BIND-9.16.25, where we can see that BIND-9.16.25 does query the other authoritative nameservers and also queries without EDNS when a FORMERR is received.
resolution_working.txt
No. Time Source Destination Protocol Length Info
1 0.000000 192.168.236.1 10.100.102.21 DNS 94 Standard query 0xb2e0 A www.owkb.ch OPT
2 0.000474 10.100.102.21 199.7.91.13 DNS 87 Standard query 0xe325 A _.ch OPT
3 0.002459 199.7.91.13 10.100.102.21 DNS 542 Standard query response 0xe325 A _.ch NS a.nic.ch NS b.nic.ch NS d.nic.ch NS e.nic.ch NS f.nic.ch DS RRSIG A 130.59.31.41 A 130.59.31.43 A 194.0.25.39 OPT
4 0.003004 10.100.102.21 130.59.31.41 DNS 92 Standard query 0xa6d6 A _.owkb.ch OPT
5 0.003030 10.100.102.21 192.112.36.4 DNS 91 Standard query 0x1bc1 A e.nic.ch OPT
6 0.003081 10.100.102.21 192.112.36.4 DNS 91 Standard query 0xb193 A f.nic.ch OPT
7 0.005370 130.59.31.41 10.100.102.21 DNS 458 Standard query response 0xa6d6 A _.owkb.ch NS ns3.securedns.ch NS ns1.securedns.ch NS ns2.securedns.ch NS ns4.securedns.ch DS RRSIG A 185.206.180.142 A 77.109.136.195 A 91.194.196.37 A 91.194.196.36 AAAA 2001:1620:20ad:200::37 AAAA 2a01:6980:aca9:100::22 AAAA 2a01:6980:aca9:100::21 OPT
8 0.006457 10.100.102.21 91.194.196.37 DNS 94 Standard query 0xc8f7 A www.owkb.ch OPT
9 0.010055 91.194.196.37 10.100.102.21 DNS 94 Standard query response 0xc8f7 Format error A www.owkb.ch OPT
10 0.010413 10.100.102.21 91.194.196.37 DNS 71 Standard query 0xa777 A www.owkb.ch
11 0.013931 91.194.196.37 10.100.102.21 DNS 87 Standard query response 0xa777 A www.owkb.ch A 45.81.71.30
12 0.014416 10.100.102.21 130.59.31.43 DNS 85 Standard query 0x255b DNSKEY ch OPT
13 0.019445 130.59.31.43 10.100.102.21 DNS 411 Standard query response 0x255b DNSKEY ch DNSKEY DNSKEY DNSKEY RRSIG OPT
14 0.020095 192.112.36.4 10.100.102.21 DNS 554 Standard query response 0x1bc1 A e.nic.ch NS f.nic.ch NS e.nic.ch NS b.nic.ch NS d.nic.ch NS a.nic.ch DS RRSIG A 194.0.17.1 A 194.146.106.10 OPT
15 0.020215 192.112.36.4 10.100.102.21 DNS 554 Standard query response 0xb193 A f.nic.ch NS a.nic.ch NS b.nic.ch NS f.nic.ch NS e.nic.ch NS d.nic.ch DS RRSIG A 194.146.106.10 A 194.0.17.1 OPT
16 0.020515 10.100.102.21 91.194.196.36 DNS 94 Standard query 0xcb0f DS www.owkb.ch OPT
17 0.020753 10.100.102.21 194.146.106.10 DNS 91 Standard query 0x8afc A e.nic.ch OPT
18 0.020891 10.100.102.21 194.146.106.10 DNS 91 Standard query 0x4113 A f.nic.ch OPT
19 0.024610 91.194.196.36 10.100.102.21 DNS 94 Standard query response 0xcb0f Format error DS www.owkb.ch OPT
20 0.024855 10.100.102.21 91.194.196.36 DNS 71 Standard query 0xaf3f DS www.owkb.ch
21 0.028338 91.194.196.36 10.100.102.21 DNS 144 Standard query response 0xaf3f DS www.owkb.ch SOA ns1.securedns.ch
22 0.028730 10.100.102.21 185.206.180.142 DNS 94 Standard query 0x000d DS www.owkb.ch OPT
23 0.031501 194.146.106.10 10.100.102.21 DNS 221 Standard query response 0x8afc A e.nic.ch A 194.0.17.1 RRSIG OPT
24 0.031634 194.146.106.10 10.100.102.21 DNS 221 Standard query response 0x4113 A f.nic.ch A 194.146.106.10 RRSIG OPT
25 0.055298 185.206.180.142 10.100.102.21 DNS 82 Standard query response 0x000d DS www.owkb.ch OPT
26 0.055582 10.100.102.21 185.206.180.142 TCP 66 33505 → 53 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 WS=128
27 0.082008 185.206.180.142 10.100.102.21 TCP 66 53 → 33505 [SYN, ACK] Seq=0 Ack=1 Win=29200 Len=0 MSS=1460 SACK_PERM=1 WS=128
28 0.082055 10.100.102.21 185.206.180.142 TCP 54 33505 → 53 [ACK] Seq=1 Ack=1 Win=29312 Len=0
29 0.082222 10.100.102.21 185.206.180.142 DNS 108 Standard query 0x5f79 DS www.owkb.ch OPT
30 0.108949 185.206.180.142 10.100.102.21 TCP 60 53 → 33505 [ACK] Seq=1 Ack=55 Win=29312 Len=0
31 0.109262 185.206.180.142 10.100.102.21 DNS 592 Standard query response 0x5f79 DS www.owkb.ch SOA ns1.securedns.ch RRSIG NSEC3 RRSIG OPT
32 0.109283 10.100.102.21 185.206.180.142 TCP 54 33505 → 53 [ACK] Seq=55 Ack=539 Win=30336 Len=0
33 0.109695 10.100.102.21 185.206.180.142 TCP 54 33505 → 53 [FIN, ACK] Seq=55 Ack=539 Win=30336 Len=0
34 0.109863 10.100.102.21 77.109.136.195 DNS 90 Standard query 0x8060 DNSKEY owkb.ch OPT
35 0.112018 77.109.136.195 10.100.102.21 DNS 90 Standard query response 0x8060 Format error DNSKEY owkb.ch OPT
36 0.112283 10.100.102.21 77.109.136.195 DNS 67 Standard query 0x6eef DNSKEY owkb.ch
37 0.114336 77.109.136.195 10.100.102.21 DNS 491 Standard query response 0x6eef DNSKEY owkb.ch DNSKEY DNSKEY
38 0.114612 10.100.102.21 77.109.136.195 TCP 66 52793 → 53 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 WS=128
39 0.116673 77.109.136.195 10.100.102.21 TCP 66 53 → 52793 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1
40 0.116702 10.100.102.21 77.109.136.195 TCP 54 52793 → 53 [ACK] Seq=1 Ack=1 Win=29312 Len=0
41 0.116786 10.100.102.21 77.109.136.195 DNS 81 Standard query 0xaf6f DNSKEY owkb.ch
42 0.118761 77.109.136.195 10.100.102.21 DNS 653 Standard query response 0xaf6f DNSKEY owkb.ch DNSKEY DNSKEY DNSKEY
43 0.118781 10.100.102.21 77.109.136.195 TCP 54 52793 → 53 [ACK] Seq=28 Ack=600 Win=30464 Len=0
44 0.119068 10.100.102.21 91.194.196.37 DNS 67 Standard query 0x7420 DNSKEY owkb.ch
45 0.119098 10.100.102.21 77.109.136.195 TCP 54 52793 → 53 [FIN, ACK] Seq=28 Ack=600 Win=30464 Len=0
46 0.120844 77.109.136.195 10.100.102.21 TCP 60 53 → 52793 [ACK] Seq=600 Ack=29 Win=65536 Len=0
47 0.120872 77.109.136.195 10.100.102.21 TCP 60 53 → 52793 [FIN, ACK] Seq=600 Ack=29 Win=65536 Len=0
48 0.120889 10.100.102.21 77.109.136.195 TCP 54 52793 → 53 [ACK] Seq=29 Ack=601 Win=30464 Len=0
49 0.122745 91.194.196.37 10.100.102.21 DNS 491 Standard query response 0x7420 DNSKEY owkb.ch DNSKEY DNSKEY
50 0.122926 10.100.102.21 91.194.196.37 TCP 66 42337 → 53 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 WS=128
51 0.126422 91.194.196.37 10.100.102.21 TCP 66 53 → 42337 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1
52 0.126445 10.100.102.21 91.194.196.37 TCP 54 42337 → 53 [ACK] Seq=1 Ack=1 Win=29312 Len=0
53 0.126515 10.100.102.21 91.194.196.37 DNS 81 Standard query 0xdc41 DNSKEY owkb.ch
54 0.129737 91.194.196.37 10.100.102.21 DNS 653 Standard query response 0xdc41 DNSKEY owkb.ch DNSKEY DNSKEY DNSKEY
55 0.129762 10.100.102.21 91.194.196.37 TCP 54 42337 → 53 [ACK] Seq=28 Ack=600 Win=30464 Len=0
56 0.130084 10.100.102.21 91.194.196.36 DNS 67 Standard query 0x8478 DNSKEY owkb.ch
57 0.130110 10.100.102.21 91.194.196.37 TCP 54 42337 → 53 [FIN, ACK] Seq=28 Ack=600 Win=30464 Len=0
58 0.133226 91.194.196.37 10.100.102.21 TCP 60 53 → 42337 [ACK] Seq=600 Ack=29 Win=131328 Len=0
59 0.133307 91.194.196.37 10.100.102.21 TCP 60 53 → 42337 [FIN, ACK] Seq=600 Ack=29 Win=131328 Len=0
60 0.133320 10.100.102.21 91.194.196.37 TCP 54 42337 → 53 [ACK] Seq=29 Ack=601 Win=30464 Len=0
61 0.133791 91.194.196.36 10.100.102.21 DNS 491 Standard query response 0x8478 DNSKEY owkb.ch DNSKEY DNSKEY
62 0.133992 10.100.102.21 91.194.196.36 TCP 66 35661 → 53 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 WS=128
63 0.136092 185.206.180.142 10.100.102.21 TCP 60 53 → 33505 [FIN, ACK] Seq=539 Ack=56 Win=29312 Len=0
64 0.136107 10.100.102.21 185.206.180.142 TCP 54 33505 → 53 [ACK] Seq=56 Ack=540 Win=30336 Len=0
65 0.137485 91.194.196.36 10.100.102.21 TCP 66 53 → 35661 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1
66 0.137509 10.100.102.21 91.194.196.36 TCP 54 35661 → 53 [ACK] Seq=1 Ack=1 Win=29312 Len=0
67 0.137596 10.100.102.21 91.194.196.36 DNS 81 Standard query 0x818d DNSKEY owkb.ch
68 0.140906 91.194.196.36 10.100.102.21 DNS 653 Standard query response 0x818d DNSKEY owkb.ch DNSKEY DNSKEY DNSKEY
69 0.140927 10.100.102.21 91.194.196.36 TCP 54 35661 → 53 [ACK] Seq=28 Ack=600 Win=30464 Len=0
70 0.141225 10.100.102.21 185.206.180.142 DNS 90 Standard query 0x2e6b DNSKEY owkb.ch OPT
71 0.141252 10.100.102.21 91.194.196.36 TCP 54 35661 → 53 [FIN, ACK] Seq=28 Ack=600 Win=30464 Len=0
72 0.144281 91.194.196.36 10.100.102.21 TCP 60 53 → 35661 [ACK] Seq=600 Ack=29 Win=131328 Len=0
73 0.144299 91.194.196.36 10.100.102.21 TCP 60 53 → 35661 [FIN, ACK] Seq=600 Ack=29 Win=131328 Len=0
74 0.144313 10.100.102.21 91.194.196.36 TCP 54 35661 → 53 [ACK] Seq=29 Ack=601 Win=30464 Len=0
75 0.167684 185.206.180.142 10.100.102.21 DNS 1112 Standard query response 0x2e6b DNSKEY owkb.ch DNSKEY DNSKEY DNSKEY RRSIG RRSIG OPT
76 0.168504 10.100.102.21 91.194.196.36 DNS 94 Standard query 0xabcf A www.owkb.ch OPT
77 0.172171 91.194.196.36 10.100.102.21 DNS 94 Standard query response 0xabcf Format error A www.owkb.ch OPT
78 0.172415 10.100.102.21 91.194.196.36 DNS 71 Standard query 0xa4d9 A www.owkb.ch
79 0.175976 91.194.196.36 10.100.102.21 DNS 87 Standard query response 0xa4d9 A www.owkb.ch A 45.81.71.30
80 0.176349 10.100.102.21 185.206.180.142 DNS 94 Standard query 0x22ac A www.owkb.ch OPT
81 0.202836 185.206.180.142 10.100.102.21 DNS 265 Standard query response 0x22ac A www.owkb.ch A 45.81.71.30 RRSIG OPT
82 0.203274 10.100.102.21 192.168.236.1 DNS 126 Standard query response 0xb2e0 A www.owkb.ch A 45.81.71.30 OPT
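The following is an added example, not code from the bug report and not BIND's resolver code. It reproduces the reporter's manual dig checks offline at the DNS wire-format level and models the two resolver strategies the report compares: build_query() emits a non-recursive A query either with an EDNS(0) OPT record carrying a client COOKIE option (what BIND sends by default), with EDNS but no cookie (dig +nocookie), or with no EDNS at all (the retry seen in the 9.16.25 trace); resolve() walks an NS RRset and, with fallback=True, retries a FORMERR server without EDNS and otherwise moves on to the next server, while fallback=False stops at the first failure, which is the 9.18.0 behaviour the reporter describes. FakeTransport, OWKB_NS and the "formerr_on_cookie"/"ok" behaviours are constructed stand-ins that imitate the four ns*.securedns.ch addresses and the 45.81.71.30 answer from the report; no real server is contacted.

```python
"""Added example (not from the bug report or from BIND): DNS wire-format probe
that rebuilds the reporter's dig checks offline and models the resolver
fallback the 9.16.25 trace shows against the stop-on-first-error behaviour
seen in 9.18.0.  FakeTransport is a constructed UDP stand-in; replace it with
sendto()/recvfrom() to probe live servers."""
import os
import struct

NOERROR, FORMERR, SERVFAIL = 0, 1, 2
TYPE_A, TYPE_OPT, CLASS_IN = 1, 41, 1
OPT_COOKIE, EDNS_UDP_SIZE = 10, 1232   # COOKIE option code; dig's buffer size


def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def build_query(qname, qid, edns=True, cookie=True):
    """Non-recursive A query.  edns=False: no OPT at all (BIND's FORMERR
    fallback); cookie=False: OPT without a COOKIE option (dig +nocookie)."""
    msg = struct.pack("!HHHHHH", qid, 0, 1, 0, 0, 1 if edns else 0)
    msg += encode_name(qname) + struct.pack("!HH", TYPE_A, CLASS_IN)
    if edns:
        rdata = b""
        if cookie:   # client cookie is 8 random bytes
            rdata = struct.pack("!HH", OPT_COOKIE, 8) + os.urandom(8)
        # OPT RR: root owner, type 41, class = UDP size, TTL = ext-rcode/version/flags
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, EDNS_UDP_SIZE, 0, len(rdata)) + rdata
    return msg


def parse_header(msg):
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": qid, "qr": bool(flags & 0x8000), "rcode": flags & 0xF,
            "ancount": an, "arcount": ar}


def question_end(msg):
    """Offset just past the single question (name + type + class)."""
    i = 12
    while msg[i]:
        i += msg[i] + 1
    return i + 1 + 4


def has_cookie_option(opt):
    """True if an OPT RR (root owner + 10 fixed bytes + options) carries COOKIE."""
    i = 11
    while i + 4 <= len(opt):
        code, length = struct.unpack("!HH", opt[i:i + 4])
        if code == OPT_COOKIE:
            return True
        i += 4 + length
    return False


def answer_ipv4(msg):
    """Dotted quad from the first answer RR, or None if there is no A answer."""
    if not parse_header(msg)["ancount"]:
        return None
    i = question_end(msg)
    while msg[i] and msg[i] & 0xC0 != 0xC0:   # skip labels up to root/pointer
        i += msg[i] + 1
    i += 2 if msg[i] & 0xC0 == 0xC0 else 1
    rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[i:i + 10])
    rdata = msg[i + 10:i + 10 + rdlen]
    return ".".join(map(str, rdata)) if rtype == TYPE_A and rdlen == 4 else None


def resolve(servers, qname, transport, fallback=True):
    """Walk the NS RRset.  fallback=True: on FORMERR retry the same server
    without EDNS, on any other failure try the next server (9.16.25 trace).
    fallback=False: the first failure ends the lookup (what 9.18.0 showed).
    Returns (rcode, ip, attempts) with attempts = [(server, edns, rcode)]."""
    attempts = []
    for server in servers:
        for edns in (True, False):
            qid = int.from_bytes(os.urandom(2), "big")
            reply = transport.send(server, build_query(qname, qid, edns=edns))
            hdr = parse_header(reply)
            if hdr["id"] != qid or not hdr["qr"]:
                break                             # bogus reply: treat as dead
            attempts.append((server, edns, hdr["rcode"]))
            if hdr["rcode"] == NOERROR and hdr["ancount"]:
                return NOERROR, answer_ipv4(reply), attempts
            if hdr["rcode"] != FORMERR or not fallback:
                break                             # lame/refused: next server
        if not fallback:
            break                                 # first error ends the lookup
    return SERVFAIL, None, attempts


class FakeTransport:
    """Constructed UDP stand-in imitating the report's nameservers."""
    ANSWER_IP = bytes([45, 81, 71, 30])   # www.owkb.ch A record from the report

    def __init__(self, behaviour):
        self.behaviour = behaviour        # {ip: "ok" | "formerr_on_cookie"}

    def send(self, server, query):
        hdr, qend = parse_header(query), question_end(query)
        question, opt = query[12:qend], query[qend:]
        if self.behaviour[server] == "formerr_on_cookie" and has_cookie_option(opt):
            # reject and echo the OPT (cookie) back, as the reporter's dig showed
            return struct.pack("!HHHHHH", hdr["id"], 0x8000 | FORMERR, 1, 0, 0, 1) + question + opt
        answer = struct.pack("!HHHIH", 0xC00C, TYPE_A, CLASS_IN, 600, 4) + self.ANSWER_IP
        return (struct.pack("!HHHHHH", hdr["id"], 0x8400, 1, 1, 0, hdr["arcount"])
                + question + answer + opt)


# constructed: the owkb.ch NS addresses from the report, in 9.18.0's query order
OWKB_NS = ["91.194.196.36", "91.194.196.37", "77.109.136.195", "185.206.180.142"]
OWKB_FAKE = FakeTransport({**dict.fromkeys(OWKB_NS[:3], "formerr_on_cookie"), OWKB_NS[3]: "ok"})
```

Usage: resolve(OWKB_NS, "www.owkb.ch", OWKB_FAKE) returns (NOERROR, "45.81.71.30", ...) after a FORMERR and a plain retry against the first server, while resolve(..., fallback=False) returns SERVFAIL after that single FORMERR. As a cross-check against the traces above, the plain query build_query(..., edns=False) is 29 bytes and the cookie-carrying one 52 bytes, which is consistent with the 71- and 94-byte frames in the captures once 42 bytes of Ethernet/IPv4/UDP headers are added.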