BIND 9.18 caches dnssec-failed.org with validation enabled
Summary
BIND 9.18 caches the answer obtained with +cd and returns it to subsequent +nocd queries
BIND version used
BIND 9.18.0 (Stable Release) <id:>
running on Linux x86_64 5.15.16-100.fc34.x86_64 #1 SMP Thu Jan 20 16:34:27 UTC 2022
built by make with '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--program-prefix=' '--disable-dependency-tracking' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--localstatedir=/var' '--with-pic' '--disable-static' '--includedir=/usr/include/bind9' '--with-tuning=large' '--with-libidn2' '--with-maxminddb' '--with-gssapi=yes' '--with-lmdb=yes' '--with-json-c' '--enable-dnstap' '--with-cmocka' '--enable-fixed-rrset' '--enable-full-report' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'CC=gcc' 'CFLAGS= -O2 -flto=auto -ffat-lto-objects -fexceptions -g -grecord-gcc-switches -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection' 'LDFLAGS=-Wl,-z,relro -Wl,--as-needed -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld ' 'LT_SYS_LIBRARY_PATH=/usr/lib64:' 'PKG_CONFIG_PATH=:/usr/lib64/pkgconfig:/usr/share/pkgconfig'
compiled by GCC 11.2.1 20220127 (Red Hat 11.2.1-9)
compiled with OpenSSL version: OpenSSL 1.1.1l FIPS 24 Aug 2021
linked to OpenSSL version: OpenSSL 1.1.1l FIPS 24 Aug 2021
compiled with libuv version: 1.43.0
linked to libuv version: 1.43.0
compiled with libnghttp2 version: 1.43.0
linked to libnghttp2 version: 1.43.0
compiled with libxml2 version: 2.9.12
linked to libxml2 version: 20913
compiled with json-c version: 0.14
linked to json-c version: 0.14
compiled with zlib version: 1.2.11
linked to zlib version: 1.2.11
linked to maxminddb version: 1.5.2
compiled with protobuf-c version: 1.3.3
linked to protobuf-c version: 1.3.3
threads support is enabled
default paths:
named configuration: /etc/named.conf
rndc configuration: /etc/rndc.conf
DNSSEC root key: /etc/bind.keys
nsupdate session key: /var/run/named/session.key
named PID file: /var/run/named/named.pid
named lock file: /var/run/named/named.lock
geoip-directory: /usr/share/GeoIP
Steps to reproduce
- have `dnssec-validation yes;` configured and the root trust anchor imported.
. initial-ds 20326 8 2 "E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D";
- dig +cd www.dnssec-failed.org (may need to be repeated until a positive answer is returned)
- dig +nocd www.dnssec-failed.org
What is the current bug behavior?
- the +nocd query still returns NOERROR with addresses; I expected SERVFAIL again
$ dig @::1 +nocd www.dnssec-failed.org
; <<>> DiG 9.18.0 <<>> @::1 +nocd www.dnssec-failed.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21718
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 6c70a9e44a7ffcf701000000622f152d2413f11f68a442db (good)
;; QUESTION SECTION:
;www.dnssec-failed.org. IN A
;; ANSWER SECTION:
www.dnssec-failed.org. 6662 IN A 68.87.109.242
www.dnssec-failed.org. 6662 IN A 69.252.193.191
;; Query time: 0 msec
;; SERVER: ::1#53(::1) (UDP)
;; WHEN: Mon Mar 14 11:13:01 CET 2022
;; MSG SIZE rcvd: 110
What is the expected correct behavior?
# after fresh restart
$ dig @::1 +nocd www.dnssec-failed.org
; <<>> DiG 9.18.0 <<>> @::1 +nocd www.dnssec-failed.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 21950
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 16cf9cb36abb75c301000000622f154a1af861880a048f72 (good)
;; QUESTION SECTION:
;www.dnssec-failed.org. IN A
;; Query time: 278 msec
;; SERVER: ::1#53(::1) (UDP)
;; WHEN: Mon Mar 14 11:13:30 CET 2022
;; MSG SIZE rcvd: 78
Relevant configuration files
My test machine's config contains a lot of test zones. It also has a slave copy of the root zone for testing, in case that is relevant.
// Address list for the libvirt guest network; referenced by the global allow-query
// and by view "libvirt" below.
acl "virtnet" {
192.168.122.0/24;
};
// GeoIP-based ACL for country code CZ. Not referenced anywhere in the pasted config.
// NOTE(review): keyword and string appear fused here ("country"CZ""); presumably whitespace
// was lost in the paste — verify against the on-disk file.
acl "czechia" {
country"CZ";
};
// GeoIP-based ACL for country code US. Not referenced anywhere in the pasted config.
// NOTE(review): same fused keyword/string rendering as acl "czechia" — likely a paste artifact.
acl "us" {
country"US";
};
// rndc control channel: bound to loopback only, and every command must be
// authenticated with "rndc-key" (defined near the end of the file).
controls {
inet 127.0.0.1 port 953 allow {
127.0.0.1/32;
} keys {
"rndc-key";
};
};
// Two log channels; "severity dynamic" means the level follows the debug level
// set at runtime (e.g. via rndc trace), so normal runs log at the default level.
logging {
// Relative path: resolved under the options "directory" (/var/named).
channel "default_debug" {
file "data/named.run";
severity dynamic;
};
channel "default_syslog" {
syslog "daemon";
severity dynamic;
};
};
// Named primaries list for ICANN's public zone-transfer service; used by the
// root/arpa/root-servers.net slave zones in view "v6". No TSIG key is attached, so
// those transfers are authenticated by source address only.
masters "xfr.dns.icann.org" {
192.0.32.132;
2620:0:2d0:202::132;
192.0.47.132;
2620:0:2830:202::132;
};
options {
bindkeys-file "/etc/named.root.key";
directory "/var/named";
// NOTE(review): keyword and path appear fused ("file"/var/..."); likely a paste artifact.
dnstap-output file"/var/named/data/dnstap";
dump-file "/var/named/data/cache_dump.db";
geoip-directory "/usr/share/GeoIP";
// Non-standard port 8053 on loopback and on the host side of the guest network;
// standard port 53 on 192.168.122.2 (IPv4) and ::1 (IPv6). The dig output in this
// report targets ::1#53.
listen-on port 8053 {
127.0.0.1/32;
};
listen-on port 8053 {
192.168.122.1/32;
};
listen-on port 53 {
192.168.122.2/32;
};
listen-on-v6 port 53 {
::1/128;
};
managed-keys-directory "/var/named/dynamic";
memstatistics-file "/var/named/data/named_mem_stats.txt";
pid-file "/run/named/named.pid";
secroots-file "/run/named/named.secroots";
// Session key used by "update-policy local" zones below.
session-keyfile "/run/named/session.key";
// Lets rndc addzone/delzone add zones at runtime (persisted by named, LMDB is built in).
allow-new-zones yes;
// Validation treats these algorithms / DS digest types as unsupported for every name
// under ".": data signed only with them is handled as insecure rather than bogus.
disable-algorithms "." {
"RSAMD5";
"RSASHA1";
"NSEC3RSASHA1";
"DSA";
};
disable-ds-digests "." {
"SHA-1";
"GOST";
};
disable-empty-zone "10.in-addr.arpa";
disable-empty-zone "168.192.in-addr.arpa";
disable-empty-zone "172.in-addr.arpa";
// Explicitly allow these forwarded names to resolve insecurely.
dnssec-must-be-secure "virtmgr.local" no;
dnssec-must-be-secure "vm" no;
// "yes" (as opposed to "auto") validates with the configured trust anchors only —
// the root DS is supplied in the trust-anchors block at the end of the file. This is
// the setting under which the +cd answer was served to a +nocd query in this report.
dnssec-validation yes;
dnstap {
auth;
client response;
resolver response;
};
lame-ttl 10;
recursion yes;
// Stale answers are never served, so the NOERROR answer in the report came from a
// non-expired cache entry.
stale-cache-enable no;
// Recursive service restricted to this host and the guest network.
allow-query {
"localhost";
"virtnet";
};
key-directory "/etc/named/keys";
zone-statistics yes;
};
// Statistics HTTP endpoint on loopback port 80. It is unauthenticated, so the
// allow list (localhost) is its only access control.
statistics-channels {
inet 127.0.0.1 port 80 allow {
"localhost";
};
};
// View serving queries from ::1 only (the dig runs in this report hit ::1). Most of the
// test zones are defined here and shared with the other views via in-view.
view "v6" {
match-clients {
::1/128;
};
// Test-only trust anchor for "test." (flags 257 = KSK/SEP, algorithm 10 = RSASHA512).
trust-anchors {
"test." initial-key 257 3 10 "AwEAAcW9/F0aQSya01izYiwAJfJifR3jmux4fi2l90YpjV+veUsZ9adK KGyHYgaQ3Ra7JGwwBHAOxta5xn3/IasfbWJphNg81OA6OLX+2ve8x06V 2iKXbpA8VUeZi8CAN+Syi6ZbIM+AoRu8aiFe7TZGsvsOyr1qpV2C/GOS SDlnoh/7rl1tYDMeVtYmPutDEVM8StuY3ph88H4ozE6onBwK3iZbbh8o SNDyUxbNJY/W6oJfg13PI/b8Gt8Sr9mA7NLEx9+n7VyvZMUYrDVZOmko TAl2YbEheQ8Ad8GZNS/jsV99hKjXvlW0un6FtkRs4P9mt5HWLvAe8J+9 u/oBcV1ZZXN+J5LuMBM5XkNldCctS+paRPemRmO1k4iF7+vY2ZLfr8Ka r8G7OSkbgu0viMy+y3SCxiq0HPUreydUNKOMh34OmeRRAKMZtNtqXA7z 2iZaZ9feWNrHNld04CAfNDDVbp56qOFAvKSCQd2/QVM4RSZbZQSWuIJj cIXZqjfaj8DtzlvJ9hpGq7VsO5ARku03lsj4+ny1cJi7EmyMtPbCoaS0 k1P5lrqzJYQOM0nYkyBJkuyc6BZVLOas9h/l/n42wBhzer/gKeD0h2QH EfhbBYsDbAeAPRCkIw+cK0hAQwsvrkR4W7164t78OeJ+E8Gc5Hdr1V7x QAzJDuWjKuX5/7RF";
};
// Root hints; a slave copy of "." is additionally configured further down in this view.
zone "." IN {
type hint;
file "named.ca";
};
// Split-horizon data: view "default" serves a different file for the same name.
zone "virt" {
type master;
file "virt-v6.zone";
};
// update-policy local: dynamic updates are accepted only when signed with named's
// own session key (session-keyfile in options).
// auto-dnssec allow: keys in key-directory are picked up on rndc sign/loadkeys only;
// "maintain" (used by the zones below) also schedules rollovers automatically.
// NOTE(review): auto-dnssec is superseded by dnssec-policy in current releases.
zone "test" {
type master;
file "dynamic/test.db";
update-policy local;
allow-query {
"localhost";
"virtnet";
};
auto-dnssec allow;
};
zone "ipa.test" {
type master;
file "dynamic/ipa.test.db";
update-policy local;
allow-query {
"localhost";
"virtnet";
};
auto-dnssec maintain;
};
// inline-signing: the unsigned file is signed into the ".signed" file by named.
zone "2.test" {
type master;
file "2.test.db.signed";
inline-signing yes;
allow-query {
"localhost";
"virtnet";
};
auto-dnssec maintain;
};
// Transfer from 10.0.138.23 is not TSIG-protected (no key in the masters list).
zone "3.test" {
type slave;
file "slaves/3.test.db";
masters {
10.0.138.23;
};
};
zone "inazure.test" {
type master;
file "inazure.test.db.signed";
inline-signing yes;
auto-dnssec maintain;
};
zone "azure.test" {
type master;
file "azure.test.db.signed";
inline-signing yes;
auto-dnssec maintain;
};
zone "long.test" {
type master;
file "long.test.db.signed";
inline-signing yes;
auto-dnssec maintain;
};
zone "very-long-01234567890123456789012345678901234567.test" {
type master;
file "very-long-01234567890123456789012345678901234567.test.db.signed";
inline-signing yes;
auto-dnssec maintain;
};
zone "very-long-0123456789012345678901234567890123456789.test" {
type master;
file "very-long-0123456789012345678901234567890123456789.test.db.signed";
inline-signing yes;
auto-dnssec maintain;
};
zone "unsupported.test" IN {
type master;
file "unsupported.test.db.signed";
inline-signing yes;
allow-query {
"localhost";
"virtnet";
};
auto-dnssec maintain;
};
zone "mixed.test" IN {
type master;
file "mixed.test.db.signed";
inline-signing yes;
update-policy local;
allow-query {
"localhost";
"virtnet";
};
auto-dnssec maintain;
};
// Forward-only zones: no recursion fallback if the forwarder fails.
zone "blackhole.example.net" IN {
type forward;
forward only;
forwarders port 2053 {
127.0.0.1;
};
};
zone "vm" IN {
type forward;
forward only;
forwarders {
192.168.122.1;
};
};
zone "virtmgr.local" {
type forward;
forward only;
forwarders {
192.168.122.1;
};
};
// Second "." definition in this view: a slave copy of the root zone transferred from
// ICANN (the hint zone above remains). notify no: do not send NOTIFY for these copies.
zone "." IN {
type slave;
file "slaves/db.root";
masters {
"xfr.dns.icann.org";
};
notify no;
};
zone "in-addr.arpa" IN {
type slave;
file "slaves/db.in-addr.arpa";
masters {
"xfr.dns.icann.org";
};
notify no;
};
zone "arpa" IN {
type slave;
file "slaves/db.arpa";
masters {
"xfr.dns.icann.org";
};
notify no;
};
zone "root-servers.net" IN {
type slave;
file "slaves/db.root-servers.net";
masters {
"xfr.dns.icann.org";
};
masterfile-format raw;
notify no;
};
zone "ipv4.only.arpa" IN {
type slave;
file "slaves/db.ipv4.only.arpa";
masters {
"xfr.dns.icann.org";
};
notify no;
};
zone "ip6.arpa" IN {
type slave;
file "slaves/db.ip6.arpa";
masters {
"xfr.dns.icann.org";
};
notify no;
};
zone "ip6-servers.arpa" IN {
type slave;
file "slaves/db.ip6-servers.arpa";
masters {
"xfr.dns.icann.org";
};
notify no;
};
zone "mcast.net" IN {
type slave;
file "slaves/db.mcast.net";
masters {
"xfr.dns.icann.org";
};
notify no;
};
zone "224.in-addr.arpa" IN {
type slave;
file "slaves/db.224.in-addr.arpa";
masters {
"xfr.dns.icann.org";
};
notify no;
};
zone "225.in-addr.arpa" IN {
type slave;
file "slaves/db.225.in-addr.arpa";
masters {
"xfr.dns.icann.org";
};
notify no;
};
zone "226.in-addr.arpa" IN {
type slave;
file "slaves/db.226.in-addr.arpa";
masters {
"xfr.dns.icann.org";
};
notify no;
};
zone "227.in-addr.arpa" IN {
type slave;
file "slaves/db.227.in-addr.arpa";
masters {
"xfr.dns.icann.org";
};
notify no;
};
zone "228.in-addr.arpa" IN {
type slave;
file "slaves/db.228.in-addr.arpa";
masters {
"xfr.dns.icann.org";
};
notify no;
};
zone "229.in-addr.arpa" IN {
type slave;
file "slaves/db.229.in-addr.arpa";
masters {
"xfr.dns.icann.org";
};
notify no;
};
zone "230.in-addr.arpa" IN {
type slave;
file "slaves/db.230.in-addr.arpa";
masters {
"xfr.dns.icann.org";
};
notify no;
};
zone "231.in-addr.arpa" IN {
type slave;
file "slaves/db.231.in-addr.arpa";
masters {
"xfr.dns.icann.org";
};
notify no;
};
zone "232.in-addr.arpa" IN {
type slave;
file "slaves/db.232.in-addr.arpa";
masters {
"xfr.dns.icann.org";
};
notify no;
};
zone "233.in-addr.arpa" IN {
type slave;
file "slaves/db.233.in-addr.arpa";
masters {
"xfr.dns.icann.org";
};
notify no;
};
zone "234.in-addr.arpa" IN {
type slave;
file "slaves/db.234.in-addr.arpa";
masters {
"xfr.dns.icann.org";
};
notify no;
};
zone "235.in-addr.arpa" IN {
type slave;
file "slaves/db.235.in-addr.arpa";
masters {
"xfr.dns.icann.org";
};
notify no;
};
zone "236.in-addr.arpa" IN {
type slave;
file "slaves/db.236.in-addr.arpa";
masters {
"xfr.dns.icann.org";
};
notify no;
};
zone "237.in-addr.arpa" IN {
type slave;
file "slaves/db.237.in-addr.arpa";
masters {
"xfr.dns.icann.org";
};
notify no;
};
zone "238.in-addr.arpa" IN {
type slave;
file "slaves/db.238.in-addr.arpa";
masters {
"xfr.dns.icann.org";
};
notify no;
};
zone "239.in-addr.arpa" IN {
type slave;
file "slaves/db.239.in-addr.arpa";
masters {
"xfr.dns.icann.org";
};
notify no;
};
// forward first: falls back to normal recursion if the internal forwarders do not answer.
zone "redhat.com" IN {
type forward;
forward first;
forwarders {
10.45.248.15;
10.38.5.26;
};
};
// allow-update any: unsigned dynamic updates are accepted from every client that reaches
// this view; the view's match-clients (::1 only) is the only restriction on who can do so.
zone "example.com." IN {
type master;
file "dynamic/example.com.zone";
allow-update {
"any";
};
};
zone "cname" {
type master;
file "cname.test";
};
};
// View for clients on the guest network (acl "virtnet"). Its test zones are references to
// the zone objects defined in view "v6" (in-view), not separate copies.
view "libvirt" {
match-clients {
"virtnet";
};
// Same test-only trust anchor as in view "v6"; trust anchors are per view.
trust-anchors {
"test." initial-key 257 3 10 "AwEAAcW9/F0aQSya01izYiwAJfJifR3jmux4fi2l90YpjV+veUsZ9adK KGyHYgaQ3Ra7JGwwBHAOxta5xn3/IasfbWJphNg81OA6OLX+2ve8x06V 2iKXbpA8VUeZi8CAN+Syi6ZbIM+AoRu8aiFe7TZGsvsOyr1qpV2C/GOS SDlnoh/7rl1tYDMeVtYmPutDEVM8StuY3ph88H4ozE6onBwK3iZbbh8o SNDyUxbNJY/W6oJfg13PI/b8Gt8Sr9mA7NLEx9+n7VyvZMUYrDVZOmko TAl2YbEheQ8Ad8GZNS/jsV99hKjXvlW0un6FtkRs4P9mt5HWLvAe8J+9 u/oBcV1ZZXN+J5LuMBM5XkNldCctS+paRPemRmO1k4iF7+vY2ZLfr8Ka r8G7OSkbgu0viMy+y3SCxiq0HPUreydUNKOMh34OmeRRAKMZtNtqXA7z 2iZaZ9feWNrHNld04CAfNDDVbp56qOFAvKSCQd2/QVM4RSZbZQSWuIJj cIXZqjfaj8DtzlvJ9hpGq7VsO5ARku03lsj4+ny1cJi7EmyMtPbCoaS0 k1P5lrqzJYQOM0nYkyBJkuyc6BZVLOas9h/l/n42wBhzer/gKeD0h2QH EfhbBYsDbAeAPRCkIw+cK0hAQwsvrkR4W7164t78OeJ+E8Gc5Hdr1V7x QAzJDuWjKuX5/7RF";
};
zone "." IN {
type hint;
file "named.ca";
};
zone "test" {
in-view "v6";
};
zone "ipa.test" {
in-view "v6";
};
zone "2.test" {
in-view "v6";
};
zone "3.test" {
in-view "v6";
};
zone "inazure.test" {
in-view "v6";
};
zone "azure.test" {
in-view "v6";
};
zone "unsupported.test" {
in-view "v6";
};
zone "mixed.test" {
in-view "v6";
};
// Forward-only zones pointing at the host side of the guest network.
zone "vm" IN {
type forward;
forward only;
forwarders {
192.168.122.1;
};
};
zone "virtmgr.local" {
type forward;
forward only;
forwarders {
192.168.122.1;
};
};
// Explicit per-view setting; recursion is already "yes" globally in options.
recursion yes;
};
// Catch-all view for every client not matched above. The global allow-query
// (localhost + virtnet) still limits who can actually query it.
view "default" {
match-clients {
"any";
};
// Same test-only trust anchor as in view "v6"; trust anchors are per view.
trust-anchors {
"test." initial-key 257 3 10 "AwEAAcW9/F0aQSya01izYiwAJfJifR3jmux4fi2l90YpjV+veUsZ9adK KGyHYgaQ3Ra7JGwwBHAOxta5xn3/IasfbWJphNg81OA6OLX+2ve8x06V 2iKXbpA8VUeZi8CAN+Syi6ZbIM+AoRu8aiFe7TZGsvsOyr1qpV2C/GOS SDlnoh/7rl1tYDMeVtYmPutDEVM8StuY3ph88H4ozE6onBwK3iZbbh8o SNDyUxbNJY/W6oJfg13PI/b8Gt8Sr9mA7NLEx9+n7VyvZMUYrDVZOmko TAl2YbEheQ8Ad8GZNS/jsV99hKjXvlW0un6FtkRs4P9mt5HWLvAe8J+9 u/oBcV1ZZXN+J5LuMBM5XkNldCctS+paRPemRmO1k4iF7+vY2ZLfr8Ka r8G7OSkbgu0viMy+y3SCxiq0HPUreydUNKOMh34OmeRRAKMZtNtqXA7z 2iZaZ9feWNrHNld04CAfNDDVbp56qOFAvKSCQd2/QVM4RSZbZQSWuIJj cIXZqjfaj8DtzlvJ9hpGq7VsO5ARku03lsj4+ny1cJi7EmyMtPbCoaS0 k1P5lrqzJYQOM0nYkyBJkuyc6BZVLOas9h/l/n42wBhzer/gKeD0h2QH EfhbBYsDbAeAPRCkIw+cK0hAQwsvrkR4W7164t78OeJ+E8Gc5Hdr1V7x QAzJDuWjKuX5/7RF";
};
zone "." IN {
type hint;
file "named.ca";
};
// Split-horizon data: a different file than the "virt" zone in view "v6".
zone "virt" {
type master;
file "virt-default.zone";
};
// References to the zone objects defined in view "v6".
zone "test" {
in-view "v6";
};
zone "ipa.test" {
in-view "v6";
};
zone "2.test" {
in-view "v6";
};
zone "3.test" {
in-view "v6";
};
zone "inazure.test" {
in-view "v6";
};
zone "azure.test" {
in-view "v6";
};
zone "unsupported.test" {
in-view "v6";
};
zone "mixed.test" {
in-view "v6";
};
zone "virtmgr.local" {
type forward;
forward only;
forwarders {
192.168.122.1;
};
};
};
// Key authenticating rndc commands on the controls channel; secret redacted in this report.
key "rndc-key" {
algorithm "hmac-sha256";
secret "????????????????????????????????????????????";
};
// Per-server override: queries to 10.0.100.79 are sent without EDNS and without DNS
// cookies (presumably a peer that mishandles them — the reason is not stated here).
server 10.0.100.79/32 {
edns no;
send-cookie no;
};
// Global root trust anchor: DS for the root KSK with key tag 20326 (algorithm 8 = RSASHA256,
// digest type 2 = SHA-256). With "dnssec-validation yes" in options this is the anchor
// validation depends on, so a correctly validated www.dnssec-failed.org lookup must SERVFAIL.
trust-anchors {
"." initial-ds 20326 8 2 "E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D";
};
Relevant logs and/or screenshots
(Paste any relevant logs - please use code blocks (```) to format console output, logs, and code, as it's very hard to read otherwise.)
Possible fixes
(If you can, link to the line of code that might be responsible for the problem.)