TTL issue with resolver's cached and expired results for qtype ANY queries
When the resolver retrieves cached rdatasets from a database node in lib/ns/query.c:query_respond_any() for a qtype ANY query, and some of them are expired, those expired RRs are still included in the answer, and with huge TTLs (on the order of a UNIX timestamp) rather than being treated as expired. Here's how to reproduce the issue.
Run a resolver locally with the following configuration:
options {
directory ".";
pid-file "named.pid";
listen-on-v6 { none; };
listen-on port 9053 { 127.0.0.1; };
dnssec-validation auto;
recursion yes;
allow-recursion { 127.0.0.1; };
};
Query for github.com ANY:
$ dig @127.0.0.1 -p9053 github.com ANY
; <<>> DiG 9.18.7 <<>> @127.0.0.1 -p9053 github.com ANY
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42497
;; flags: qr rd ra; QUERY: 1, ANSWER: 28, AUTHORITY: 0, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 3e7b2b8f73eb454a01000000634fe23fe9aa5ebb8af2d349 (good)
;; QUESTION SECTION:
;github.com. IN ANY
;; ANSWER SECTION:
github.com. 3600 IN CAA 0 issue "globalsign.com"
github.com. 3600 IN CAA 0 issuewild "digicert.com"
github.com. 3600 IN CAA 0 issue "digicert.com"
github.com. 3600 IN TXT "adobe-idp-site-verification=b92c9e999aef825edc36e0a3d847d2dbad5b2fc0e05c79ddd7a16139b48ecf4b"
github.com. 3600 IN TXT "google-site-verification=UTM-3akMgubp6tQtgEuAkYNYLyYAvpTnnSrDMWoDR3o"
github.com. 3600 IN TXT "MS=6BF03E6AF5CB689E315FB6199603BABF2C88D805"
github.com. 3600 IN TXT "apple-domain-verification=RyQhdzTl6Z6x8ZP4"
github.com. 3600 IN TXT "MS=ms58704441"
github.com. 3600 IN TXT "MS=ms44452932"
github.com. 3600 IN TXT "docusign=087098e3-3d46-47b7-9b4e-8a23028154cd"
github.com. 3600 IN TXT "atlassian-domain-verification=jjgw98AKv2aeoYFxiL/VFaoyPkn3undEssTRuMg6C/3Fp/iqhkV4HVV7WjYlVeF8"
github.com. 3600 IN TXT "v=spf1 ip4:192.30.252.0/22 include:_netblocks.google.com include:_netblocks2.google.com include:_netblocks3.google.com include:spf.protection.outlook.com include:mail.zendesk.com include:_spf.salesforce.com include:servers.mcsv.net ip4:166.78.69.169 ip4:1" "66.78.69.170 ip4:166.78.71.131 ip4:167.89.101.2 ip4:167.89.101.192/28 ip4:192.254.112.60 ip4:192.254.112.98/31 ip4:192.254.113.10 ip4:192.254.113.101 ip4:192.254.114.176 ip4:62.253.227.114 ~all"
github.com. 3600 IN TXT "stripe-verification=f88ef17321660a01bab1660454192e014defa29ba7b8de9633c69d6b4912217f"
github.com. 3600 IN MX 10 alt4.aspmx.l.google.com.
github.com. 3600 IN MX 1 aspmx.l.google.com.
github.com. 3600 IN MX 5 alt1.aspmx.l.google.com.
github.com. 3600 IN MX 5 alt2.aspmx.l.google.com.
github.com. 3600 IN MX 10 alt3.aspmx.l.google.com.
github.com. 900 IN SOA ns-1707.awsdns-21.co.uk. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400
github.com. 60 IN A 140.82.114.3
github.com. 900 IN NS ns-520.awsdns-01.net.
github.com. 900 IN NS ns-421.awsdns-52.com.
github.com. 900 IN NS dns4.p08.nsone.net.
github.com. 900 IN NS ns-1707.awsdns-21.co.uk.
github.com. 900 IN NS dns1.p08.nsone.net.
github.com. 900 IN NS ns-1283.awsdns-32.org.
github.com. 900 IN NS dns3.p08.nsone.net.
github.com. 900 IN NS dns2.p08.nsone.net.
;; ADDITIONAL SECTION:
ns-421.awsdns-52.com. 172800 IN A 205.251.193.165
;; Query time: 63 msec
;; SERVER: 127.0.0.1#9053(127.0.0.1) (TCP)
;; WHEN: Wed Oct 19 11:40:47 UTC 2022
;; MSG SIZE rcvd: 1670
Note that the A record has a TTL of 60 while every other rdataset has 900, 3600 or 172800. Wait at least 60 seconds so that only the A record expires from the cache, then repeat the query:
$ dig @127.0.0.1 -p9053 github.com ANY
; <<>> DiG 9.18.7 <<>> @127.0.0.1 -p9053 github.com ANY
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27528
;; flags: qr rd ra; QUERY: 1, ANSWER: 28, AUTHORITY: 0, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: fdb7a33b7c5d8e0601000000634fe28a0d3f8db7e69dc8f7 (good)
;; QUESTION SECTION:
;github.com. IN ANY
;; ANSWER SECTION:
github.com. 3525 IN CAA 0 issue "digicert.com"
github.com. 3525 IN CAA 0 issuewild "digicert.com"
github.com. 3525 IN CAA 0 issue "globalsign.com"
github.com. 3525 IN TXT "adobe-idp-site-verification=b92c9e999aef825edc36e0a3d847d2dbad5b2fc0e05c79ddd7a16139b48ecf4b"
github.com. 3525 IN TXT "atlassian-domain-verification=jjgw98AKv2aeoYFxiL/VFaoyPkn3undEssTRuMg6C/3Fp/iqhkV4HVV7WjYlVeF8"
github.com. 3525 IN TXT "v=spf1 ip4:192.30.252.0/22 include:_netblocks.google.com include:_netblocks2.google.com include:_netblocks3.google.com include:spf.protection.outlook.com include:mail.zendesk.com include:_spf.salesforce.com include:servers.mcsv.net ip4:166.78.69.169 ip4:1" "66.78.69.170 ip4:166.78.71.131 ip4:167.89.101.2 ip4:167.89.101.192/28 ip4:192.254.112.60 ip4:192.254.112.98/31 ip4:192.254.113.10 ip4:192.254.113.101 ip4:192.254.114.176 ip4:62.253.227.114 ~all"
github.com. 3525 IN TXT "MS=ms44452932"
github.com. 3525 IN TXT "google-site-verification=UTM-3akMgubp6tQtgEuAkYNYLyYAvpTnnSrDMWoDR3o"
github.com. 3525 IN TXT "MS=6BF03E6AF5CB689E315FB6199603BABF2C88D805"
github.com. 3525 IN TXT "apple-domain-verification=RyQhdzTl6Z6x8ZP4"
github.com. 3525 IN TXT "MS=ms58704441"
github.com. 3525 IN TXT "stripe-verification=f88ef17321660a01bab1660454192e014defa29ba7b8de9633c69d6b4912217f"
github.com. 3525 IN TXT "docusign=087098e3-3d46-47b7-9b4e-8a23028154cd"
github.com. 3525 IN MX 1 aspmx.l.google.com.
github.com. 3525 IN MX 10 alt4.aspmx.l.google.com.
github.com. 3525 IN MX 10 alt3.aspmx.l.google.com.
github.com. 3525 IN MX 5 alt1.aspmx.l.google.com.
github.com. 3525 IN MX 5 alt2.aspmx.l.google.com.
github.com. 825 IN SOA ns-1707.awsdns-21.co.uk. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400
github.com. 1666179707 IN A 140.82.114.3
github.com. 825 IN NS ns-1283.awsdns-32.org.
github.com. 825 IN NS dns1.p08.nsone.net.
github.com. 825 IN NS dns2.p08.nsone.net.
github.com. 825 IN NS dns3.p08.nsone.net.
github.com. 825 IN NS dns4.p08.nsone.net.
github.com. 825 IN NS ns-421.awsdns-52.com.
github.com. 825 IN NS ns-520.awsdns-01.net.
github.com. 825 IN NS ns-1707.awsdns-21.co.uk.
;; ADDITIONAL SECTION:
ns-421.awsdns-52.com. 172725 IN A 205.251.193.165
;; Query time: 0 msec
;; SERVER: 127.0.0.1#9053(127.0.0.1) (TCP)
;; WHEN: Wed Oct 19 11:42:02 UTC 2022
;; MSG SIZE rcvd: 1670
Now the A record is still returned, but with a TTL of 1666179707. That value is the UNIX timestamp for 2022-10-19 11:41:47 UTC, i.e. the time of the first query (11:40:47) plus the 60-second TTL: the record's absolute expiry time in the cache is being sent out as its TTL. The other rdatasets, which had not expired, have their TTLs decremented correctly for the 75 seconds that elapsed between the two queries (3600 → 3525, 900 → 825, 172800 → 172725), and the 0 msec query time shows the whole answer came from cache, so the expired A record was not refetched. Because 1666179707 is below the 2^31-1 limit of RFC 2181, a downstream cache or forwarder that honours the TTL would accept it as-is and keep the stale address for roughly 52 years.
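As an added example (not part of the original report and not BIND's own code), here is a small Python script that parses dig's answer section, flags TTLs that are implausible, and optionally drives the two-query reproduction above against a local resolver. The sample dig output embedded in it is constructed from the second response above (trimmed to a few records); the function names, the one-week sanity bound and the one-year "looks like a timestamp" window are my own choices, and the query_any helper assumes dig is on PATH and that the resolver from the named.conf above is listening on 127.0.0.1:9053.

```python
import re
import subprocess
from datetime import datetime, timezone

# Constructed sample: a trimmed copy of the second dig response above.
SAMPLE_DIG_OUTPUT = """\
;; QUESTION SECTION:
;github.com.			IN	ANY

;; ANSWER SECTION:
github.com.		3525	IN	MX	1 aspmx.l.google.com.
github.com.		825	IN	SOA	ns-1707.awsdns-21.co.uk. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400
github.com.		1666179707	IN	A	140.82.114.3
github.com.		825	IN	NS	ns-1283.awsdns-32.org.

;; ADDITIONAL SECTION:
ns-421.awsdns-52.com.	172725	IN	A	205.251.193.165
"""

RFC2181_MAX_TTL = 2**31 - 1         # RFC 2181 s.8: TTL is 31-bit unsigned; larger values must be treated as 0
ONE_WEEK = 7 * 24 * 3600            # assumed sanity bound; longer TTLs are rare enough to be worth a look
TIMESTAMP_WINDOW = 365 * 24 * 3600  # assumed: a TTL within a year of "now" is a leaked absolute time

# dig presentation format: owner  TTL  class  type  rdata (whitespace may be tabs or spaces)
RR_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.*)$")


def parse_answer_section(text):
    """Return (owner, ttl, rtype, rdata) tuples from the ';; ANSWER SECTION:' of dig output."""
    records = []
    in_answer = False
    for line in text.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if line.startswith(";;"):          # any other section header ends the answer section
            in_answer = False
            continue
        if not in_answer or not line.strip() or line.startswith(";"):
            continue
        m = RR_LINE.match(line)
        if m:
            records.append((m.group(1), int(m.group(2)), m.group(3), m.group(4)))
    return records


def expiry_datetime(ttl):
    """Interpret a leaked TTL as a UNIX timestamp and render it as UTC ISO 8601."""
    return datetime.fromtimestamp(ttl, timezone.utc).isoformat()


def find_bad_ttls(records, now):
    """Classify every RR whose TTL is implausible; `now` is the UNIX time at which the query was made."""
    findings = []
    for owner, ttl, rtype, _rdata in records:
        if ttl > RFC2181_MAX_TTL:
            findings.append((owner, rtype, ttl, "over_rfc2181_max"))
        elif abs(ttl - now) <= TIMESTAMP_WINDOW:
            findings.append((owner, rtype, ttl, "absolute_timestamp"))
        elif ttl > ONE_WEEK:
            findings.append((owner, rtype, ttl, "above_sanity_bound"))
    return findings


def query_any(name, server="127.0.0.1", port=9053):
    """Run dig (assumed to be on PATH) against the local resolver and return its text output."""
    out = subprocess.run(["dig", f"@{server}", "-p", str(port), name, "ANY"],
                         capture_output=True, text=True, check=True)
    return out.stdout


if __name__ == "__main__":
    import sys
    import time
    name = sys.argv[1] if len(sys.argv) > 1 else "github.com"
    first = parse_answer_section(query_any(name))
    if not first:
        sys.exit("no answer records; is the resolver from the named.conf above running?")
    shortest = min(ttl for _, ttl, _, _ in first)
    print(f"shortest TTL in first answer: {shortest}s; sleeping until it expires")
    time.sleep(shortest + 1)
    second = parse_answer_section(query_any(name))
    for owner, rtype, ttl, reason in find_bad_ttls(second, now=int(time.time())):
        extra = f" (= {expiry_datetime(ttl)})" if reason == "absolute_timestamp" else ""
        print(f"{owner} {rtype} TTL={ttl}: {reason}{extra}")
    if not find_bad_ttls(second, now=int(time.time())):
        print("no implausible TTLs in the second answer")
```

Run with no arguments it repeats the procedure above for github.com, sleeping for the shortest TTL between the two queries. The three checks are ordered deliberately: a TTL above 2^31-1 is the one case RFC 2181 tells a downstream cache to clamp to 0, whereas the leaked value 1666179707 sits below that limit and within seconds of the query time, so it would be accepted as a genuine 52-year TTL unless something looks for the "TTL equals wall-clock time" pattern explicitly.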