BIND returns EDE-18 (Prohibited) although the query was not recursive
Summary
When an authoritative BIND 9.18.9 server is sent a non-recursive query (RD bit clear), it returns EDE 18 (Prohibited) because "recursion" is enabled for some IP addresses, even though the query did not ask for recursion.
BIND version used
named -V
BIND 9.18.9 (Stable Release) <id:e831507>
running on Linux x86_64 3.10.0-1062.4.3.el7.x86_64 #1 SMP Wed Nov 13 23:58:53 UTC 2019
built by make with '--prefix=/usr/local/bind-9.18.9' '--sysconfdir=/chroot/bind/etc/named/' '--mandir=/usr/local/share/man' '--localstatedir=/chroot/bind/var' '--enable-largefile' '--enable-full-report' '--without-gssapi' '--disable-doh'
compiled by GCC 4.8.5 20150623 (Red Hat 4.8.5-39)
compiled with OpenSSL version: OpenSSL 1.0.2k-fips 26 Jan 2017
linked to OpenSSL version: OpenSSL 1.0.2k-fips 26 Jan 2017
compiled with libuv version: 1.34.0
linked to libuv version: 1.34.0
compiled with libxml2 version: 2.9.1
linked to libxml2 version: 20901
compiled with zlib version: 1.2.7
linked to zlib version: 1.2.7
threads support is enabled
DNSSEC algorithms: RSASHA1 NSEC3RSASHA1 RSASHA256 RSASHA512 ECDSAP256SHA256 ECDSAP384SHA384
DS algorithms: SHA-1 SHA-256 SHA-384
HMAC algorithms: HMAC-MD5 HMAC-SHA1 HMAC-SHA224 HMAC-SHA256 HMAC-SHA384 HMAC-SHA512
TKEY mode 2 support (Diffie-Hellman): yes
TKEY mode 3 support (GSS-API): no
default paths:
named configuration: /chroot/bind/etc/named/named.conf
rndc configuration: /chroot/bind/etc/named/rndc.conf
DNSSEC root key: /chroot/bind/etc/named/bind.keys
nsupdate session key: /chroot/bind/var/run/named/session.key
named PID file: /chroot/bind/var/run/named/named.pid
named lock file: /chroot/bind/var/run/named/named.lock
Steps to reproduce
Running BIND 9.18.9 as an authoritative server with recursion enabled only for the IPv4 and IPv6 loopback interface:
acl RecurseAllow {
    127.0.0.1/32;   // IPv4 loopback
    ::1;            // IPv6 loopback
};
options {
    ...
    recursion yes;
    allow-recursion { "RecurseAllow"; };   // only loopback clients may recurse
    ...
};
What is the current bug behavior?
When querying this authoritative server with +norec for an authoritative domain, I receive an Extended DNS Error "Prohibited" (Code 18):
$ dig @ns21.arcade.ch txt rc8.ch +nocookie +norec
; <<>> DiG 9.19.8 <<>> @ns21.arcade.ch txt rc8.ch +nocookie +norec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34443
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; EDE: 18 (Prohibited)
;; QUESTION SECTION:
;rc8.ch. IN TXT
;; ANSWER SECTION:
rc8.ch. 1800 IN TXT "v=spf1 -all"
;; Query time: 24 msec
;; SERVER: 46.22.21.101#53(ns21.arcade.ch) (UDP)
;; WHEN: Mon Jan 09 13:48:53 CET 2023
;; MSG SIZE rcvd: 65
The debug output for this query looks like this:
09-Jan-2023 13:48:53.195 client: debug 3: client @0x7faa3bccdf68 192.168.33.44#38852: UDP request
09-Jan-2023 13:48:53.195 client: debug 5: client @0x7faa3bccdf68 192.168.33.44#38852: using view '_default'
09-Jan-2023 13:48:53.195 security: debug 3: client @0x7faa3bccdf68 192.168.33.44#38852: request is not signed
09-Jan-2023 13:48:53.195 client: debug 1: client @0x7faa3bccdf68 192.168.33.44#38852: set ede: info-code 18 extra-text (null)
09-Jan-2023 13:48:53.195 security: debug 3: client @0x7faa3bccdf68 192.168.33.44#38852: recursion not available (allow-recursion did not match)
09-Jan-2023 13:48:53.195 security: debug 3: client @0x7faa3bccdf68 192.168.33.44#38852 (rc8.ch): query 'rc8.ch/TXT/IN' approved
09-Jan-2023 13:48:53.195 rate-limit: debug 99: client @0x7faa3bccdf68 192.168.33.44#38852 (rc8.ch): rrl=0x7faa5090e800, HAVECOOKIE=0, result=ISC_R_SUCCESS, fname=0x7faa3bc67a80(1), is_zone=1, RECURSIONOK=0, query.rpz_st=(nil)(0), RRL_CHECKED=0
09-Jan-2023 13:48:53.195 security: debug 3: client @0x7faa3bccdf68 192.168.33.44#38852 (rc8.ch): reset client
When I completely disable recursion in the options section and re-query with the same question, I get the answer without the EDE:
$ dig @ns21.arcade.ch txt rc8.ch +nocookie +norec
; <<>> DiG 9.19.8 <<>> @ns21.arcade.ch txt rc8.ch +nocookie +norec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6743
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;rc8.ch. IN TXT
;; ANSWER SECTION:
rc8.ch. 1800 IN TXT "v=spf1 -all"
;; Query time: 24 msec
;; SERVER: 46.22.21.101#53(ns21.arcade.ch) (UDP)
;; WHEN: Mon Jan 09 13:48:26 CET 2023
;; MSG SIZE rcvd: 59
The corresponding debug log looks like this:
09-Jan-2023 13:48:26.009 client: debug 3: clientmgr @0x7faa508a7180 attach: 2
09-Jan-2023 13:48:26.009 security: debug 3: client @0x7faa3bccdf68 (no-peer): allocate new client
09-Jan-2023 13:48:26.009 client: debug 3: client @0x7faa3bccdf68 192.168.33.44#54609: UDP request
09-Jan-2023 13:48:26.009 client: debug 5: client @0x7faa3bccdf68 192.168.33.44#54609: using view '_default'
09-Jan-2023 13:48:26.009 security: debug 3: client @0x7faa3bccdf68 192.168.33.44#54609: request is not signed
09-Jan-2023 13:48:26.009 security: debug 3: client @0x7faa3bccdf68 192.168.33.44#54609: recursion not available (recursion not enabled for view)
09-Jan-2023 13:48:26.009 security: debug 3: client @0x7faa3bccdf68 192.168.33.44#54609 (rc8.ch): query 'rc8.ch/TXT/IN' approved
09-Jan-2023 13:48:26.009 rate-limit: debug 99: client @0x7faa3bccdf68 192.168.33.44#54609 (rc8.ch): rrl=0x7faa5090fc00, HAVECOOKIE=0, result=ISC_R_SUCCESS, fname=0x7faa3bc67800(1), is_zone=1, RECURSIONOK=0, query.rpz_st=(nil)(0), RRL_CHECKED=0
09-Jan-2023 13:48:26.010 security: debug 3: client @0x7faa3bccdf68 192.168.33.44#54609 (rc8.ch): reset client
What is the expected correct behavior?
When querying the authoritative server with +norec, I expect that BIND returns the answer without EDE, because I asked non-recursively (recursion is enabled for some IP addresses, but it is not used in this case).