SERVFAIL response to TKEY query
Summary
(Summarize the bug encountered concisely.)
BIND version used
9.16.42 (deb11u1) and 9.18.16 (deb12u1~bpo11+1)
Steps to reproduce
The example PCAP is attached.
What is the current bug behavior?
A TKEY query for a domain that is not configured on the authoritative-only DNS server results in a SERVFAIL response, and the following log entry is written: 9.18: client @0x7fd9410d0368 XX.X.XXX.XX#59386 (2752-ms-7.986X-5052cb3.a4e0250c-2acc-11ee-4794-005056987d00): query failed (permission denied) for 2752-ms-7.986X-5052cb3.a4e0250c-2acc-11ee-4794-005056987d00/IN/TKEY at query.c:12326
9.16: client @0x7fX13c24Xba0 XX.X.XXX.XX#51660 (2752-ms-7.1359-4fdedX.a4e0250c-2acX-11ee-4794-005056987d0X): query failed (permission denied) for 2752-ms-7.1359-4fdedX.a4e0250c-2acX-11ee-4794-005056987d0X/IN/TKEY at query.c:11891
What is the expected correct behavior?
A REFUSED, FORMERR, or NOTIMP response, but not SERVFAIL.
Relevant configuration files
// Named address match lists. Every entry is a single host (/32).
// "trusted" is the list referenced by allow-query in the options block.
acl "trusted" {
127.0.0.1/32;
192.0.2.65/32;
};
// "probes" is defined but not referenced anywhere in the visible part of
// this configuration; it may be used by the zone statements that are cut off.
acl "probes" {
192.0.2.75/32;
212.224.66.61/32;
192.0.2.90/32;
};
// "transfer-trusted" is the list referenced by allow-transfer in the options
// block: the "trusted" hosts plus 192.0.2.8, which is also the also-notify target.
acl "transfer-trusted" {
127.0.0.1/32;
192.0.2.65/32;
192.0.2.8/32;
};
// Logging layout: five channels, then the category-to-channel routing.
logging {
// Discard channel: anything routed here is dropped.
channel "stats_log" {
null ;
};
// Security events go to syslog facility local1; messages below "notice" are dropped.
// NOTE(review): some ACL denial messages in the "security" category are
// emitted at "info" severity and would not pass this filter. Confirm whether
// denied queries need to be visible here.
channel "security_log" {
syslog "local1";
severity notice;
};
// File channel for failed queries at debug level 1. The file is rotated at
// 102400 bytes and two old versions are kept.
// NOTE(review): the "query failed (...) at query.c:NNNN" entries quoted in the
// report have the format of this category's debug-level output, so they
// presumably come from this file. Confirm.
channel "query-errors-log" {
file "/var/log/dns/query-errors.log" versions 2 size 102400;
severity debug 1;
};
// Response-rate-limiting events go to syslog facility local2.
channel "rrl_log" {
syslog "local2";
severity notice;
};
// General-purpose channel: syslog facility local1 at "info" and above.
channel "audit_log" {
syslog "local1";
severity info;
};
// Per-query logging is routed to the null channel, i.e. discarded.
category "queries" {
"stats_log";
};
category "security" {
"security_log";
};
category "query-errors" {
"query-errors-log";
};
category "rate-limit" {
"rrl_log";
};
// All remaining categories listed below share the audit_log channel.
category "default" {
"audit_log";
};
category "general" {
"audit_log";
};
category "config" {
"audit_log";
};
category "resolver" {
"audit_log";
};
category "xfer-in" {
"audit_log";
};
category "xfer-out" {
"audit_log";
};
category "notify" {
"audit_log";
};
category "client" {
"audit_log";
};
category "network" {
"audit_log";
};
category "update" {
"audit_log";
};
category "lame-servers" {
"audit_log";
};
};
// Global options for an authoritative-only server (recursion is disabled below).
options {
// Private (RFC 1918) ranges: named neither answers queries from these
// addresses nor sends queries to them.
blackhole {
10.0.0.0/8;
172.16.0.0/12;
192.168.0.0/16;
};
directory "/var/cache/bind";
// Do not answer hostname.bind CH TXT queries.
hostname none;
// 0 disables the periodic rescan of network interfaces.
interface-interval 0;
listen-on {
192.0.2.65/32;
192.0.2.60/32;
192.0.2.61/32;
};
listen-on-v6 {
"any";
};
serial-query-rate 20;
statistics-file "/var/cache/bind/named.stats";
// Do not answer version.bind CH TXT queries, so the BIND version is not disclosed.
version none;
auth-nxdomain no;
// Validation only applies to recursive resolution, which is off here.
dnssec-validation no;
// Response rate limiting. errors-per-second applies to error responses such
// as REFUSED, FORMERR and SERVFAIL, so the rcode discussed in this report is
// subject to that limit whichever of them is returned.
rate-limit {
errors-per-second 40;
ipv4-prefix-length 32;
ipv6-prefix-length 64;
max-table-size 30000;
responses-per-second 40;
// With slip 2, every second rate-limited response is sent as a truncated
// reply instead of being dropped.
slip 2;
// Rates are accounted over a 60-second window.
window 60;
};
recursion no;
// Server-wide default: only the "trusted" ACL may query. Zone statements can
// override this, but they are cut off in this listing.
// NOTE(review): the client address in the report is redacted, so it cannot be
// matched against this ACL. If the client is outside "trusted", the
// "permission denied" in the log may originate here. Confirm.
allow-query {
"trusted";
};
// Zone transfers are limited to the "transfer-trusted" ACL.
allow-transfer {
"transfer-trusted";
};
// With "notify explicit", NOTIFY messages go only to the also-notify list.
also-notify {
192.0.2.8;
};
notify explicit;
notify-source 192.0.2.60;
request-ixfr no;
transfer-source 192.0.2.65;
zone-statistics no;
};
zone "X" {
....