
Return code for synthesized CNAME records (from wildcards and DNAMEs) #747

Closed
SivaKesava1 opened this issue Sep 27, 2023 · 5 comments
@SivaKesava1

Hi,

This is related to the case where 'A CNAME B' (even a synthesized CNAME) exists in a zone but B (in the same zone) does not exist; then the return code should be NXDOMAIN. RFC 6604 mentions that:

> When chains are followed the RCODE in the ultimate DNS response MUST BE set based on the final query cycle leading to that response.

Consider the following zone file.

```
www. 500 SOA ns1.outside.edu. root.campus.edu. 3 604800 86400 2419200 604800
www. 500 NS ns1.outside.com.
foo.www. 500 DNAME example.fnni.*.www.
```

For the query <example.bank.foo.www., NS>, the Technitium server returns the following response:

```
"opcode QUERY",
"rcode NOERROR",
"flags QR AA RA",
";QUESTION",
"example.bank.foo.www. IN NS",
";ANSWER",
"foo.www. 500 IN DNAME example.fnni.*.www.",
"example.bank.foo.www. 500 IN CNAME example.bank.example.fnni.*.www.",
";AUTHORITY",
"www. 500 IN SOA ns1.outside.edu. root.campus.edu. 3 604800 86400 2419200 604800",
";ADDITIONAL"
```

What you expected to happen: The expected response is the same as above, except that the rcode should be NXDOMAIN. This uses test case 23 from the FerretDataset.

@ShreyasZare
Member

Thanks for the feedback. Will get this fixed soon.

@ShreyasZare
Member

Thanks again for the feedback. I tried this on the latest release (v11.4.1) and could not reproduce it. I am seeing the correct NXDOMAIN response (see screenshots below).

Below is the test zone:
[screenshot of the test zone]

This is the response I get with the built-in DNS Client:

```json
{
  "Metadata": {
    "NameServer": "server1 (127.0.0.1)",
    "Protocol": "Udp",
    "DatagramSize": "186 bytes",
    "RoundTripTime": "24.25 ms"
  },
  "EDNS": {
    "UdpPayloadSize": 1232,
    "ExtendedRCODE": "NxDomain",
    "Version": 0,
    "Flags": "None",
    "Options": []
  },
  "Identifier": 0,
  "IsResponse": true,
  "OPCODE": "StandardQuery",
  "AuthoritativeAnswer": true,
  "Truncation": false,
  "RecursionDesired": true,
  "RecursionAvailable": false,
  "Z": 0,
  "AuthenticData": false,
  "CheckingDisabled": false,
  "RCODE": "NxDomain",
  "QDCOUNT": 1,
  "ANCOUNT": 2,
  "NSCOUNT": 1,
  "ARCOUNT": 1,
  "Question": [
    {
      "Name": "example.bank.foo.www",
      "Type": "NS",
      "Class": "IN"
    }
  ],
  "Answer": [
    {
      "Name": "foo.www",
      "Type": "DNAME",
      "Class": "IN",
      "TTL": "500 (8 mins 20 sec)",
      "RDLENGTH": "20 bytes",
      "RDATA": {
        "Domain": "example.fnni.*.www"
      },
      "DnssecStatus": "Disabled"
    },
    {
      "Name": "example.bank.foo.www",
      "Type": "CNAME",
      "Class": "IN",
      "TTL": "500 (8 mins 20 sec)",
      "RDLENGTH": "30 bytes",
      "RDATA": {
        "Domain": "example.bank.example.fnni.*.www"
      },
      "DnssecStatus": "Disabled"
    }
  ],
  "Authority": [
    {
      "Name": "www",
      "Type": "SOA",
      "Class": "IN",
      "TTL": "500 (8 mins 20 sec)",
      "RDLENGTH": "51 bytes",
      "RDATA": {
        "PrimaryNameServer": "ns1.outside.edu",
        "ResponsiblePerson": "root@campus.edu",
        "Serial": 5,
        "Refresh": 900,
        "Retry": 300,
        "Expire": 604800,
        "Minimum": 900
      },
      "DnssecStatus": "Disabled"
    }
  ],
  "Additional": [
    {
      "Name": "",
      "Type": "OPT",
      "Class": "1232",
      "TTL": "0 (0 sec)",
      "RDLENGTH": "0 bytes",
      "RDATA": {
        "Options": []
      },
      "DnssecStatus": "Disabled"
    }
  ]
}
```

Can you confirm this again on your setup, and whether you are running the latest release?

@SivaKesava1
Author

I forgot to add another record that was present in the original test case 23 when I copied it over into the bug report. I think that affects it, as it involves wildcards. I am not using the UI client. I am running the DnsServer in a container on a remote machine.
Here are the details. Please let me know if you need any additional info.

```json
{
  "displayName": "Administrator",
  "username": "admin",
  "token": "36333e221d591435e484672322d0a1b4cd8a6019f8d92408d07b62fbe25b2b95",
  "info": {
    "version": "11.4.1",
    "uptimestamp": "2023-09-28T17:44:17.9557199Z",
    "dnsServerDomain": "e8de0a8edfb2",
    "defaultRecordTtl": 3600,
    "permissions": {
     ....
    }
  },
  "status": "ok"
}
```

```json
{
  "response": {
    "zone": {
      "name": "www",
      "type": "Primary",
      "internal": false,
      "dnssecStatus": "Unsigned",
      "notifyFailed": false,
      "notifyFailedFor": [],
      "disabled": false
    },
    "records": [
      {
        "name": "www",
        "type": "NS",
        "ttl": 500,
        "disabled": false,
        "rData": {
          "nameServer": "ns1.outside.edu"
        },
        "dnssecStatus": "Unknown",
        "lastUsedOn": "0001-01-01T00:00:00"
      },
      {
        "name": "www",
        "type": "SOA",
        "ttl": 500,
        "disabled": false,
        "rData": {
          "primaryNameServer": "ns1.outside.edu",
          "responsiblePerson": "root@campus.edu",
          "serial": 10,
          "refresh": 604800,
          "retry": 86400,
          "expire": 2419200,
          "minimum": 604800,
          "useSerialDateScheme": false
        },
        "dnssecStatus": "Unknown",
        "lastUsedOn": "2023-09-28T17:50:38.3494543Z"
      },
      {
        "name": "*.www",
        "type": "A",
        "ttl": 500,
        "disabled": false,
        "rData": {
          "ipAddress": "1.1.1.1"
        },
        "dnssecStatus": "Unknown",
        "lastUsedOn": "0001-01-01T00:00:00"
      },
      {
        "name": "foo.www",
        "type": "DNAME",
        "ttl": 500,
        "disabled": false,
        "rData": {
          "dname": "example.fnni.*.www"
        },
        "dnssecStatus": "Unknown",
        "lastUsedOn": "2023-09-28T17:50:38.3460811Z"
      }
    ]
  },
  "status": "ok"
}
```

[screenshot]
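The behaviour this thread is about, as an added example that is not code from Technitium DNS Server or from the reporter: a minimal authoritative lookup over an in-memory copy of the zone from the two comments above (the `*.www` A record is the one added in the follow-up). It performs DNAME substitution as in RFC 6672, wildcard synthesis by closest encloser as in RFC 4592, follows the resulting CNAME chain while it stays inside the zone, and sets the RCODE from the final query cycle as RFC 6604 requires. The `bar.www` DNAME record pointing outside the zone is an assumption added to show the case where the chain leaves the zone; record data is simplified to owner, type and text rdata, without TTLs or DNSSEC.

```python
# Added example (not Technitium code): DNAME + wildcard lookup with the RCODE
# taken from the final query cycle (RFC 6604). Zone data is constructed from
# the issue; the 'bar.www' DNAME is a hypothetical record added for illustration.

MAX_CHAIN = 8  # loop guard for CNAME/DNAME chains that stay inside the zone


def parse_name(text):
    """'example.bank.foo.www.' -> ('www', 'foo', 'bank', 'example') (apex label first)."""
    return tuple(label.lower() for label in text.strip('.').split('.') if label)[::-1]


def to_text(labels):
    return '.'.join(reversed(labels)) + '.'


class Zone:
    def __init__(self, origin, records):
        self.origin = parse_name(origin)
        self.rrsets = {}    # owner labels -> {type: [rdata, ...]}
        self.nodes = set()  # every existing name, including empty non-terminals
        for owner, rtype, rdata in records:
            o = parse_name(owner)
            self.rrsets.setdefault(o, {}).setdefault(rtype, []).append(rdata)
            for i in range(len(self.origin), len(o) + 1):
                self.nodes.add(o[:i])

    def in_zone(self, name):
        return name[:len(self.origin)] == self.origin

    def _cycle(self, name, qtype):
        """One query cycle (RFC 1034 s4.3.2). Returns (rcode, rrs, next_name)."""
        for i in range(len(self.origin), len(name) + 1):
            node = name[:i]
            if node not in self.nodes:
                # The name does not exist; name[:i-1] is its closest encloser. A
                # wildcard applies only if '*' is a child of that encloser (RFC 4592),
                # so a literal '*' node such as '*.www' blocks '*.www' from matching
                # names below it (e.g. 'fnni.*.www').
                wild = name[:i - 1] + ('*',)
                if wild not in self.nodes:
                    return 'NXDOMAIN', [], None
                return self._answer(wild, name, qtype)
            if i < len(name) and 'DNAME' in self.rrsets.get(node, {}):
                # DNAME owner is a proper ancestor of the query name: substitute the
                # suffix and synthesize a CNAME for the query name (RFC 6672 s3).
                dname = self.rrsets[node]['DNAME'][0]
                target = parse_name(dname) + name[i:]
                rrs = [(to_text(node), 'DNAME', dname),
                       (to_text(name), 'CNAME', to_text(target))]
                return 'NOERROR', rrs, target
        return self._answer(name, name, qtype)

    def _answer(self, node, owner, qtype):
        """Answer qtype from node's RRsets; owner differs from node for wildcards."""
        rrsets = self.rrsets.get(node, {})
        if qtype in rrsets:
            return 'NOERROR', [(to_text(owner), qtype, rd) for rd in rrsets[qtype]], None
        if 'CNAME' in rrsets:
            target = rrsets['CNAME'][0]
            return 'NOERROR', [(to_text(owner), 'CNAME', target)], parse_name(target)
        return 'NOERROR', [], None  # NODATA: the name exists, the type does not

    def lookup(self, qname, qtype):
        """Return (rcode, answer, authority), following in-zone CNAME chains."""
        name, answer = parse_name(qname), []
        if not self.in_zone(name):
            return 'REFUSED', [], []
        rcode, rrs = 'SERVFAIL', []
        for _ in range(MAX_CHAIN):
            rcode, rrs, name = self._cycle(name, qtype)
            answer.extend(rrs)
            if name is None or not self.in_zone(name):
                break  # chain ended or left the zone: this cycle decides the RCODE
        else:
            rcode, name = 'SERVFAIL', None  # chain too long: treat as a loop
        # Negative results (NXDOMAIN, or NODATA in the final cycle) carry the SOA.
        negative = rcode == 'NXDOMAIN' or (
            rcode == 'NOERROR' and name is None and not any(t == qtype for _, t, _ in rrs))
        soa = (to_text(self.origin), 'SOA', self.rrsets[self.origin]['SOA'][0])
        return rcode, answer, [soa] if negative else []


# Constructed from the zone in this issue, plus one hypothetical out-of-zone DNAME.
ZONE = Zone('www.', [
    ('www.', 'SOA', 'ns1.outside.edu. root.campus.edu. 10 604800 86400 2419200 604800'),
    ('www.', 'NS', 'ns1.outside.edu.'),
    ('*.www.', 'A', '1.1.1.1'),
    ('foo.www.', 'DNAME', 'example.fnni.*.www.'),
    ('bar.www.', 'DNAME', 'ext.example.'),  # hypothetical, not from the issue
])

if __name__ == '__main__':
    for q in [('example.bank.foo.www.', 'NS'), ('abc.www.', 'A'),
              ('foo.www.', 'NS'), ('q.bar.www.', 'A')]:
        rcode, answer, authority = ZONE.lookup(*q)
        print(q, rcode, answer, authority)
```

The first query reproduces the report: the DNAME at `foo.www` synthesizes a CNAME to `example.bank.example.fnni.*.www`, the second cycle finds no such name (the `*.www` node exists literally, so the wildcard does not cover names below it), and the response carries the DNAME and CNAME in the answer with RCODE NXDOMAIN and the SOA in the authority section, which is the shape the reporter expected. A chain that leaves the zone (`q.bar.www.`) ends with NOERROR and no SOA, since the server cannot judge the final cycle.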

@ShreyasZare
Member

> I forgot to add another record that was present in the original test case 23 when I copied it over into the bug report. I think that affects it, as it involves wildcards.

Oh ok. Will test it again on my setup.

> I am not using the UI client. I am running the DnsServer in a container on a remote machine.

The UI is available on the same HTTP API URL itself. Just try it in any web browser.

@ShreyasZare
Member

Thanks again for the report. Technitium DNS Server v11.5.2 is now available that fixes this issue. Do update and let me know your feedback.
