CNAME at apex, was Re: Issue running "dig txt rs.dns-oarc.net" on 9.12

Tony Finch dot at dotat.at
Fri Mar 9 15:23:33 UTC 2018


Cathy Almond <cathya at isc.org> wrote:
>
> [snip]
>
> validating rs.dns-oarc.net/CNAME: checking existence of DS at 'rs.dns-oarc.net'
> validating rs.dns-oarc.net/CNAME: continuing validation would lead to deadlock: aborting validation
> validating rs.dns-oarc.net/CNAME: deadlock found (create_fetch)
>
> The rs.dns-oarc.net zone is broken because it returns a CNAME for
> queries at the apex.
>
> [snip]
>
> Prior to the changes to stop the potential validation loop (which
> probably wasn't going to be a loop in this specific instance, but BIND
> didn't know that), clients using validating BIND to send a
> reply-size-test query would have 'got away with it'
>
> But no longer.
>
> But since the reply-size tester doesn't work any more anyway with modern
> BIND, does this matter?

I just got a problem report from a user who has a few personal domains
with CNAME at apex that used to work (or at least appeared to work) but
no longer do.

I've said that the domains are misconfigured, but since this is a
relatively widespread misconfiguration, I think it's likely to cause
more complaints. Tiresome.

My preferred way to fix this would be for BIND to make use of the NSEC
denial of DS that it received in the referral, so that it doesn't need to
call create_fetch(), and therefore does not trip over the CNAME deadlock.
(If I explicitly `dig DS` for a problem domain, so that the absence of DS
record is cached with a higher level of RFC 2181 trust, resolution
subsequently works.)

Alternatively, maybe the patch below is OK? (Based on Nick @ NNEX's
observation.) My idea is that if we have been chasing a CNAME (so are at
risk of deadlock) but we are looking for a DS (so we will query the
parent) we can go ahead. I tested it briefly and it works around the
breakage for iterative resolution; dunno if it is unsafe.

diff --git a/lib/dns/validator.c b/lib/dns/validator.c
index 8b63c98..92fc6dc 100644
--- a/lib/dns/validator.c
+++ b/lib/dns/validator.c
@@ -1101,7 +1101,8 @@ check_deadlock(dns_validator_t *val, dns_name_t *name, dns_rdatatype_t type,
 	for (parent = val; parent != NULL; parent = parent->parent) {
 		if (parent->event != NULL &&
 		    (parent->event->type == type ||
-		     parent->event->type == dns_rdatatype_cname) &&
+		     (parent->event->type == dns_rdatatype_cname &&
+		      type != dns_rdatatype_ds)) &&
 		    dns_name_equal(parent->event->name, name) &&
 		    /*
 		     * As NSEC3 records are meta data you sometimes
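Review bot: the new `type != dns_rdatatype_ds` exemption inside the CNAME branch is undocumented, while the adjacent block already explains its NSEC3 special case; add a comment at the `+` lines stating the reasoning given in the message (a DS lookup is answered by the parent zone, so it does not re-enter the in-progress CNAME validation at the same name), otherwise the next reader of check_deadlock() cannot tell why DS is safe to let through. Note also that a DS validation nested under another DS validation for the same name is still caught by the unchanged `parent->event->type == type` branch, which is worth covering with a regression test alongside the CNAME-at-apex case the message says was only tested briefly.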

Tony.
-- 
f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/  -  I xn--zr8h punycode
Humber, Thames, Dover, Wight: South or southeast 4 or 5, occasionally 6 in
Humber and Wight. Slight or moderate. Occasional rain, fog patches developing.
Moderate or good, occasionally very poor.
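The misconfiguration the thread is about (a CNAME sharing its owner name with the SOA and NS at a zone apex) is easy to catch before a zone is published. The following zone-file lint is an added example, not code from this post, from BIND or from ISC; it assumes a simple one-record-per-line zone format and uses a constructed sample zone under `example.test.` (the names `webhost.provider.test.` and `mx.provider.test.` are invented). It flags any owner name where a CNAME coexists with data other than the DNSSEC records RFC 4035/5155 allow beside it, and marks whether the offending name is the apex.

```python
"""Added example (not from the bind-users post): flag CNAME records that share
an owner name with other data, the "CNAME at apex" misconfiguration discussed
in the thread. SAMPLE_ZONE below is constructed input, not a real zone."""
from collections import defaultdict

# RFC 4035 permits RRSIG and NSEC (and NSEC3 per RFC 5155) beside a CNAME;
# any other type at the same owner name violates RFC 1034 section 3.6.2.
DNSSEC_SIDE_TYPES = {"RRSIG", "NSEC", "NSEC3"}
CLASSES = {"IN", "CH", "HS"}


def _qualify(name, origin):
    """Turn a zone-file owner token into an absolute, lowercase name."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name.lower()
    return f"{name}.{origin}".lower()


def parse_zone(text, origin):
    """Return {owner_name: set of RR types} for a one-record-per-line zone.

    Parenthesised continuation lines and $INCLUDE are out of scope here;
    $ORIGIN, $TTL, comments, '@' and "same owner as previous line" are handled.
    """
    origin = origin.lower().rstrip(".") + "."
    owner_types = defaultdict(set)
    last_owner = origin
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()      # strip trailing comment
        if not line.strip():
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1].lower().rstrip(".") + "."
            continue
        if line.startswith("$"):                  # $TTL etc. carry no RRs
            continue
        fields = line.split()
        if raw[0] in " \t":                       # blank owner = previous owner
            owner = last_owner
        else:
            owner = _qualify(fields.pop(0), origin)
            last_owner = owner
        # Optional TTL and class may precede the type in either order
        while fields and (fields[0].isdigit() or fields[0].upper() in CLASSES):
            fields.pop(0)
        if fields:
            owner_types[owner].add(fields[0].upper())
    return owner_types


def find_cname_conflicts(owner_types, apex):
    """Return sorted (owner, is_apex, other_types) for every owner where a CNAME
    coexists with non-DNSSEC data. An apex always carries SOA and NS, so a
    CNAME at the apex is reported unconditionally."""
    apex = apex.lower().rstrip(".") + "."
    findings = []
    for owner, types in owner_types.items():
        if "CNAME" not in types:
            continue
        others = sorted(types - {"CNAME"} - DNSSEC_SIDE_TYPES)
        if others:
            findings.append((owner, owner == apex, others))
    return sorted(findings)


# Constructed sample zone: one apex CNAME, one clean CNAME, one CNAME beside MX.
SAMPLE_ZONE = """\
$ORIGIN example.test.
$TTL 3600
@       IN SOA   ns1 hostmaster 2018030901 7200 900 1209600 3600
        IN NS    ns1
@       IN CNAME webhost.provider.test.   ; the misconfiguration from the thread
ns1     IN A     192.0.2.1
www     IN CNAME webhost.provider.test.   ; fine: CNAME alone at its name
www     IN RRSIG CNAME 13 3 3600 20180401000000 20180301000000 12345 example.test. AAAA
mail    IN CNAME mx.provider.test.
mail    IN MX    10 mx.provider.test.     ; also broken: MX beside a CNAME
"""


def lint(text=SAMPLE_ZONE, origin="example.test."):
    """Lint a zone text and return the list of CNAME conflicts found."""
    return find_cname_conflicts(parse_zone(text, origin), origin)


if __name__ == "__main__":
    for owner, is_apex, others in lint():
        where = "zone apex" if is_apex else "owner name"
        print(f"{owner}: CNAME coexists with {', '.join(others)} at {where}")
```

Run against the sample it reports `example.test.` (CNAME beside NS and SOA at the apex) and `mail.example.test.` (CNAME beside MX), and stays quiet about `www`, whose only companion is an RRSIG. Running the same check over a zone before loading it into BIND avoids the validator deadlock described above at the source rather than in the resolver.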