QNAME minimisation question

Nick Tait nick at tait.net.nz
Mon Jun 2 10:01:58 UTC 2025


Hi list.

I've been investigating a failure that I noticed in my DNS logs. I know 
the issue is related to QNAME minimisation, but rather than just turning 
it off (to make the problem go away), I'm trying to understand whether BIND 
is doing exactly what it is expected to do.

I can reproduce the issue by clearing the BIND cache, and then running 
the following DIG command, to attempt a reverse DNS lookup of 
45.90.5.195 (NB I've substituted 2001:db8:: in place of my real IPv6 
prefix for these examples for privacy reasons):

    $ dig -x 45.90.5.195 @2001:db8::3

    ; <<>> DiG 9.20.4-3ubuntu1.1-Ubuntu <<>> -x 45.90.5.195 @2001:db8::3
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 3087
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 1232
    ; COOKIE: 2467e98a489c44ce01000000683d16c87c1c3adbd38053d7 (good)
    ;; QUESTION SECTION:
    ;195.5.90.45.in-addr.arpa.    IN    PTR

    ;; Query time: 1979 msec
    ;; SERVER: 2001:db8::3#53(2001:db8::3) (UDP)
    ;; WHEN: Mon Jun 02 15:13:12 NZST 2025
    ;; MSG SIZE  rcvd: 81

This is what I see in BIND's log file (with "info" severity logging on 
the following categories: default, dnssec, lame-servers, queries, 
query-errors, resolver, rpz, rpz-passthru, unmatched):

    02-Jun-2025 15:49:03.377 general: info: received control channel command 'flush'
    02-Jun-2025 15:49:03.379 general: info: flushing caches in all views succeeded
    02-Jun-2025 15:49:51.794 queries: info: client @0x72b447862800 2001:db8::2#48843 (195.5.90.45.in-addr.arpa): view uncensored-resolver: query: 195.5.90.45.in-addr.arpa IN PTR +E(0)K (2001:db8::3)
    02-Jun-2025 15:49:54.374 query-errors: info: client @0x72b447862800 2001:db8::2#48843 (195.5.90.45.in-addr.arpa): view uncensored-resolver: query failed (failure) for 195.5.90.45.in-addr.arpa/IN/PTR at query.c:7817

I performed a packet capture while running the test above, and 
identified the queries sent as the recursion stepped down the tree. (NB: 
I've omitted the in-between queries relating to resolving the IP 
addresses of the name servers.)

Request:

    Pkt # | Query                     | Type | Sent to domain   | Authoritative server    | IP address
    ------+---------------------------+------+------------------+-------------------------+-----------------------
    -     | arpa.                     | NS   | .                | localhost               | ::1
    2     | in-addr.arpa.             | NS   | arpa.            | k.ns.arpa.              | 2001:7fd::1
    4     | 45.in-addr.arpa.          | NS   | in-addr.arpa.    | f.in-addr-servers.arpa. | 2001:67c:e0::1
    23    | 90.45.in-addr.arpa.       | NS   | 45.in-addr.arpa. | u.arin.net.             | 2001:500:14:6050:ad::1
    63    | 5.90.45.in-addr.arpa.     | NS   | 45.in-addr.arpa. | arin.authdns.ripe.net.  | 2001:67c:e0::10
    -     | 195.5.90.45.in-addr.arpa. | PTR  | 45.in-addr.arpa. | -                       | -

Response:

    Pkt # | Query                     | Result  | # Answer RRs | NSEC start            | NSEC end               | Comment
    ------+---------------------------+---------+--------------+-----------------------+------------------------+----------------------------------------------------------
    -     | arpa.                     | Success | 13           | -                     | -                      | Answered from mirror zone. Not present in packet capture.
    3     | in-addr.arpa.             | Success | 6            | -                     | -                      | Response confirms zone-cut at in-addr.arpa.
    5     | 45.in-addr.arpa.          | Success | 6            | -                     | -                      | Response confirms zone-cut at 45.in-addr.arpa.
    30    | 90.45.in-addr.arpa.       | NODATA  | 0            | 99.9.45.in-addr.arpa. | 0.90.45.in-addr.arpa.  | No zone cut at 90.45.in-addr.arpa.
    66    | 5.90.45.in-addr.arpa.     | NODATA  | 0            | 5.90.45.in-addr.arpa. | 50.90.45.in-addr.arpa. | No zone cut at 5.90.45.in-addr.arpa.
    -     | 195.5.90.45.in-addr.arpa. | -       | -            | -                     | -                      | This query is missing!

Based on my understanding of RFC 7816, BIND should have sent the final 
PTR query to one of the "45.in-addr.arpa." domain's authoritative name 
servers, but it didn't. Is this a bug, or am I missing something?

I'm happy to provide the packet capture for the test above. Please email 
me if you would like me to send it to you.

Here is my BIND version info:

    $ named -V
    BIND 9.20.4-3ubuntu1.1-Ubuntu (Stable Release) <id:>
    running on Linux x86_64 6.14.0-15-generic #15-Ubuntu SMP PREEMPT_DYNAMIC Sun Apr  6 15:05:05 UTC 2025
    built by make with  '--build=x86_64-linux-gnu' '--prefix=/usr' '--includedir=${prefix}/include' '--mandir=${prefix}/share/man' '--infodir=${prefix}/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--disable-option-checking' '--disable-silent-rules' '--libdir=${prefix}/lib/x86_64-linux-gnu' '--runstatedir=/run' '--disable-maintainer-mode' '--disable-dependency-tracking' '--libdir=/usr/lib/x86_64-linux-gnu' '--sysconfdir=/etc/bind' '--with-python=python3' '--localstatedir=/' '--enable-threads' '--enable-largefile' '--with-libtool' '--enable-shared' '--disable-static' '--with-gost=no' '--with-openssl=/usr' '--with-gssapi=yes' '--with-libidn2' '--with-json-c' '--with-lmdb=/usr' '--with-gnu-ld' '--with-maxminddb' '--with-atf=no' '--enable-ipv6' '--enable-rrl' '--enable-filter-aaaa' '--disable-native-pkcs11' '--with-zonedb=rbtdb' 'build_alias=x86_64-linux-gnu' 'CFLAGS=-g -O3 -Werror=implicit-function-declaration -fno-omit-frame-pointer -mno-omit-leaf-frame-pointer -ffile-prefix-map=/build/bind9-suFpPF/bind9-9.20.4=. -flto=auto -ffat-lto-objects -fstack-protector-strong -fstack-clash-protection -Wformat -Werror=format-security -fcf-protection -fdebug-prefix-map=/build/bind9-suFpPF/bind9-9.20.4=/usr/src/bind9-1:9.20.4-3ubuntu1.1 -fno-strict-aliasing -fno-delete-null-pointer-checks -DNO_VERSION_DATE -DDIG_SIGCHASE' 'LDFLAGS=-Wl,-Bsymbolic-functions -flto=auto -ffat-lto-objects -Wl,-z,relro -Wl,-z,now' 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=3'
    compiled by GCC 14.2.0
    compiled with OpenSSL version: OpenSSL 3.4.1 11 Feb 2025
    linked to OpenSSL version: OpenSSL 3.4.1 11 Feb 2025
    compiled with libuv version: 1.50.0
    linked to libuv version: 1.50.0
    compiled with liburcu version: 0.15.1
    compiled with jemalloc version: 5.3.0
    compiled with libnghttp2 version: 1.64.0
    linked to libnghttp2 version: 1.64.0
    compiled with libxml2 version: 2.9.14
    linked to libxml2 version: 20914
    compiled with json-c version: 0.18
    linked to json-c version: 0.18
    compiled with zlib version: 1.3.1
    linked to zlib version: 1.3.1
    linked to maxminddb version: 1.12.2
    threads support is enabled
    DNSSEC algorithms: RSASHA1 NSEC3RSASHA1 RSASHA256 RSASHA512 ECDSAP256SHA256 ECDSAP384SHA384 ED25519 ED448
    DS algorithms: SHA-1 SHA-256 SHA-384
    HMAC algorithms: HMAC-MD5 HMAC-SHA1 HMAC-SHA224 HMAC-SHA256 HMAC-SHA384 HMAC-SHA512
    TKEY mode 2 support (Diffie-Hellman): no
    TKEY mode 3 support (GSS-API): yes

    default paths:
       named configuration:  /etc/bind/named.conf
       rndc configuration:   /etc/bind/rndc.conf
       nsupdate session key: //run/named/session.key
       named PID file:       //run/named/named.pid
       geoip-directory:      /usr/share/GeoIP

My BIND configuration options look something like this:

    options {
             directory "/var/cache/bind";
             listen-on-v6  {
                     "any";
             };
             allow-recursion {
                     ...
             };
             dnssec-validation auto;
             max-cache-size 10485760;
             query-source ...;
             query-source-v6 ...;
             allow-query {
                     ...
             };
             allow-transfer  {
                     "none";
             };
             key-directory "/etc/bind/keys";
             notify no;
             notify-source ...;
             notify-source-v6 ...;
             parental-source ...;
             parental-source-v6 ...;
             transfer-source ...;
             transfer-source-v6 ...;
    };

In particular I haven't specified a value for "qname-minimization", so 
according to the documentation it should be using "relaxed":

    qname-minimization
        Grammar: qname-minimization ( strict | relaxed | disabled | off );
        Blocks: options, view
        Tags: query
        Controls QNAME minimization behavior in the BIND 9 resolver.
        When this is set to strict, BIND follows the QNAME minimization
        algorithm to the letter, as specified in RFC 7816.
        Setting this option to relaxed causes BIND to fall back to normal
        (non-minimized) query mode when it receives either NXDOMAIN or other
        unexpected responses (e.g., SERVFAIL, improper zone cut, REFUSED) to
        a minimized query.
        In relaxed mode named makes NS queries for <domain> as it walks down
        the tree.
        disabled disables QNAME minimization completely. off is a synonym for
        disabled.
        The current default is relaxed, but it may be changed to strict in a
        future release.

Thanks,

Nick.

URL: <https://lists.isc.org/pipermail/bind-users/attachments/20250602/f9d49a3a/attachment-0001.htm>


More information about the bind-users mailing list
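The walk described in the post (NS probes one label at a time, NODATA meaning "no zone cut here, keep going", and the "relaxed" fallback from the quoted documentation) can be replayed offline. The following is an added example, not BIND's code and not the poster's: it models a tiny authoritative side with NSEC, then runs an RFC 7816-style resolver against it and records every query it would send. The zone data is constructed: the delegation chain, the server names and the two NSEC spans are copied from the post's table, while every PTR owner is invented, since the real contents of 45.in-addr.arpa are not known here. The function and class names are this example's own.

```python
"""Offline replay of a QNAME-minimising resolver walk (RFC 7816) with the
"relaxed" fallback the quoted BIND documentation describes.  Added example,
neither BIND's code nor the poster's.  Zone data is CONSTRUCTED: delegation
chain, server names and the two NSEC spans come from the post's table; the
PTR owners are invented (real 45.in-addr.arpa content is unknown here)."""
from collections import namedtuple
from dataclasses import dataclass
from typing import Dict, List, Set

def labels(name):
    """Labels of a DNS name, root side first, lower-cased (RFC 4034 s6.1 order)."""
    n = name.strip().rstrip(".").lower()
    return n.split(".")[::-1] if n else []

def canonical_lt(a, b):  # a sorts before b in DNSSEC canonical order (an ancestor sorts first)
    return labels(a) < labels(b)

def is_at_or_below(name, ancestor):
    a = labels(ancestor)
    return labels(name)[:len(a)] == a

def nsec_relation(owner, next_name, qname):
    """What one NSEC span proves about qname: 'exists' (owner == qname; only the type
    bitmap matters), 'covered' (qname sorts strictly inside the span, so it owns no
    RRset: nonexistent name or empty non-terminal), or None (says nothing)."""
    if labels(owner) == labels(qname):
        return "exists"
    if canonical_lt(owner, qname) and canonical_lt(qname, next_name):
        return "covered"
    return None

@dataclass
class Zone:
    apex: str
    servers: List[str]
    rrsets: Dict[str, Set[str]]   # owner name -> RR types present there
    ent_nxdomain: bool = False    # model a broken server answering NXDOMAIN at empty non-terminals

    def nsec_chain(self):
        names = sorted(self.rrsets, key=labels)
        return [(n, names[(i + 1) % len(names)]) for i, n in enumerate(names)]

# kind: referral | answer | nodata | nxdomain; referral carries the child apex
Response = namedtuple("Response", "kind nsec referral", defaults=(None, None))

def serve(zone, qname, qtype):
    """Minimal authoritative logic: referral, answer, or negative answer plus NSEC."""
    for owner, types in zone.rrsets.items():
        if "NS" in types and owner != zone.apex and is_at_or_below(qname, owner):
            return Response("referral", referral=owner)
    chain = zone.nsec_chain()
    if qname in zone.rrsets:
        if qtype in zone.rrsets[qname]:
            return Response("answer")
        return Response("nodata", nsec=next(s for s in chain if s[0] == qname))
    # the last span wraps to the apex and covers everything sorting after its owner
    covering = next((s for s in chain[:-1] if nsec_relation(*s, qname) == "covered"), chain[-1])
    is_ent = any(is_at_or_below(n, qname) for n in zone.rrsets)
    if is_ent and not zone.ent_nxdomain:   # RFC 4035 s3.1.3.2: an ENT yields NOERROR/NODATA
        return Response("nodata", nsec=covering)
    return Response("nxdomain", nsec=covering)

def minimised_walk(zones, qname, qtype, mode="relaxed"):
    """Queries a cold-cache minimising resolver sends for qname/qtype, one label at a
    time, as (name, type, zone asked, outcome).  Address lookups for each
    delegation's name servers are left out, as in the post's table."""
    sent, zone, known, target = [], ".", 0, labels(qname)   # known = labels placed in `zone`
    while True:
        if known + 1 >= len(target):              # only the last label is left: ask the real question
            sent.append((qname, qtype, zone, serve(zones[zone], qname, qtype).kind))
            return sent
        probe = ".".join(reversed(target[:known + 1])) + "."
        r = serve(zones[zone], probe, "NS")
        sent.append((probe, "NS", zone, r.kind))
        if r.kind == "referral":                  # zone cut found: continue in the child zone
            zone, known = r.referral, len(labels(r.referral))
        elif r.kind == "nodata":                  # no cut here: add the next label
            known += 1
        elif mode == "relaxed":                   # NXDOMAIN or unexpected: stop minimising, send the full query
            sent.append((qname, qtype, zone, serve(zones[zone], qname, qtype).kind))
            return sent
        else:                                     # strict: the walk ends in failure
            return sent

ZONES = {
    ".": Zone(".", ["localhost"], {".": {"SOA", "NS"}, "arpa.": {"NS"}}),
    "arpa.": Zone("arpa.", ["k.ns.arpa."], {"arpa.": {"SOA", "NS"}, "in-addr.arpa.": {"NS"}}),
    "in-addr.arpa.": Zone("in-addr.arpa.", ["f.in-addr-servers.arpa."],
                          {"in-addr.arpa.": {"SOA", "NS"}, "45.in-addr.arpa.": {"NS"}}),
    "45.in-addr.arpa.": Zone("45.in-addr.arpa.", ["u.arin.net.", "arin.authdns.ripe.net."], {
        "45.in-addr.arpa.": {"SOA", "NS"},
        "99.9.45.in-addr.arpa.": {"PTR"},   # invented owners, chosen so the NSEC spans match
        "0.90.45.in-addr.arpa.": {"PTR"},   # the post: 90.45 becomes an empty non-terminal and
        "5.90.45.in-addr.arpa.": {"PTR"},   # 195.5.90.45 falls inside the 5.90.45 -> 50.90.45 span
        "50.90.45.in-addr.arpa.": {"PTR"},
    }),
}

POST_NSECS = [("99.9.45.in-addr.arpa.", "0.90.45.in-addr.arpa."),   # packet 30 in the post
              ("5.90.45.in-addr.arpa.", "50.90.45.in-addr.arpa.")]   # packet 66 in the post

def what_post_nsecs_prove(qname):
    return [nsec_relation(o, n, qname) for o, n in POST_NSECS]

def with_ent_nxdomain(zones):
    """Same model, but 45.in-addr.arpa answers NXDOMAIN at empty non-terminals."""
    z = zones["45.in-addr.arpa."]
    return {**zones, z.apex: Zone(z.apex, z.servers, z.rrsets, ent_nxdomain=True)}
```

Against the constructed model, `minimised_walk(ZONES, "195.5.90.45.in-addr.arpa.", "PTR")` reproduces the five probes in the post's table and then, as the final step, sends the PTR query for the full name to the 45.in-addr.arpa servers, which is the query the post reports as missing. Swapping in `with_ent_nxdomain(ZONES)` shows the difference between the two documented modes: "relaxed" abandons minimisation at the first NXDOMAIN and sends the full query anyway, "strict" stops there. One check worth running on the captured data is `what_post_nsecs_prove(...)`: by canonical ordering the packet-66 span 5.90.45 → 50.90.45 covers 195.5.90.45.in-addr.arpa as well, so that record already proves the final name owns no RRset in the zone it came from. RFC 8198 lets a validating resolver answer from such a cached NSEC without asking again; whether that is what happened here is not something the capture described in the post settles, and synthesis would yield NXDOMAIN rather than the SERVFAIL seen, so treat it as a check, not a diagnosis.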