Not RFC 9462 compliant #1016

Open
BrunoBlanes opened this issue Feb 19, 2024 · 0 comments

Unbound does not return the A and AAAA records for the name of the Designated Resolver in the Additional Answers section when responding to queries for resolver.arpa.

To reproduce

Steps to reproduce the behavior:

  1. Add the following to the configuration:

unbound.conf

auth-zone:
        name: "resolver.arpa"
        zonefile: "/etc/unbound/zones/resolver.arpa"

resolver.arpa

$ORIGIN resolver.arpa.
$TTL 86400

; Authoritative name servers for this zone
_dns                                    IN      SVCB    1 example.com. alpn=h2 dohpath=/dns-query{?dns}
_dns                                    IN      SVCB    2 example.com. alpn=dot
  2. Query the respective SVCB records for the special resolver.arpa zone.
  3. Observe the records being returned as expected, however, without the Additional Answers section.

Expected behavior

As per the RFC 9462:

When responding to these special queries for "resolver.arpa", the recursive resolver SHOULD include the A and AAAA records for the name of the Designated Resolver in the Additional Answers section.

Additionally:

If the recursive resolver that receives this query has no Designated Resolvers, it SHOULD return NODATA for queries to the "resolver.arpa" zone, to provide a consistent and accurate signal to clients that it does not have a Designated Resolver.

Instead, I get NXDOMAIN as a reply for queries that should not exist.

System:

  • Unbound version: 1.19.1
  • OS: CentOS 9 Stream
  • unbound -V output:
Version 1.19.1

Configure line: --sbindir=/opt/unbound/unbound-1.19.1/bin --disable-sha1 --enable-tfo-client --enable-tfo-server --with-libevent --with-libnghttp2
Linked libs: libevent 2.1.12-stable (it uses epoll), OpenSSL 3.0.7 1 Nov 2022
Linked modules: dns64 respip validator iterator
TCP Fastopen feature available

BSD licensed, see LICENSE in source package for details.
Report bugs to [email protected] or https://github.com/NLnetLabs/unbound/issues

Additional information
If this is not a bug, then let it be a feature. I tried the mailing list, but got no answer.
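
The two RFC 9462 recommendations quoted in the report can be checked mechanically against a resolver's reply. The following is an added example, not part of the original issue and not Unbound code: it assumes dig-style text output, the function names `parse_dig` and `ddr_findings` are hypothetical, and the sample responses are constructed rather than captured.

```python
import re

def parse_dig(text):
    """Split dig-style output into the rcode and per-section lists of record fields."""
    status = re.search(r"status: (\w+)", text).group(1)
    sections, current = {}, None
    for line in text.splitlines():
        m = re.match(r";; (\w+) SECTION:", line)
        if m:
            current = sections.setdefault(m.group(1), [])
        elif not line.strip():
            current = None          # a blank line ends the section
        elif current is not None and not line.startswith(";"):
            current.append(line.split())   # name ttl class type rdata...
    return status, sections

def ddr_findings(text):
    """Return deviations from the two RFC 9462 SHOULDs quoted in the issue."""
    status, sections = parse_dig(text)
    svcb = [r for r in sections.get("ANSWER", []) if r[3] == "SVCB"]
    if not svcb:
        # No Designated Resolver: the signal should be NODATA (NOERROR, empty answer).
        return [] if status == "NOERROR" else [f"{status} instead of NODATA"]
    targets = {r[5].lower() for r in svcb}   # SVCB rdata: priority, target, params
    glue = {r[0].lower() for r in sections.get("ADDITIONAL", [])
            if r[3] in ("A", "AAAA")}
    return [f"no A/AAAA in additional section for {t}"
            for t in sorted(targets - glue)]

# Constructed dig-style output matching the behaviour reported above (not a real capture).
REPORTED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; QUESTION SECTION:
;_dns.resolver.arpa. IN SVCB

;; ANSWER SECTION:
_dns.resolver.arpa. 86400 IN SVCB 1 example.com. alpn="h2" dohpath="/dns-query{?dns}"
_dns.resolver.arpa. 86400 IN SVCB 2 example.com. alpn="dot"
"""
# Same response plus the address record RFC 9462 asks for (192.0.2.53 is a documentation address).
COMPLIANT = REPORTED + "\n;; ADDITIONAL SECTION:\nexample.com. 3600 IN A 192.0.2.53\n"
# Constructed reply from a resolver with no Designated Resolver that answers NXDOMAIN.
NO_DDR = ";; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 2\n"

if __name__ == "__main__":
    for name, sample in (("reported", REPORTED), ("compliant", COMPLIANT), ("no-ddr", NO_DDR)):
        print(name, ddr_findings(sample))
```
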
