
List:       unbound-users
Subject:    Re: extra CNAME resolutions in chain
From:       "W.C.A. Wijngaards via Unbound-users" <unbound-users () unbound ! net>
Date:       2017-05-29 11:51:01
Message-ID: 8fdd7660-4bd1-0fc6-c34c-ff5660a892f5 () nlnetlabs ! nl


Hi Philip,

On 29/05/17 07:12, Philip O'Sullivan via Unbound-users wrote:
> Hi,
> 
> I'm seeing unbound making extra resolution requests for CNAME records in
> a chain where the domains differ between the record in the question and
> the CNAMEs in the answer.  For example a query coming into unbound for a
> host like a.b.c.com that gets a response from the server with CNAME
> a.b.e.com, CNAME a.d.e.com, A 1.2.3.4.  Instead of returning those
> immediately to the client unbound proceeds to resolve a.b.e.com and
> a.c.e.com, and then return to the client.  From the logs, when verbose
> logging is turned on we see messages like:
> 
>   info: sanitize: removing extraneous answer RRset: a.b.e.com. CNAME IN
> 
> Our unbound config is fairly simple with a forward-zone for "." pointing
> to our upstream DNS servers.  We don't have DNSSEC enabled.
> 
> From a quick look at the source I think this is happening in the
> scrubber at
> https://github.com/NLnetLabs/unbound/blob/master/iterator/iter_scrub.c#L663
> 
> I was wondering if there was any way to stop these extra lookups?

There is no way to turn that feature off.  The lookups are for defense
against (Kaminsky) cache poisoning scenarios.

On unbound.net there is
http://unbound.net/documentation/patch_announce102.html that describes
this.  Also described in (expired draft):
https://tools.ietf.org/html/draft-wijngaards-dnsext-resolver-side-mitigation-01

Best regards, Wouter
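
As an added illustration (not unbound's own code from iter_scrub.c, and not part of this thread), a simplified model of the resolver-side scrubbing the reply refers to: answer RRsets are trusted only while the CNAME chain stays inside the zone the answering server is trusted for, and the first out-of-zone name is looked up independently instead of being cached from the upstream answer. The trusted zone `c.com.` and the sample RRsets below are constructed assumptions mirroring the query in the thread.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RRset:
    owner: str   # owner name, e.g. "a.b.c.com."
    rtype: str   # "CNAME" or "A"
    rdata: str   # CNAME target, or IPv4 address text


def _labels(name: str) -> list[str]:
    return [l for l in name.lower().rstrip(".").split(".") if l]


def in_bailiwick(name: str, zone: str) -> bool:
    """True if name is at or below zone (case-insensitive, label-wise suffix match)."""
    n, z = _labels(name), _labels(zone)
    return len(n) >= len(z) and n[len(n) - len(z):] == z


def scrub_cname_chain(qname: str, zone: str, answer: list[RRset]):
    """Simplified model of resolver-side scrubbing of a CNAME chain.

    Follow the chain from qname through the answer section.  An RRset is kept
    only while its owner lies inside `zone`, the zone the queried server is
    trusted for.  The first owner outside that zone ends the trusted part of
    the chain: that name is scheduled for an independent lookup, and it and
    every remaining RRset are dropped as extraneous rather than cached.
    Returns (kept, removed, to_resolve).
    """
    by_owner = {r.owner.lower().rstrip("."): r for r in answer}
    kept, to_resolve = [], []
    current, seen = qname.lower().rstrip("."), set()
    while current in by_owner and current not in seen:
        seen.add(current)
        rr = by_owner[current]
        if not in_bailiwick(rr.owner, zone):
            to_resolve.append(rr.owner)   # the resolver fetches this itself
            break
        kept.append(rr)
        if rr.rtype != "CNAME":
            break                          # chain terminates in real data
        current = rr.rdata.lower().rstrip(".")
    removed = [r for r in answer if r not in kept]
    return kept, removed, to_resolve


# Constructed sample: a.b.c.com -> a.b.e.com -> a.d.e.com -> 1.2.3.4, answered by a
# server that is trusted only for c.com (zone name is an assumption).
SAMPLE_ANSWER = [
    RRset("a.b.c.com.", "CNAME", "a.b.e.com."),
    RRset("a.b.e.com.", "CNAME", "a.d.e.com."),
    RRset("a.d.e.com.", "A", "1.2.3.4"),
]

if __name__ == "__main__":
    kept, removed, todo = scrub_cname_chain("a.b.c.com.", "c.com.", SAMPLE_ANSWER)
    for r in removed:
        print(f"info: sanitize: removing extraneous answer RRset: {r.owner} {r.rtype} IN")
    print("follow-up lookups:", todo)
```

Only the in-zone CNAME is returned from the upstream answer; the out-of-zone remainder is re-resolved, which is the extra lookup traffic the thread describes.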


