Jamie Landeg-Jones
2024-Jul-03 02:12 UTC
[nsd-users] NSD incorrectly logging DNAME as refused?
I just noticed this with NSD 4.10.0 (and earlier versions - it's not a new regression).

I have nsd set to log refused requests to syslog.

After adding a DNAME type into my dns for one sub-zone that is being moved, I noticed that legitimate requests for hosts under that subdomain are working as expected, however they are being logged as refused.

As a quick replicable test, I just did this to demonstrate the issue.

Firstly, add this to my dyslexicfish.net domain:

nsdtest IN DNAME hello.example.com.

Then, update serial, reload, watch it propagate to secondaries etc., then from a machine with no specific acls (i.e. not from one of the primaries or secondaries):

| # dig sjsjqju2qu.nsdtest.dyslexicfish.net.
|
| ; <<>> DiG 9.18.27 <<>> sjsjqju2qu.nsdtest.dyslexicfish.net.
| ;; global options: +cmd
| ;; Got answer:
| ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 53148
| ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 1
|
| ;; OPT PSEUDOSECTION:
| ; EDNS: version: 0, flags:; udp: 1232
| ; COOKIE: eef66b9e45770f3e010000006684ada8ca27d2ccb2d7c25f (good)
| ;; QUESTION SECTION:
| ;sjsjqju2qu.nsdtest.dyslexicfish.net. IN A
|
| ;; ANSWER SECTION:
| nsdtest.dyslexicfish.net. 86363 IN DNAME hello.example.com.
| sjsjqju2qu.nsdtest.dyslexicfish.net. 86363 IN CNAME sjsjqju2qu.hello.example.com.
|
| ;; AUTHORITY SECTION:
| example.com. 3600 IN SOA ns.icann.org. noc.dns.icann.org. 2024041842 7200 3600 1209600 3600
|
| ;; Query time: 30 msec
| ;; SERVER: 205.166.94.24#53(205.166.94.24) (UDP)
| ;; WHEN: Wed Jul 03 01:47:17 UTC 2024
| ;; MSG SIZE rcvd: 213

This produces this via syslog on the nsd servers:

| Jul 3 02:46:43 <daemon.info> catnip nsd[3620]: query sjsjqju2qu.nsdtest.dyslexicfish.net. from 205.166.94.24 refused, no acl matches .

As can be seen from "dig", the result is valid, and everything works as suspected, I'm just getting rather a lot of those "refused" messages, as the domain gets a lot of traffic!

I know I can disable the logging of such messages, but I do want to log them when they are legitimate!

(Obviously I first noticed this on a valid DNAME target zone of mine; I just used 'hello.example.com' in the above demonstration to show that it's nothing weird going on with my setup - delegating to any domain that the nsd server itself doesn't serve causes the issue.)

Any ideas? And apologies for any late-night incoherencies in this message!

Cheers, Jamie
Hi Jamie,

I can reproduce, but only if the target zone of the DNAME (or CNAME which behaves the same) matches a zone with an allow-query option that doesn't match the querier.

For example with the following config in nsd.conf:

zone:
    name: "."
    allow-query: 0::/128 NOKEY
zone:
    name: "example"
    zonefile: "example"

and an example zone that contains `nsdtest.example. CNAME hello.example.com.`, then indeed a query for `nsdtest.example.` gives the correct CNAME answer, but a "info: query nsdtest.example. from 127.0.0.1 refused, no acl matches" message is logged.

NSD logs the error trying to add more records while following the CNAME, but the checked target CNAME domain has an acl forbidding this for the querier.

Do you have a similar situation?

Should an error be logged when CNAME targets match a zone with an allow-query list that doesn't match?

-- Willem

On 03-07-2024 at 04:12, Jamie Landeg-Jones via nsd-users wrote:

_______________________________________________
nsd-users mailing list
nsd-users at lists.nlnetlabs.nl
https://lists.nlnetlabs.nl/mailman/listinfo/nsd-users
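To make the mechanism Willem describes concrete, the following is an added model (not NSD's code and not from either poster) of the two ACL checks: one for the zone the query name lives in, and a second one when the CNAME or DNAME-synthesized target is chased into another locally served zone. It assumes Willem's catch-all "." zone with `allow-query: 0::/128` exists, that Jamie's DNAME lives in a `dyslexicfish.net.` zone without an allow-query list, and ignores the NOKEY part of the ACL.

```python
import ipaddress

# Constructed model of the nsd.conf from Willem's reply (added example, not NSD's own code).
# allow_query None = no ACL configured, i.e. everyone may query; the "." zone and the
# dyslexicfish.net. zone are assumptions for the two cases in the thread.
ZONES = {
    ".": {"allow_query": ["0::/128"]},
    "example.": {"allow_query": None},
    "dyslexicfish.net.": {"allow_query": None},
}

def labels(name):
    return [lb for lb in name.rstrip(".").split(".") if lb]

def alias_target(qname, rtype, owner, target):
    """CNAME: qname must equal owner. DNAME (RFC 6672): swap the owner suffix for target."""
    q, o = labels(qname), labels(owner)
    if rtype == "CNAME":
        if q != o:
            raise ValueError("CNAME only covers its own name")
        return target
    if len(q) <= len(o) or q[-len(o):] != o:
        raise ValueError("qname is not below the DNAME owner")
    return ".".join(q[:-len(o)] + labels(target)) + "."

def find_zone(name):
    """Longest-suffix match against the configured zones, falling back to root."""
    q = labels(name)
    for i in range(len(q)):
        cand = ".".join(q[i:]) + "."
        if cand in ZONES:
            return cand
    return "." if "." in ZONES else None

def acl_allows(zone, client):
    acl = ZONES[zone]["allow_query"]
    if acl is None:
        return True
    ip = ipaddress.ip_address(client)   # an IPv4 client never matches an IPv6 prefix
    return any(ip in ipaddress.ip_network(n, strict=False) for n in acl)

def classify(qname, client, rtype, owner, target):
    """First check failing = genuine refusal, nothing answered. Second check failing =
    the alias answer is still sent, but the 'refused, no acl matches' line is logged."""
    zone = find_zone(qname)
    if zone is None or not acl_allows(zone, client):
        return {"answered": False, "spurious_refused_log": False}
    tgt = alias_target(qname, rtype, owner, target)
    tzone = find_zone(tgt)
    spurious = tzone is not None and not acl_allows(tzone, client)
    return {"answered": True, "cname_target": tgt, "target_zone": tzone, "spurious_refused_log": spurious}
```

Feeding it the query name and client address from Jamie's syslog line reproduces the synthesized CNAME target shown by dig and flags the log entry as the target-zone case rather than a real refusal.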