
Describe DNS/実装/KnotDNSresolver/github here.

https://github.com/CZ-NIC/knot-resolver


lib/validate: scrubbed extra rrs in NS were checked

The validator module should ignore any data that will be scrubbed, which includes non-authoritative data outside the current bailiwick. Previously, the validator attempted to ignore these records only for the answer section and had a special case for NS records.

cache: non-authoritative NS records are always unchecked and must be treated as insecure

affected: www.iana.org trying to provide delegation information for the CNAME target, which is moot with the CNAME target explicit-fetch policy unless the resolver already knows a DNSKEY with which it could verify the records
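
The scrubbing rule the commit message describes, as an added example in Python (not Knot Resolver's own code): it assumes the resolver treats the zone the queried server answered for, iana.org here, as the bailiwick, drops every record outside it before anything is cached or validated, and marks surviving authority-section NS records as insecure instead of validating them. The record list is constructed from the ns.icann.org answer quoted further down this page.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class RR:
    """One resource record plus the response section it arrived in."""
    name: str
    ttl: int
    rtype: str
    rdata: str
    section: str  # "answer", "authority" or "additional"

def in_bailiwick(name: str, zone: str) -> bool:
    """True if name is zone itself or lies beneath it (case-insensitive)."""
    n = name.lower().rstrip(".") + "."
    z = zone.lower().rstrip(".") + "."
    return z == "." or n == z or n.endswith("." + z)

def scrub(response, zone):
    """Split a response into records the resolver may use (names inside the
    bailiwick of the zone the queried server answered for) and records it
    must discard before anything is cached or handed to the validator."""
    kept = [rr for rr in response if in_bailiwick(rr.name, zone)]
    dropped = [rr for rr in response if not in_bailiwick(rr.name, zone)]
    return kept, dropped

def needs_validation(rr: RR) -> bool:
    """Authority-section NS records are the non-authoritative copy of a
    delegation: they are cached as insecure and skipped by the validator.
    Every other record that survived scrubbing is validated."""
    return not (rr.rtype == "NS" and rr.section == "authority")

# Constructed from the ns.icann.org answer quoted on this page.
NS_ICANN_RESPONSE = [
    RR("www.iana.org.", 3600, "CNAME", "ianawww.vip.icann.org.", "answer"),
    RR("vip.icann.org.", 3600, "NS", "gtm1.dc.icann.org.", "authority"),
    RR("vip.icann.org.", 3600, "NS", "gtm1.lax.icann.org.", "authority"),
    RR("gtm1.dc.icann.org.", 3600, "A", "192.0.47.252", "additional"),
    RR("gtm1.lax.icann.org.", 3600, "A", "192.0.32.252", "additional"),
    RR("gtm1.dc.icann.org.", 3600, "AAAA", "2620:0:2830:296::252", "additional"),
    RR("gtm1.lax.icann.org.", 3600, "AAAA", "2620:0:2d0:296::252", "additional"),
]

if __name__ == "__main__":
    # The server was asked as an iana.org authority, so that is the bailiwick.
    kept, dropped = scrub(NS_ICANN_RESPONSE, "iana.org.")
    for rr in dropped:
        print("scrubbed:", rr.name, rr.rtype, rr.rdata)
    for rr in kept:
        print("kept:", rr.name, rr.rtype, "validate" if needs_validation(rr) else "insecure")
```

Only the CNAME survives; the vip.icann.org delegation and its glue are out of bailiwick and never reach the cache or the validator.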


This is it. ns.icann.org returns extra answers. -- ToshinoriMaeno 2016-02-11 10:14:44

$ dig www.iana.org @ns.icann.org.

; <<>> DiG 9.9.5-3ubuntu0.7-Ubuntu <<>> www.iana.org @ns.icann.org.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33433
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 5
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.iana.org.                  IN      A

;; ANSWER SECTION:
www.iana.org.           3600    IN      CNAME   ianawww.vip.icann.org.

;; AUTHORITY SECTION:
vip.icann.org.          3600    IN      NS      gtm1.dc.icann.org.
vip.icann.org.          3600    IN      NS      gtm1.lax.icann.org.

;; ADDITIONAL SECTION:
gtm1.dc.icann.org.      3600    IN      A       192.0.47.252
gtm1.lax.icann.org.     3600    IN      A       192.0.32.252
gtm1.dc.icann.org.      3600    IN      AAAA    2620:0:2830:296::252
gtm1.lax.icann.org.     3600    IN      AAAA    2620:0:2d0:296::252

;; Query time: 175 msec
;; SERVER: 199.4.138.53#53(199.4.138.53)
;; WHEN: Thu Feb 11 19:12:12 JST 2016
;; MSG SIZE  rcvd: 206

Asking this server instead, there is no response like the one described above.

$ dig www.iana.org @a.iana-servers.net.

; <<>> DiG 9.9.5-3ubuntu0.7-Ubuntu <<>> www.iana.org @a.iana-servers.net.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17725
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.iana.org.                  IN      A

;; ANSWER SECTION:
www.iana.org.           3600    IN      CNAME   ianawww.vip.icann.org.

;; Query time: 71 msec
;; SERVER: 199.43.132.53#53(199.43.132.53)
;; WHEN: Thu Feb 11 19:10:25 JST 2016
;; MSG SIZE  rcvd: 73

Unbound's output looks like this.

$ dig www.iana.org

; <<>> DiG 9.9.5-3ubuntu0.7-Ubuntu <<>> www.iana.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45104
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1220
;; QUESTION SECTION:
;www.iana.org.                  IN      A

;; ANSWER SECTION:
www.iana.org.           3600    IN      CNAME   ianawww.vip.icann.org.
ianawww.vip.icann.org.  120     IN      A       192.0.32.8

;; Query time: 745 msec
;; SERVER: 127.0.0.2#53(127.0.0.2)
;; WHEN: Thu Feb 11 19:07:57 JST 2016
;; MSG SIZE  rcvd: 89