Qname minimisation is disabled on authoritative answers
Hi, I found that qname minimisation gets disabled (in layer/iterate.c:643) when an authoritative answer is received with status NOERROR, as it does not treat this as a referral.
This means that in zones where the parent is also authoritative for the child (because the NS set for parent and child is the same, or overlaps), qname minimisation is disabled.
Unfortunately, this affects entire countries:
- .co.uk (same name servers as .uk)
- .co.nz (same name servers as .nz)
- .co.ke (same name servers as .ke)
Example:
[ 0][plan] plan 'super.secret.host.name.co.uk.' type 'A'
[16339][iter] 'super.secret.host.name.co.uk.' type 'A' id was assigned, parent id 0
[16339][zcut] found cut: . (return codes: DS -2, DNSKEY -2)
[16339][resl] => querying: '2001:500:1::53' score: 10 zone cut: '.' qname: 'uk.' qtype: 'NS' proto: 'udp'
[16339][resl] => querying: '198.97.190.53' score: 10 zone cut: '.' qname: 'uk.' qtype: 'NS' proto: 'udp'
[16339][iter] <= loaded 13 glue addresses
[16339][iter] <= referral response, follow
[16339][resl] <= server: '2001:500:1::53' rtt: >= 290 ms
[16339][resl] <= server: '198.97.190.53' rtt: 90 ms
[56102][iter] 'super.secret.host.name.co.uk.' type 'A' id was assigned, parent id 0
[56102][resl] => querying: '2401:fd80:404::1' score: 10 zone cut: 'uk.' qname: 'CO.Uk.' qtype: 'NS' proto: 'udp'
[56102][resl] => querying: '43.230.48.1' score: 10 zone cut: 'uk.' qname: 'CO.Uk.' qtype: 'NS' proto: 'udp'
[56102][iter] <= rcode: NOERROR
[56102][iter] <= found cut, retrying with non-minimized name
[56102][resl] <= server: '2401:fd80:404::1' rtt: >= 208 ms
[56102][resl] <= server: '43.230.48.1' rtt: 8 ms
[28449][iter] 'super.secret.host.name.co.uk.' type 'A' id was assigned, parent id 0
[28449][resl] => querying: '43.230.48.1' score: 11 zone cut: 'uk.' qname: 'SupER.SEcrET.HoST.naMe.co.UK.' qtype: 'A' proto: 'udp'
[28449][iter] <= referral response, follow
[28449][resl] <= server: '43.230.48.1' rtt: 10 ms
[60788][iter] 'super.secret.host.name.co.uk.' type 'A' id was assigned, parent id 0
[60788][plan] plan 'dns1.namemagic.com.' type 'AAAA'
[13623][iter] 'dns1.namemagic.com.' type 'AAAA' id was assigned, parent id 60788
[13623][zcut] found cut: . (return codes: DS -2, DNSKEY -2)
[13623][resl] => querying: '2001:500:12::d0d' score: 10 zone cut: '.' qname: 'Com.' qtype: 'NS' proto: 'udp'
[13623][resl] => querying: '192.112.36.4' score: 10 zone cut: '.' qname: 'Com.' qtype: 'NS' proto: 'udp'
[13623][iter] <= loaded 26 glue addresses
[13623][iter] <= referral response, follow
Note that:
[56102][iter] <= found cut, retrying with non-minimized name
now sends:
querying: '43.230.48.1' score: 11 zone cut: 'uk.' qname: 'SupER.SEcrET.HoST.naMe.co.UK.' qtype: 'A' proto: 'udp'
the full hostname (SupER.SEcrET.HoST.naMe.co.UK) was sent to 43.230.48.1
$ dig +short -x 43.230.48.1
dns4.nic.uk
This is effectively disabling qname minimisation for whole countries, and sending the full hostnames to the TLD registry.
Here is an example zone configuration, although you can find other countries with this setup:
$ kdig NS uk @k.root-servers.net
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 37077
;; Flags: qr rd; QUERY: 1; ANSWER: 0; AUTHORITY: 8; ADDITIONAL: 13
;; QUESTION SECTION:
;; uk. IN NS
;; AUTHORITY SECTION:
uk. 172800 IN NS dns2.nic.uk.
uk. 172800 IN NS dns1.nic.uk.
uk. 172800 IN NS dns3.nic.uk.
uk. 172800 IN NS nsb.nic.uk.
uk. 172800 IN NS nsd.nic.uk.
uk. 172800 IN NS nsc.nic.uk.
uk. 172800 IN NS dns4.nic.uk.
uk. 172800 IN NS nsa.nic.uk.
;; ADDITIONAL SECTION:
nsa.nic.uk. 172800 IN AAAA 2001:502:ad09::3
dns1.nic.uk. 172800 IN AAAA 2a01:618:400::1
dns2.nic.uk. 172800 IN AAAA 2401:fd80:400::1
dns3.nic.uk. 172800 IN AAAA 2a01:618:404::1
dns4.nic.uk. 172800 IN AAAA 2401:fd80:404::1
nsa.nic.uk. 172800 IN A 156.154.100.3
nsb.nic.uk. 172800 IN A 156.154.101.3
nsc.nic.uk. 172800 IN A 156.154.102.3
nsd.nic.uk. 172800 IN A 156.154.103.3
dns1.nic.uk. 172800 IN A 213.248.216.1
dns2.nic.uk. 172800 IN A 103.49.80.1
dns3.nic.uk. 172800 IN A 213.248.220.1
dns4.nic.uk. 172800 IN A 43.230.48.1
;; Received 440 B
;; Time 2018-04-06 16:07:44 CEST
;; From 2001:7fd::1@53(UDP) in 3.1 ms
and
$ kdig NS co.uk @nsa.nic.uk.
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 31233
;; Flags: qr aa rd; QUERY: 1; ANSWER: 8; AUTHORITY: 0; ADDITIONAL: 13
;; QUESTION SECTION:
;; co.uk. IN NS
;; ANSWER SECTION:
co.uk. 172800 IN NS nsc.nic.uk.
co.uk. 172800 IN NS nsd.nic.uk.
co.uk. 172800 IN NS dns4.nic.uk.
co.uk. 172800 IN NS dns2.nic.uk.
co.uk. 172800 IN NS dns1.nic.uk.
co.uk. 172800 IN NS dns3.nic.uk.
co.uk. 172800 IN NS nsa.nic.uk.
co.uk. 172800 IN NS nsb.nic.uk.
;; ADDITIONAL SECTION:
nsa.nic.uk. 172800 IN AAAA 2001:502:ad09::3
dns1.nic.uk. 172800 IN AAAA 2a01:618:400::1
dns2.nic.uk. 172800 IN AAAA 2401:fd80:400::1
dns3.nic.uk. 172800 IN AAAA 2a01:618:404::1
dns4.nic.uk. 172800 IN AAAA 2401:fd80:404::1
nsa.nic.uk. 172800 IN A 156.154.100.3
nsb.nic.uk. 172800 IN A 156.154.101.3
nsc.nic.uk. 172800 IN A 156.154.102.3
nsd.nic.uk. 172800 IN A 156.154.103.3
dns1.nic.uk. 172800 IN A 213.248.216.1
dns2.nic.uk. 172800 IN A 103.49.80.1
dns3.nic.uk. 172800 IN A 213.248.220.1
dns4.nic.uk. 172800 IN A 43.230.48.1
;; Received 443 B
;; Time 2018-04-06 16:08:17 CEST
;; From 2001:502:ad09::3@53(UDP) in 15.9 ms
Note that the .uk servers answer authoritatively for .co.uk.
If you need further information, just let me know.
Kind Regards, Colin