[Opendnssec-user] New BIND: EDNS incompatibility with 1.4.x?
Havard Eidnes
he at uninett.no
Wed May 29 13:47:39 UTC 2019
Hi,
I recently upgraded our downstream name server of our OpenDNSSEC
installation to BIND version 9.14.2, up from version 9.10.x-Py.
With that upgrade, it looks like BIND and "dig" are no longer
successfully talking to our OpenDNSSEC 1.4.x installation:
sns:~> dig @ods-host -y hmac-sha256:keyname:key some-zone-served-by-ods soa +norec
;; Warning: Message parser reports malformed message packet.
;; Couldn't verify signature: expected a TSIG or SIG(0)
; <<>> DiG 9.14.2 <<>> @ods-host -y hmac-sha256 some-zone-served-by-ods soa +norec
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: FORMERR, id: 45391
;; flags: qr; QUERY: 0, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: EDNS query returned status FORMERR - retry with '+noedns'
;; WARNING: Message has 117 extra bytes at end
;; Query time: 2 msec
;; SERVER: 158.38.3.18#53(158.38.3.18)
;; WHEN: Wed May 29 14:24:30 CEST 2019
;; MSG SIZE rcvd: 165
;; WARNING -- Some TSIG could not be validated
sns:~>
Supplying +noedns as an extra argument fixes the problem.
OpenDNSSEC logs:
May 29 14:26:36 tilfeldigvis ods-signerd: [socket] incoming udp message
May 29 14:26:36 tilfeldigvis ods-signerd: [tsig] parse: not TSIG or not ANY
May 29 14:26:36 tilfeldigvis ods-signerd: [tsig] parse: not TSIG or not ANY
May 29 14:26:36 tilfeldigvis ods-signerd: [query] too many additional rrs
May 29 14:26:36 tilfeldigvis ods-signerd: [query] formerr
May 29 14:26:36 tilfeldigvis ods-signerd: [socket] query processed qstate=0
May 29 14:26:36 tilfeldigvis ods-signerd: [query] add edns opt ok
Hrm...
Looking at the query in wireshark reveals that it's including an
OPT record for the root, including a DNS cookie, and the TSIG
record for the transaction.
The code spitting out the "too many additional rrs" comes from
query_find_tsig() in signer/src/wire/query.c, and I wonder if the
edns_rr_parse() function didn't manage to parse the EDNS record
correctly, but I didn't manage to catch the debug log message
from that function even if I cranked the verbosity to 10.
To get it to work again I configured BIND to not use edns towards
our OpenDNSSEC installation via a "server" option clause.
Regards,
- Håvard
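The failure mode described in the post, modelled as an added example (this is not code from the post, from OpenDNSSEC or from BIND): a query whose additional section carries both an EDNS OPT record (with a COOKIE option, as seen in the Wireshark capture) and a TSIG record is run through two additional-section policies. The "strict" policy is an assumption about the behaviour the "too many additional rrs" log line suggests, namely that only a single additional RR, the TSIG, is tolerated; it is not OpenDNSSEC's actual code. The EDNS-aware policy accepts at most one OPT plus an optional TSIG that must be last, as RFC 6891 and RFC 8945 require. The query bytes, the cookie value, the key name `keyname.`, the timestamp and the all-zero MAC are constructed placeholders.

```python
"""Added example: how a query with EDNS OPT + TSIG fares under two additional-section
policies. Not code from the post, OpenDNSSEC or BIND; the 'strict' policy is a model."""
import struct

TYPE_SOA, TYPE_OPT, TYPE_TSIG = 6, 41, 250
CLASS_IN, CLASS_ANY = 1, 255
EDNS_OPT_COOKIE = 10            # option code for DNS Cookies (RFC 7873)
RCODE_NOERROR, RCODE_FORMERR = 0, 1


def encode_name(name):
    """Uncompressed wire form of a domain name ('.' -> b'\\x00')."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, off):
    """Read an uncompressed name at msg[off:]; return (name, new offset)."""
    labels = []
    while True:
        ln = msg[off]
        off += 1
        if ln == 0:
            break
        if ln & 0xC0:
            raise ValueError("compression pointer not expected in a query owner name")
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels) + ".", off


def build_query(qname, edns=True, tsig=True, qid=45391):
    """Constructed SOA query, RD clear (like dig +norec). Cookie, key name, time
    and the all-zero MAC are placeholders; the MAC is not a real HMAC."""
    additional = []
    if edns:
        cookie = struct.pack("!HH", EDNS_OPT_COOKIE, 8) + b"\x11" * 8      # constructed client cookie
        # OPT (RFC 6891): owner '.', CLASS field = UDP payload size, TTL = extended rcode/flags
        additional.append(encode_name(".") + struct.pack("!HHIH", TYPE_OPT, 4096, 0, len(cookie)) + cookie)
    if tsig:
        rdata = (encode_name("hmac-sha256.")
                 + struct.pack("!HI", 0, 1559140000)        # 48-bit time signed
                 + struct.pack("!H", 300)                   # fudge
                 + struct.pack("!H", 32) + b"\x00" * 32     # MAC size, MAC (placeholder)
                 + struct.pack("!HHH", qid, 0, 0))          # original ID, error, other len
        # TSIG (RFC 8945): owner = key name, class ANY, TTL 0, last RR of the message
        additional.append(encode_name("keyname.") + struct.pack("!HHIH", TYPE_TSIG, CLASS_ANY, 0, len(rdata)) + rdata)
    header = struct.pack("!HHHHHH", qid, 0, 1, 0, 0, len(additional))
    question = encode_name(qname) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    return header + question + b"".join(additional)


def parse_additional(msg):
    """Walk past the question and return every RR as (owner, type, class, rdata)."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        _, off = decode_name(msg, off)
        off += 4                                             # QTYPE + QCLASS
    rrs = []
    for _ in range(an + ns + ar):
        owner, off = decode_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rrs.append((owner, rtype, rclass, msg[off:off + rdlen]))
        off += rdlen
    if off != len(msg):
        raise ValueError("trailing bytes after last RR")
    return rrs


def parse_edns_options(rdata):
    """Split OPT RDATA into (option code, option data) pairs."""
    opts, off = [], 0
    while off + 4 <= len(rdata):
        code, ln = struct.unpack("!HH", rdata[off:off + 4])
        off += 4
        opts.append((code, rdata[off:off + ln]))
        off += ln
    if off != len(rdata):
        raise ValueError("truncated EDNS option")
    return opts


def find_tsig_strict(msg):
    """Model (assumption) of the behaviour the post's log suggests: at most one
    additional RR, and it has to be the TSIG. Returns (rcode, key name or reason)."""
    rrs = parse_additional(msg)
    if not rrs:
        return RCODE_NOERROR, None
    if len(rrs) > 1:
        return RCODE_FORMERR, "too many additional rrs"
    owner, rtype, rclass, _ = rrs[0]
    if rtype != TYPE_TSIG or rclass != CLASS_ANY:
        return RCODE_FORMERR, "not TSIG or not ANY"
    return RCODE_NOERROR, owner


def find_tsig_edns_aware(msg):
    """Accept one optional OPT (owner '.') and one optional TSIG that must be the
    last RR with class ANY; anything else is FORMERR. Returns (rcode, info)."""
    rrs = parse_additional(msg)
    opt, tsig_key = None, None
    for i, (owner, rtype, rclass, rdata) in enumerate(rrs):
        if rtype == TYPE_OPT:
            if opt is not None or owner != ".":
                return RCODE_FORMERR, "duplicate or malformed OPT"
            opt = (rclass, parse_edns_options(rdata))
        elif rtype == TYPE_TSIG:
            if i != len(rrs) - 1 or rclass != CLASS_ANY:
                return RCODE_FORMERR, "TSIG not last or not class ANY"
            tsig_key = owner
        else:
            return RCODE_FORMERR, "unexpected additional RR"
    return RCODE_NOERROR, {"tsig_key": tsig_key,
                           "udp_payload": opt[0] if opt else None,
                           "edns_options": opt[1] if opt else []}


if __name__ == "__main__":
    q = build_query("some-zone-served-by-ods.")
    print("strict, EDNS+TSIG:", find_tsig_strict(q))
    print("strict, +noedns  :", find_tsig_strict(build_query("some-zone-served-by-ods.", edns=False)))
    print("EDNS-aware       :", find_tsig_edns_aware(q))
```

Running it shows the two verdicts side by side: the strict policy returns FORMERR for the OPT+TSIG query and NOERROR once the OPT is dropped, which matches what `+noedns` (or a BIND `server` clause with `edns no`) does from the client side, while the EDNS-aware walk recovers the TSIG key name, the advertised UDP payload size and the COOKIE option from the same bytes.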