26 Úno
2025
26 Úno
'25
23:49
I am testing IXFR for servers I did not install nor have easy access
to. version.server. says it is 3.2.6. I know there are IXFR changes
since then per the NEWS file and from git log. I don't see same
behavior on my different version different systems but they are also
configured differently.
The knot.conf zones are not configured with "zonefile-load: difference"
and the response effectively has the entire zone as if was AXFR and not
the changes. If I pass the IXFR SOA SERIAL to latest it has no changes
(answer has has the SOA only with same serial).
I used dnspython to output the response from doing IXFR queries (IXFR
question with SOA authoritative set with the serial in the query). I
noticed the output abruptly stops when "dig" doesn't stop.
So I used tcpdump many times to compare knot, named, and my other knot.
I found an odd behavior in this knot 3.2.6 response which dig ignores
and my dnspython fails.
After the expect record it has
1) OPT record with the requestors pay load size (class 1232) and edns rcode
and flags (all zeros ttl), then 00 rdlength and 00 rdata field.
2) then 28 bytes I don't understand such as:
40 11be dc80 0000 0101 fa00 0000 01
or
40 20be dc80 0000 0102 0300 0000 01
or
40 0fe1 6a81 0000 0102 0500 0000 00
or
12 8de1 6a81 0000 0100 9200 0000 00
3) then an IXFR record
following other labels ...
0363 6f6d 00 three characters "com" and end of domain
00 fb IXFR record type
00 01 INternet class
and then ends there, with NO ttl, rdlength, nor rdata.
4) followed by next label length, label ... etc with rrtype, class, ttl,
rdlength, rdata and so on.
This odd OPT, bytes I don't know, partial/broken IXFR record, may be
repeated a few times. I assume these were interspersed where IXFR's SOA
records should be.
I couldn't find an RFC that suggested using interspersed OPT nor IXFR
records. I find it odd that OPT record is in my ANSWER section.
I find it odd that the IXFR record is incomplete. And I don't know what
the other bytes are in-between.
This recognizable to anyone?
The IXFR works fine as seen with dig or when I use named as my
secondary but I assume the named is ignoring the junk parts too.
27 Úno
27 Úno
7:04
Hi Jeremy,
just after a quick read, couldn't it be related to
https://github.com/rthalley/dnspython/issues/1150 and
https://github.com/rthalley/dnspython/pull/1151 ?
If you confirm that it isn't, I will give a more careful read.
Thank you,
Libor
On 26. 02. 25 23:49, Jeremy C. Reed wrote:
I am testing IXFR for servers I did not install nor
have easy access
to. version.server. says it is 3.2.6. I know there are IXFR changes
since then per the NEWS file and from git log. I don't see same
behavior on my different version different systems but they are also
configured differently.
The knot.conf zones are not configured with "zonefile-load: difference"
and the response effectively has the entire zone as if was AXFR and not
the changes. If I pass the IXFR SOA SERIAL to latest it has no changes
(answer has has the SOA only with same serial).
I used dnspython to output the response from doing IXFR queries (IXFR
question with SOA authoritative set with the serial in the query). I
noticed the output abruptly stops when "dig" doesn't stop.
So I used tcpdump many times to compare knot, named, and my other knot.
I found an odd behavior in this knot 3.2.6 response which dig ignores
and my dnspython fails.
After the expect record it has
1) OPT record with the requestors pay load size (class 1232) and edns rcode
and flags (all zeros ttl), then 00 rdlength and 00 rdata field.
2) then 28 bytes I don't understand such as:
40 11be dc80 0000 0101 fa00 0000 01
or
40 20be dc80 0000 0102 0300 0000 01
or
40 0fe1 6a81 0000 0102 0500 0000 00
or
12 8de1 6a81 0000 0100 9200 0000 00
3) then an IXFR record
following other labels ...
0363 6f6d 00 three characters "com" and end of domain
00 fb IXFR record type
00 01 INternet class
and then ends there, with NO ttl, rdlength, nor rdata.
4) followed by next label length, label ... etc with rrtype, class, ttl,
rdlength, rdata and so on.
This odd OPT, bytes I don't know, partial/broken IXFR record, may be
repeated a few times. I assume these were interspersed where IXFR's SOA
records should be.
I couldn't find an RFC that suggested using interspersed OPT nor IXFR
records. I find it odd that OPT record is in my ANSWER section.
I find it odd that the IXFR record is incomplete. And I don't know what
the other bytes are in-between.
This recognizable to anyone?
The IXFR works fine as seen with dig or when I use named as my
secondary but I assume the named is ignoring the junk parts too.
--
20:29
On Thu, 27 Feb 2025, Libor Peltan wrote:
just after a quick read, couldn't it be related to
https://github.com/rthalley/dnspython/issues/1150 and
https://github.com/rthalley/dnspython/pull/1151 ?
Thanks for this. I am not using the same dnspython features, but this
did prompt me to look further.
I now see I was confused and share some more notes below:
On 26. 02. 25 23:49, Jeremy C. Reed wrote:
> 1) OPT record with the requestors pay load size (class 1232) and edns rcode
> and flags (all zeros ttl), then 00 rdlength and 00 rdata field.
>
> 2) then 28 bytes I don't understand such as:
Ahhh I now realize the knot was sending multiple DNS responses in the
same packet.
The OPT record above was in the additional section and then:
> 40 11be dc80 0000 0101 fa00 0000 01
40 11 == new response starts and indicates TCP 16401 bytes
then begins the header again:
be dc == txid 48860
80 00 == flags 1000000000000000 QR set and all rest is unset
00 01 == query count 1
01 fa == answer count 506
00 00 == auth section count zero
00 01 == addition section count 1 (the OPT record)
> 3) then an IXFR record
because that is the question again
So I had interspersed responses for the AXFR.
So thanks for suggesting I look at dnspython.
Does anyone know what RFC clearly explains about multiple DNS messages
in a single response?
And where is the knot code that divides up long responses into separate
DNS messages?
Again I saw this in the same TCP packets. And from multiple tcpdumps
from BIND named I never saw this behavior. So I am curious.
I will now look into my dnspython to see why it doesn't continue with
the next DNS message (starting with the TCP count, DNS header, question
section.) I'd like to know what RFC is clear about this behavior.
122
days inactive
124
days old
3 comments
2 participants
participants (2)
-
Jeremy C. Reed -
Libor Peltan