DNSSEC failure on insecure subzone with cold cache - knot-resolver-users

16 Říj 2021

Whilst setting up Knot Resolver (version 5.4.1 on Rocky 8), it fails to
resolve 213-133-203-34.newtel.in-addr.itconsult.net with a cold cache, but
succeeds if the cache has been specifically warmed.  With the cold cache
SERVFAIL is returned and it logs:-

...
 Oct 16 18:40:52 dt05 kresd[36140]: [dnssec] validation
failure: 213-133-203-34.newtel.in-addr.itconsult.net. PTR 
The zone cut is between itconsult.net & newtel.in-addr.itconsult.net.
Also whilst itconsult.net is DNSSEC signed, newtel.in-addr.itconsult.net is
not.  Thus, in-addr.itconsult.net is an empty non-terminal.

If one asks for NS for newtel.in-addr.itconsult.net, thereafter resolution
of the PTR then succeeds:-

...
 [root@dt05 ~]# dig @dt05 -p 533 -t ptr
213-133-203-34.newtel.in-addr.itconsult.net

; <<>> DiG 9.11.26-RedHat-9.11.26-4.el8_4 <<>> @dt05 -p 533 -t ptr
213-133-203-34.newtel.in-addr.itconsult.net
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 39692
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;213-133-203-34.newtel.in-addr.itconsult.net. IN        PTR

;; Query time: 6 msec
;; SERVER: 193.201.42.59#533(193.201.42.59)
;; WHEN: Sat Oct 16 18:40:52 BST 2021
;; MSG SIZE  rcvd: 72

[root@dt05 ~]# dig @dt05 -p 533 -t ns newtel.in-addr.itconsult.net

; <<>> DiG 9.11.26-RedHat-9.11.26-4.el8_4 <<>> @dt05 -p 533 -t ns
newtel.in-addr.itconsult.net
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2636
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;newtel.in-addr.itconsult.net.  IN      NS

;; ANSWER SECTION:
newtel.in-addr.itconsult.net. 86400 IN  NS      c.itconsult-dns.je.
newtel.in-addr.itconsult.net. 86400 IN  NS      d.itconsult-dns.co.uk.
newtel.in-addr.itconsult.net. 86400 IN  NS      e.itconsult-dns.biz.
newtel.in-addr.itconsult.net. 86400 IN  NS      a.itconsult-dns.net.
newtel.in-addr.itconsult.net. 86400 IN  NS      b.itconsult-dns.org.

;; Query time: 2 msec
;; SERVER: 193.201.42.59#533(193.201.42.59)
;; WHEN: Sat Oct 16 18:41:05 BST 2021
;; MSG SIZE  rcvd: 223

[root@dt05 ~]# dig @dt05 -p 533 -t ptr 213-133-203-34.newtel.in-addr.itconsult.net

; <<>> DiG 9.11.26-RedHat-9.11.26-4.el8_4 <<>> @dt05 -p 533 -t ptr
213-133-203-34.newtel.in-addr.itconsult.net
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8992
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;213-133-203-34.newtel.in-addr.itconsult.net. IN        PTR

;; ANSWER SECTION:
213-133-203-34.newtel.in-addr.itconsult.net. 43200 IN PTR eth0-70.qr-r01a.itconsult.net.

;; Query time: 1 msec
;; SERVER: 193.201.42.59#533(193.201.42.59)
;; WHEN: Sat Oct 16 18:41:08 BST 2021
;; MSG SIZE  rcvd: 102 
My suspicion (being new to Knot Resolver) is that this somehow relates to
QNAME minimisation.

DNSviz is not reporting any problems:-

...

https://dnsviz.net/d/213-133-203-34.newtel.in-addr.itconsult.net/dnssec/ 
Is this a bug, or expected behaviour with a slightly odd setup?

Best wishes,
Matthew