Package: knot
Version: 3.2.6-1
Severity: normal

Hello,

knot fails to load a dnssec'd zone from my primary that has a DNAME RR for @ and is using NSEC3. The complete zone looks as follows (AXFR from the primary running powerdns):

    $ dig xn--kleine-knig-yfb.de AXFR

    ; <<>> DiG 9.18.28-1~deb12u2-Debian <<>> -p 20054 @::1 xn--kleine-knig-yfb.de AXFR
    ; (1 server found)
    ;; global options: +cmd
    kleine-könig.de. 86400 IN SOA ns2.kleine-koenig.org. hostmaster.kleine-koenig.org. 1736764301 86400 7200 3600000 3600
    kleine-könig.de. 86400 IN RRSIG SOA 13 2 86400 20250123000000 20250102000000 49577 kleine-könig.de. //NsZ+whtdmiwZAcPAK9I5D8gnJmQmhYU03+V89MyP2sUUhoPCqH9wm4 oZDBIPhTPaafxjzPp0TG9AZs0PXGpg==
    kleine-könig.de. 3600 IN CDNSKEY 257 3 13 5x9NvwijkGmX1vZ4Byf2sfvpA6KJ9w/DUw3b/4lnW32c1XkVzdO6QgfR 0R2ENv8L7EMXbvolD+1nsAqfw3B4lg==
    kleine-könig.de. 3600 IN RRSIG CDNSKEY 13 2 3600 20250123000000 20250102000000 49577 kleine-könig.de. STWvA4KLPKOTt5fpKi5r4Ee76xarySRybzlHfxefxnVfTQ9SXmUM/9qK 58ID3s8BIjHwF/r0We9CLyGT7ofrMA==
    kleine-könig.de. 86400 IN CAA 0 issue "letsencrypt.org"
    kleine-könig.de. 86400 IN RRSIG CAA 13 2 86400 20250123000000 20250102000000 49577 kleine-könig.de. 59rCG4fLcDQ90sGRtVuSM4JGYSVp2/HMflG3WtOCu7UQu5ohMWz2vyCu Qd/uu8GERuWmk+9lKOS/zUAxSIrvEw==
    em5o7i501gsnnfbclns7875msud9pn8a.kleine-könig.de. 3600 IN NSEC3 1 0 0 - EM5O7I501GSNNFBCLNS7875MSUD9PN8A A NS SOA MX TXT AAAA DNAME RRSIG DNSKEY NSEC3PARAM CDS CDNSKEY SPF CAA
    em5o7i501gsnnfbclns7875msud9pn8a.kleine-könig.de. 3600 IN RRSIG NSEC3 13 3 3600 20250123000000 20250102000000 49577 kleine-könig.de. 1cilEvMF14sqvyOY5nXDNO5IqMAEFBW1AUVNpv8G6qQF/lXzg1UZBbdN Cvlw0N43pBT7FVN3I3lLCQtHyFkEMA==
    kleine-könig.de. 86400 IN A 162.55.41.232
    kleine-könig.de. 86400 IN RRSIG A 13 2 86400 20250123000000 20250102000000 49577 kleine-könig.de. qlbQMRX/apwLwwx7PnYK/RkVl2m5bnmEJQkJUJy4Rt3iww+IDuZHpOIA VZuybpjmx3q3z6wvtLg6OnqbLCNTtg==
    kleine-könig.de. 86400 IN MX 30 mail.kleine-koenig.org.
    kleine-könig.de. 86400 IN RRSIG MX 13 2 86400 20250123000000 20250102000000 49577 kleine-könig.de. E+w/ZOhUwixY0pkQ4TXcBuXXIIw1bqkoF6Zgpi8Z9TGauFJsNxsYvC8R JBdZN97kcOA0Ky2S6JFLijt/89OYxA==
    kleine-könig.de. 86400 IN TXT "google-site-verification=Hd8EWs1e-5rP-YmFUyjcAgMSEhHOHrCd9CLSqsgq0J4"
    kleine-könig.de. 86400 IN TXT "v=spf1 +a:algol.kleine-koenig.org ~all"
    kleine-könig.de. 86400 IN RRSIG TXT 13 2 86400 20250123000000 20250102000000 49577 kleine-könig.de. XN9yM1rcSVZAXP0KIzFzZuye1/UKGawB4gD4Ds8ddiohwyulZnZorIpY TPc4wrUCQaXP1dce6hS4fHZQbVgXWw==
    kleine-könig.de. 86400 IN AAAA 2a01:4f8:c010:8611::2
    kleine-könig.de. 86400 IN RRSIG AAAA 13 2 86400 20250123000000 20250102000000 49577 kleine-könig.de. QLeZ4gFi67VUhfJl2ifXTEuxO+9PJFdX0/Zd4SR8To1h2lqPyqHXTGvW zCoeXQ3lgioQGCCIA2VoJVLq3FeQJg==
    kleine-könig.de. 3600 IN NSEC3PARAM 1 0 0 -
    kleine-könig.de. 3600 IN RRSIG NSEC3PARAM 13 2 3600 20250123000000 20250102000000 49577 kleine-könig.de. 1TQNeTZJq7eUUyct/4AtBPI4yXzt695oM1YeAJDovZH21eGw4RSGl2ve CQRQF/BB4PzlGhuF2hm6duWhqrduCA==
    kleine-könig.de. 86400 IN SPF "v=spf1 +a:algol.kleine-koenig.org ~all"
    kleine-könig.de. 86400 IN RRSIG SPF 13 2 86400 20250123000000 20250102000000 49577 kleine-könig.de. ANQlgQ7fpzQfPeTgtHeOTWtYTbUlV0G4u7eDEPXBwLAZCHm+2D2GYVdW W9gKFAQHjoW0jZOoUo9b1xsXqFdTDg==
    kleine-könig.de. 86400 IN NS ns-global.kjsl.com.
    kleine-könig.de. 86400 IN NS ns1.kleine-budde.de.
    kleine-könig.de. 86400 IN NS ns2.kleine-koenig.org.
    kleine-könig.de. 86400 IN RRSIG NS 13 2 86400 20250123000000 20250102000000 49577 kleine-könig.de. JmxLEAbz1hSVx5/wu2h5QEo05OtU42Zq9JbFyndgVAFMp1F90F1EfMlB 8vqywQH0VWnExSNmNKzPA07xxpAW4Q==
    kleine-könig.de. 86400 IN DNAME kleine-koenig.org.
    kleine-könig.de. 86400 IN RRSIG DNAME 13 2 86400 20250123000000 20250102000000 49577 kleine-könig.de. nSgCrbsCMfQrZDyv9RUchBgMwLavKZ+bV5nocIqIqusqnqknrFqNKDRo jJ+PJM5ePs5Ivouf7QH6oAGlxXGBQQ==
    kleine-könig.de. 3600 IN DNSKEY 257 3 13 5x9NvwijkGmX1vZ4Byf2sfvpA6KJ9w/DUw3b/4lnW32c1XkVzdO6QgfR 0R2ENv8L7EMXbvolD+1nsAqfw3B4lg==
    kleine-könig.de. 3600 IN RRSIG DNSKEY 13 2 3600 20250123000000 20250102000000 49577 kleine-könig.de. emvbjbGiKcybBBCVLFFktgSZpA1k//4HtgG/ROrIUqk0fBPXrD3F6HIf R6TCzyP5ihTLbNPpi+yfhA1uykk5bw==
    kleine-könig.de. 3600 IN CDS 49577 13 2 F9A24BB8594D631316BC975D9842A9B5FE0471F635F6C699D7D2FB83 4D4A523A
    kleine-könig.de. 3600 IN RRSIG CDS 13 2 3600 20250123000000 20250102000000 49577 kleine-könig.de. bMv+cK0FLt/UJ4ZqnftgxqBAAsR/WCuqkxKBL+hLPD+EWva7HbQiDmVE a26JOIfN7ZWeZkABb4e9VoQCME0YVw==
    kleine-könig.de. 86400 IN SOA ns2.kleine-koenig.org. hostmaster.kleine-koenig.org. 1736764301 86400 7200 3600000 3600
    ;; Query time: 55 msec
    ;; SERVER: ::1#20054(::1) (TCP)
    ;; WHEN: Mon Jan 13 11:32:31 CET 2025
    ;; XFR size: 32 records (messages 3, bytes 2666)

and knot logs:

    Jan 13 11:31:59 algol knotd[2793373]: error: [xn--kleine-knig-yfb.de.] check, node xn--kleine-knig-yfb.de., child record exists under DNAME
    Jan 13 11:31:59 algol knotd[2793373]: info: [xn--kleine-knig-yfb.de.] refresh, address fdb0:5279:7365::3@20054, failed (semantic check)
    Jan 13 11:31:59 algol knotd[2793373]: error: [xn--kleine-knig-yfb.de.] refresh, failed (no usable master), next retry at 2025-01-13T13:31:59+0100
    Jan 13 11:31:59 algol knotd[2793373]: error: [xn--kleine-knig-yfb.de.] zone event 'refresh' failed (no usable master)

When dropping the DNAME RR, the zone loads fine. It also works fine when using NSEC instead of NSEC3. (The latter is my current workaround.)

knot=3.4.3-1 behaves in the same way.

In my understanding a child record under DNAME is forbidden except for NSEC3.

Best regards
Uwe

-- System Information:
Debian Release: 12.9
  APT prefers stable-security
  APT policy: (700, 'stable-security'), (700, 'stable'), (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.0-21-amd64 (SMP w/2 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages knot depends on:
ii  adduser              3.134
ii  init-system-helpers  1.65.2
ii  libc6                2.36-9+deb12u9
ii  libcap-ng0           0.8.3-1+b3
ii  libdnssec9           3.2.6-1
ii  libedit2             3.1-20221030-2
ii  libgnutls30          3.7.9-2+deb12u3
ii  libknot13            3.2.6-1
ii  liblmdb0             0.9.24-1
ii  libsystemd0          252.33-1~deb12u1
ii  liburcu8             0.13.2-1
ii  libzscanner4         3.2.6-1

knot recommends no packages.

Versions of packages knot suggests:
ii  systemd  252.33-1~deb12u1

-- Configuration Files:
/etc/knot/knot.conf [Errno 13] Permission denied: '/etc/knot/knot.conf'

-- no debconf information
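
Added example, not part of the original report and not Knot DNS code: a minimal zone check for the rule as the reporter states it (an assumption taken from the report), that nothing may exist below a DNAME owner except NSEC3 records and the RRSIGs covering them. The function names, the `exempt_nsec3` switch and the `www` record are hypothetical; the other sample records are abbreviated from the AXFR above, in A-label form with signatures replaced by a placeholder.

```python
# Added illustration, not Knot DNS code. Assumed rule (the reporter's reading):
# no record may exist below a DNAME owner, except NSEC3 and the RRSIG over it.

# Constructed sample: records abbreviated from the AXFR above (A-label form,
# signatures replaced by a placeholder); the "www" record is invented.
SAMPLE = """\
xn--kleine-knig-yfb.de. 86400 IN DNAME kleine-koenig.org.
xn--kleine-knig-yfb.de. 86400 IN RRSIG DNAME 13 2 86400 <sig-placeholder>
xn--kleine-knig-yfb.de. 3600 IN NSEC3PARAM 1 0 0 -
em5o7i501gsnnfbclns7875msud9pn8a.xn--kleine-knig-yfb.de. 3600 IN NSEC3 1 0 0 - EM5O7I501GSNNFBCLNS7875MSUD9PN8A A NS SOA DNAME RRSIG
em5o7i501gsnnfbclns7875msud9pn8a.xn--kleine-knig-yfb.de. 3600 IN RRSIG NSEC3 13 3 3600 <sig-placeholder>
www.xn--kleine-knig-yfb.de. 86400 IN A 192.0.2.1
"""

def labels(name):
    """Lower-cased labels of a domain name, root label dropped."""
    return [l for l in name.lower().rstrip(".").split(".") if l]

def is_below(name, ancestor):
    """True if name is a strict subdomain of ancestor."""
    n, a = labels(name), labels(ancestor)
    return len(n) > len(a) and n[len(n) - len(a):] == a

def parse(zone_text):
    """Yield (owner, type, covered_type) from 'owner ttl IN type rdata' lines."""
    for line in zone_text.splitlines():
        f = line.split()
        if len(f) < 5 or f[0].startswith(";") or f[2] != "IN":
            continue
        yield f[0], f[3], (f[4] if f[3] == "RRSIG" else None)

def dname_violations(zone_text, exempt_nsec3=True):
    """Return (owner, type) pairs that sit below a DNAME owner."""
    records = list(parse(zone_text))
    dname_owners = {o for o, t, _ in records if t == "DNAME"}
    bad = []
    for owner, rtype, covered in records:
        effective = covered or rtype  # an RRSIG is judged by the type it covers
        if exempt_nsec3 and effective == "NSEC3":
            continue
        if any(is_below(owner, d) for d in dname_owners):
            bad.append((owner, rtype))
    return bad

if __name__ == "__main__":
    print("with NSEC3 exemption:   ", dname_violations(SAMPLE))
    print("without NSEC3 exemption:", dname_violations(SAMPLE, exempt_nsec3=False))
```

With the exemption only the invented `www` record is reported; with `exempt_nsec3=False` the hashed NSEC3 owner and its RRSIG are reported as well.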