[Bug 213178] resolv "asked for IN A got RRSIG" syslog spamming with DNSSEC bit set

bugzilla-noreply at freebsd.org bugzilla-noreply at freebsd.org
Mon Oct 3 20:31:14 UTC 2016 

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=213178

            Bug ID: 213178
           Summary: resolv "asked for IN A got RRSIG" syslog spamming with
                    DNSSEC bit set
           Product: Base System
           Version: 10.3-STABLE
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: bin
          Assignee: freebsd-bugs at FreeBSD.org
          Reporter: alexander at wittig.name

Created attachment 175397
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=175397&action=edit
short test case triggering the warning to syslog

I noticed when compiling the mail/exim port with DNSSEC enabled (and with the
default local unbound resolving DNS server) I get many syslog messages to
/var/log/messages such as
   Oct  3 22:07:25 hotzenplotz exim: gethostby*.gethostanswer: asked for
"www.wittig.name IN A", got type "RRSIG"
This message repeats for every DNSSEC enabled lookup. The lookup itself is
successful.

I traced the problem back to src/lib/libc/net/getaddrinfo.c, around line 2100.
When the resolver receives a different record type than it asked for, the
warning is logged and the unknown record is ignored. The logging code is in
principle inside an #ifdef DEBUG, but it seems the code is compiled with DEBUG
set.

By default the libc resolver does not set the DNSSEC flag, as, from what I
understand, it does not yet know how to handle the response. However, it is
possible to set it from the user program (via the _res structure). This is what
exim does to enable DNSSEC. The attached sample code is a short extract of the
exim code setting these options and performing a lookup that triggers the
message logged to syslog.

The immediate solution to the problem is of course not to enable the DNSSEC
flag in user code as the libc resolver anyway doesn't support it yet. However,
as use of DNSSEC becomes more widely spread and other resolvers start to
support it, more code will probably enable it by default. And the warning
logged by the resolver is confusing as it warns about perfectly correct, normal
DNSSEC behavior.

The resolver code already contains a list of accepted responses where the
response record type can differ from what was requested. This includes the old
SIG and KEY records as well as DNAME records (see old bug bin/127591 for an
almost identical problem arising from DNAME instead of RRSIG). It would be
straight forward to also add RRSIGs and DNSKEYs to the list of exempted
responses.

Alternatively, the file in question could just be compiled without DEBUG set,
which would remove the logging of such warnings.

Note that glibc, who's resolver is based on the same original bind code base,
on the other hand simply decided to completely drop these messages and remove
them from the code
(https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=b9b026c9c00db1a1b5b4a3caa28162655a04a882).

-- 
You are receiving this mail because:
You are the assignee for the bug.

More information about the freebsd-bugs mailing list