Re: [exim] DNS problems with sending via multiple smarthosts

Author: Viktor Dukhovni
To: exim-users
Subject: Re: [exim] DNS problems with sending via multiple smarthosts
On Fri, Jul 19, 2019 at 09:15:26AM +0300, Evgeniy Berdnikov via Exim-users wrote:

> > Might there be a dnssec-related difference?
> Definitely NO, because this difference is in client's initial packets.

Actually, the "tcpdump" documentation is misleading. In the attached
PCAP file (single outbound query), "tcpdump" reports "[1au]", but the
query has no authority records, rather it has an EDNS(0) OPT record:

tcpdump output:

    02:57:17.063675 IP (tos 0x0, ttl 64, id 37926, offset 0, flags [none], proto UDP (17), length 76) > 45584+% [1au] NS? (48)

tshark output:

    Domain Name System (query)
    Transaction ID: 0xb210
    Flags: 0x0110 Standard query
        0... .... .... .... = Response: Message is a query
        .000 0... .... .... = Opcode: Standard query (0)
        .... ..0. .... .... = Truncated: Message is not truncated
        .... ...1 .... .... = Recursion desired: Do query recursively
        .... .... .0.. .... = Z: reserved (0)
        .... .... ...1 .... = Non-authenticated data: Acceptable
    Questions: 1
    Answer RRs: 0
    Authority RRs: 0
    Additional RRs: 1
    Queries type NS, class IN
        [Name Length: 19]
        [Label Count: 2]
        Type: NS (authoritative Name Server) (2)
        Class: IN (0x0001)
    Additional records
        <Root>: type OPT
        Name: <Root>
        Type: OPT (41)
        UDP payload size: 8192
        Higher bits in extended RCODE: 0x00
        EDNS0 version: 0
        Z: 0x8000
            1... .... .... .... = DO bit: Accepts DNSSEC security RRs
            .000 0000 0000 0000 = Reserved: 0x0000
        Data length: 0

The OPT record is needed to set the "DO" bit, and to convey the
EDNS buffer size. Some router on your network has broken DNS, and
is generating fake NXDomain responses for DNSSEC-enabled queries.

FWIW, Exim does not actually "need" to set the DO bit, setting the
AD bit in the request would suffice, and would not require an OPT
record, but libresolv does not have a "RES_AD" option, rather it only
has RES_DNSSEC, which then also elicits the AD bit.

If there were a simple way to get the stub resolver to set only
the AD bit, Exim could use that, and you'd not run into this
particular obstacle, but the fault is with whatever device
is filtering your DNS queries. It is b0rked, and it would
be good to find a way to get it to stop doing that.
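As an added illustration (not part of Viktor's message or of Exim's own code): a small Python builder and decoder for a query shaped like the one above, which reads the header counts, the RD/AD/CD flag bits and the EDNS(0) OPT record directly, so that what tcpdump prints as "[1au]" can be checked against what is actually in the additional section. The queried name example.net is a placeholder; the transaction ID, flags, payload size and DO bit are taken from the tshark output.

```python
import struct

def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels ending in a zero byte."""
    labels = [l.encode("ascii") for l in name.rstrip(".").split(".")]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"

def build_query(txid, name, qtype, flags=0x0110, udp_size=8192, do_bit=True):
    """Constructed sample query: one question plus one EDNS(0) OPT record."""
    header = struct.pack("!6H", txid, flags, 1, 0, 0, 1)   # QD=1 AN=0 NS=0 AR=1
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    # OPT: owner is the root name, CLASS carries the UDP payload size and the
    # TTL field carries extended RCODE (8) | version (8) | Z (16, DO = 0x8000).
    ttl = 0x8000 if do_bit else 0
    opt = b"\x00" + struct.pack("!HHIH", 41, udp_size, ttl, 0)
    return header + question + opt

def decode_name(pkt, off):
    """Decode an uncompressed name; compression pointers are not expected in a query."""
    labels = []
    while True:
        n = pkt[off]
        if n == 0:
            return ".".join(labels) + ".", off + 1
        if n & 0xC0 == 0xC0:
            raise ValueError("compression pointer in query name")
        labels.append(pkt[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n

def parse_query(pkt):
    """Return header flags, section counts, questions and the OPT record (if any)."""
    txid, flags, qd, an, ns, ar = struct.unpack("!6H", pkt[:12])
    info = {"txid": txid, "rd": bool(flags & 0x0100), "ad": bool(flags & 0x0020),
            "cd": bool(flags & 0x0010), "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar, "questions": [], "opt": None}
    off = 12
    for _ in range(qd):
        name, off = decode_name(pkt, off)
        qtype, qclass = struct.unpack("!HH", pkt[off:off + 4])
        off += 4
        info["questions"].append((name, qtype, qclass))
    for _ in range(ar):   # authority section is empty (ns == 0), so this is next
        name, off = decode_name(pkt, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10 + rdlen
        if rtype == 41 and name == ".":
            info["opt"] = {"udp_size": rclass, "ext_rcode": ttl >> 24,
                           "version": (ttl >> 16) & 0xFF, "do": bool(ttl & 0x8000)}
    return info

if __name__ == "__main__":
    print(parse_query(build_query(0xb210, "example.net", 2)))
```

The decoded record shows nscount 0 and arcount 1, i.e. the "1au" is an OPT record in the additional section, not an authority record.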