unbound
SHOULD in section 4.2 of RFC 9460 not implemented
Describe the bug
Section 4.2 of RFC 9460 specifies:
"Recursive resolvers that are aware of SVCB SHOULD help the client to execute the procedure in Section 3 with minimum overall latency by incorporating additional useful information into the Additional section of the response", and continues with detail.
Such "additional useful information" is missing.
Impact
The client application has to perform iterative DNS lookups to assemble the information needed to connect to the desired service.
To reproduce
Steps to reproduce the behavior:
- dig HTTPS alias-three.esni.defo.ie. returns no Additional section (other than the OPT pseudo-section):
; <<>> DiG 9.18.26 <<>> https alias-three.esni.defo.ie.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45636
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;alias-three.esni.defo.ie. IN HTTPS
;; ANSWER SECTION:
alias-three.esni.defo.ie. 3600 IN HTTPS 0 alias-two.esni.defo.ie.
;; Query time: 203 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Fri May 10 11:39:56 IST 2024
;; MSG SIZE rcvd: 91
Expected behavior
The Additional section should include the AliasMode HTTPS RR(s) which belong to the alias chain, the ServiceMode HTTPS RR(s) containing the service parameters to be used, and A or AAAA RRs containing the address(es) of the target server, as (for example) is provided by the authoritative name servers for the defo.ie zone:
% dig https alias-three.esni.defo.ie. +norec @vertex.nmugroup.se.
; <<>> DiG 9.18.26 <<>> https alias-three.esni.defo.ie. +norec @vertex.nmugroup.se.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55666
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 5, ADDITIONAL: 6
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 3487aa418a8d982b01000000663dfad2fba66ffacd31baa1 (good)
; EDE: 18 (Prohibited)
;; QUESTION SECTION:
;alias-three.esni.defo.ie. IN HTTPS
;; ANSWER SECTION:
alias-three.esni.defo.ie. 3600 IN HTTPS 0 alias-two.esni.defo.ie.
;; AUTHORITY SECTION:
defo.ie. 3600 IN NS unit.nmugroup.com.
defo.ie. 3600 IN NS vertex.nmugroup.se.
defo.ie. 3600 IN NS ns2.my-own.net.
defo.ie. 3600 IN NS origo.nmugroup.com.
defo.ie. 3600 IN NS ephemera.nmugroup.se.
;; ADDITIONAL SECTION:
cover.defo.ie. 3600 IN AAAA 2a00:c6c0:0:116:5::10
cover.defo.ie. 3600 IN A 213.108.108.101
alias-two.esni.defo.ie. 3600 IN HTTPS 0 alias-one.esni.defo.ie.
alias-one.esni.defo.ie. 3600 IN HTTPS 0 cover.defo.ie.
cover.defo.ie. 1800 IN HTTPS 1 . ipv4hint=213.108.108.101 ech=AED+DQA8OgAgACAoLKCX0qn19m0sQe2qCbbmmTwNOTShWmPt4jImumCMBQAEAAEAAQANY292ZXIuZGVmby5pZQAA ipv6hint=2a00:c6c0:0:116:5::10
;; Query time: 43 msec
;; SERVER: 2a02:752:0:18::18#53(vertex.nmugroup.se.) (UDP)
;; WHEN: Fri May 10 11:45:38 IST 2024
;; MSG SIZE rcvd: 496
2024-05-10 11:45 niall@my-mba ESNI-Project/Vagrant
%
System:
- Unbound version: 1.20.0
- Package manager: Homebrew
- OS: macOS Sonoma 14.4.1 (23E224)
- unbound -V output:
Version 1.20.0
Configure line: --prefix=/usr/local/Cellar/unbound/1.20.0 --sysconfdir=/usr/local/etc --enable-event-api --enable-tfo-client --enable-tfo-server --with-libevent=/usr/local/opt/libevent --with-libnghttp2=/usr/local/opt/libnghttp2 --with-ssl=/usr/local/opt/openssl@3 --with-libexpat=/Library/Developer/CommandLineTools/SDKs/MacOSX14.sdk/usr
Linked libs: libevent 2.1.12-stable (it uses kqueue), OpenSSL 3.3.0 9 Apr 2024
Linked modules: dns64 respip validator iterator
TCP Fastopen feature available
BSD licensed, see LICENSE in source package for details.
Report bugs to [email protected] or https://github.com/NLnetLabs/unbound/issues
Additional information
[This section intentionally left blank]
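The difference between the two responses above can be checked mechanically. The following is an added example, not part of the original report and not Unbound code: it walks the AliasMode chain using only the records present in a single response and lists the lookups a client would still have to send. The function names, the `max_hops` limit and the trimmed sample records (the `ech` parameter is left out) are assumptions made for this illustration.

```python
import re

# Matches dig presentation-format lines: owner, TTL, class IN, type, rdata.
RR = re.compile(r"^(\S+)\s+\d+\s+IN\s+(HTTPS|SVCB|A|AAAA)\s+(.*)$")

# Records from the two responses in the report (ech SvcParam trimmed).
RECURSIVE = """
alias-three.esni.defo.ie. 3600 IN HTTPS 0 alias-two.esni.defo.ie.
"""
AUTHORITATIVE = RECURSIVE + """
cover.defo.ie. 3600 IN AAAA 2a00:c6c0:0:116:5::10
cover.defo.ie. 3600 IN A 213.108.108.101
alias-two.esni.defo.ie. 3600 IN HTTPS 0 alias-one.esni.defo.ie.
alias-one.esni.defo.ie. 3600 IN HTTPS 0 cover.defo.ie.
cover.defo.ie. 1800 IN HTTPS 1 . ipv4hint=213.108.108.101 ipv6hint=2a00:c6c0:0:116:5::10
"""

def parse_rrs(dig_text):
    """Index HTTPS/SVCB/A/AAAA records by (owner, type); ';' lines are skipped."""
    rrs = {}
    for line in dig_text.splitlines():
        m = RR.match(line.strip())
        if m and not line.lstrip().startswith(";"):
            owner, rtype, rdata = m.groups()
            rrs.setdefault((owner.lower(), rtype), []).append(rdata)
    return rrs

def follow_up_queries(dig_text, qname, rtype="HTTPS", max_hops=8):
    """Return the (owner, type) lookups a client must still send after this response."""
    rrs = parse_rrs(dig_text)
    name = qname.lower()
    for _ in range(max_hops):
        records = rrs.get((name, rtype))
        if not records:
            return [(name, rtype)]          # chain breaks here: another query is needed
        priority, target = records[0].split()[:2]
        if priority == "0":                 # AliasMode
            if target == ".":
                return []                   # service declared unavailable, nothing to chase
            name = target.lower()
            continue
        # ServiceMode: a target of "." means the owner name itself.
        targets = {name if r.split()[1] == "." else r.split()[1].lower() for r in records}
        return sorted((t, a) for t in targets for a in ("A", "AAAA") if (t, a) not in rrs)
    return [(name, rtype)]                  # hop limit reached (max_hops is an assumption)

if __name__ == "__main__":
    for label, text in (("recursive", RECURSIVE), ("authoritative", AUTHORITATIVE)):
        print(label, follow_up_queries(text, "alias-three.esni.defo.ie."))
```

An empty list means the response alone carries everything needed to connect; each remaining entry is one more round trip for the client.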