Created attachment 175397: short test case triggering the warning to syslog

I noticed when compiling the mail/exim port with DNSSEC enabled (and with the default local unbound resolving DNS server) I get many syslog messages to /var/log/messages such as

Oct 3 22:07:25 hotzenplotz exim: gethostby*.gethostanswer: asked for "www.wittig.name IN A", got type "RRSIG"

This message repeats for every DNSSEC enabled lookup. The lookup itself is successful.

I traced the problem back to src/lib/libc/net/getaddrinfo.c, around line 2100. When the resolver receives a different record type than it asked for, the warning is logged and the unknown record is ignored. The logging code is in principle inside an #ifdef DEBUG, but it seems the code is compiled with DEBUG set.

By default the libc resolver does not set the DNSSEC flag, as, from what I understand, it does not yet know how to handle the response. However, it is possible to set it from the user program (via the _res structure). This is what exim does to enable DNSSEC. The attached sample code is a short extract of the exim code setting these options and performing a lookup that triggers the message logged to syslog.

The immediate solution to the problem is of course not to enable the DNSSEC flag in user code as the libc resolver anyway doesn't support it yet. However, as use of DNSSEC becomes more widely spread and other resolvers start to support it, more code will probably enable it by default. And the warning logged by the resolver is confusing as it warns about perfectly correct, normal DNSSEC behavior.

The resolver code already contains a list of accepted responses where the response record type can differ from what was requested. This includes the old SIG and KEY records as well as DNAME records (see old bug bin/127591 for an almost identical problem arising from DNAME instead of RRSIG). It would be straightforward to also add RRSIGs and DNSKEYs to the list of exempted responses.

Alternatively, the file in question could just be compiled without DEBUG set, which would remove the logging of such warnings. Note that glibc, whose resolver is based on the same original bind code base, on the other hand simply decided to completely drop these messages and remove them from the code (https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=b9b026c9c00db1a1b5b4a3caa28162655a04a882).
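The following is an added illustration, not the attached test case nor the libc code from the bug: a small parser for the answer section of a DNS response that treats RRSIG and DNSKEY records returned next to the requested type the way the report asks for (accepted silently, like SIG, KEY and DNAME already were), and only counts genuinely unexpected types as something worth a diagnostic. The wire-format message is constructed by hand for the example (the query name from the report's syslog line, a documentation address, and filler bytes in place of a real RRSIG signature); the function and type names are the example's own.

```c
/* Added example: classify answer records the way a DNSSEC-aware stub
 * resolver should. Not the FreeBSD libc code; names here are illustrative. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* RR type numbers from the IANA registry; SIG/KEY are the pre-RFC 4034 types */
enum { T_A = 1, T_CNAME = 5, T_SIG = 24, T_KEY = 25, T_AAAA = 28,
       T_DNAME = 39, T_RRSIG = 46, T_DNSKEY = 48 };

enum rr_class { RR_MATCH, RR_ALIAS, RR_DNSSEC, RR_UNEXPECTED };

struct answers {
    uint32_t addrs[8];   /* IPv4 addresses from matching A records */
    int naddrs;
    int matched;         /* records of the requested type */
    int skipped;         /* DNSSEC/DNAME records accepted without a warning */
    int unexpected;      /* records the old DEBUG code would have logged */
};

/* Decide how a returned type relates to the requested one. */
static enum rr_class classify_rr(uint16_t asked, uint16_t got)
{
    if (got == asked) return RR_MATCH;
    switch (got) {
    case T_CNAME:                       /* alias; a resolver chases it */
        return RR_ALIAS;
    case T_SIG: case T_KEY: case T_DNAME: case T_RRSIG: case T_DNSKEY:
        return RR_DNSSEC;               /* normal in a DO-bit response */
    default:
        return RR_UNEXPECTED;
    }
}

/* Skip an owner name (labels, optionally ending in a compression pointer).
 * Returns the offset after the name, or 0 if the message is malformed. */
static size_t skip_name(const uint8_t *m, size_t len, size_t off)
{
    while (off < len) {
        uint8_t l = m[off];
        if ((l & 0xC0) == 0xC0)          /* pointer: two bytes, ends the name */
            return (off + 2 <= len) ? off + 2 : 0;
        if (l == 0) return off + 1;      /* root label terminates */
        off += 1 + l;
    }
    return 0;
}

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static uint32_t rd32(const uint8_t *p)
{ return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3]; }

/* Walk the answer section of a response to a query for 'asked'.
 * Returns the number of records of the requested type, or -1 if malformed. */
int parse_answers(const uint8_t *m, size_t len, uint16_t asked, struct answers *out)
{
    memset(out, 0, sizeof *out);
    if (len < 12) return -1;
    uint16_t qdcount = rd16(m + 4), ancount = rd16(m + 6);
    size_t off = 12;
    for (int i = 0; i < qdcount; i++) {       /* skip the question section */
        off = skip_name(m, len, off);
        if (off == 0 || off + 4 > len) return -1;
        off += 4;                             /* qtype + qclass */
    }
    for (int i = 0; i < ancount; i++) {
        off = skip_name(m, len, off);
        if (off == 0 || off + 10 > len) return -1;
        uint16_t type = rd16(m + off), rdlen = rd16(m + off + 8);
        off += 10;                            /* type, class, ttl, rdlength */
        if (off + rdlen > len) return -1;     /* rdata must fit the message */
        switch (classify_rr(asked, type)) {
        case RR_MATCH:
            out->matched++;
            if (type == T_A && rdlen == 4 && out->naddrs < 8)
                out->addrs[out->naddrs++] = rd32(m + off);
            break;
        case RR_ALIAS:      break;            /* CNAME: handled as an alias */
        case RR_DNSSEC:     out->skipped++;    break;
        case RR_UNEXPECTED: out->unexpected++; break;
        }
        off += rdlen;
    }
    return out->matched;
}

/* Constructed response: "www.wittig.name IN A" answered with one A record
 * (192.0.2.1, a documentation address) and one RRSIG whose rdata is filler. */
const uint8_t *sample_msg(size_t *len)
{
    static const uint8_t msg[] = {
        0x12,0x34, 0x81,0x80, 0x00,0x01, 0x00,0x02, 0x00,0x00, 0x00,0x00,
        3,'w','w','w', 6,'w','i','t','t','i','g', 4,'n','a','m','e', 0,
        0x00,0x01, 0x00,0x01,                               /* A, IN */
        0xC0,0x0C, 0x00,0x01, 0x00,0x01, 0,0,0x0E,0x10, 0x00,0x04, 192,0,2,1,
        0xC0,0x0C, 0x00,0x2E, 0x00,0x01, 0,0,0x0E,0x10, 0x00,0x08, 0,1,13,3,0,0,14,16,
    };
    *len = sizeof msg;
    return msg;
}

int main(void)
{
    struct answers a; size_t len;
    const uint8_t *m = sample_msg(&len);
    int n = parse_answers(m, len, T_A, &a);
    printf("matched=%d skipped=%d unexpected=%d\n", n, a.skipped, a.unexpected);
    return n == 1 && a.unexpected == 0 ? 0 : 1;
}
```

With the RRSIG classified as RR_DNSSEC the lookup yields its one address and nothing that would justify a syslog line; the same message parsed as a reply to an AAAA query still skips the RRSIG quietly but counts the A record as unexpected, which is the one case a diagnostic is actually about.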
This hurts me every day in 13.1:

exim[5671] gethostby*.gethostanswer: asked for "some_fqdn IN AAAA", got type "RRSIG"

If this is the same problem, why can't it be fixed? There exists a proposal from 2016.
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=817f1f3064db25f821032c8fffb131183206bba1

commit 817f1f3064db25f821032c8fffb131183206bba1
Author:     Dag-Erling Smørgrav <des@FreeBSD.org>
AuthorDate: 2022-11-07 15:48:11 +0000
Commit:     Dag-Erling Smørgrav <des@FreeBSD.org>
CommitDate: 2022-11-09 16:41:47 +0000

    libc: Don't warn about RRSIG replies.

    PR:             213178
    MFC after:      1 week
    Differential Revision:  https://reviews.freebsd.org/D37303

 include/arpa/nameser_compat.h | 18 ++++++++++++++++++
 lib/libc/net/getaddrinfo.c    |  2 +-
 lib/libc/net/gethostbydns.c   |  5 ++++-
 3 files changed, 23 insertions(+), 2 deletions(-)
A commit in branch stable/13 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=48aa2fa71b2d08bf65278c404325e6df419db49e

commit 48aa2fa71b2d08bf65278c404325e6df419db49e
Author:     Dag-Erling Smørgrav <des@FreeBSD.org>
AuthorDate: 2022-11-07 15:48:11 +0000
Commit:     Dag-Erling Smørgrav <des@FreeBSD.org>
CommitDate: 2022-11-14 11:23:32 +0000

    libc: Don't warn about RRSIG replies.

    PR:             213178
    MFC after:      1 week
    Differential Revision:  https://reviews.freebsd.org/D37303

    (cherry picked from commit 817f1f3064db25f821032c8fffb131183206bba1)

 include/arpa/nameser_compat.h | 18 ++++++++++++++++++
 lib/libc/net/getaddrinfo.c    |  2 +-
 lib/libc/net/gethostbydns.c   |  5 ++++-
 3 files changed, 23 insertions(+), 2 deletions(-)