Bug 213178

Summary: [libc] resolv "asked for IN A got RRSIG" syslog spamming with DNSSEC bit set
Product: Base System
Reporter: alexander
Component: bin
Assignee: Dag-Erling Smørgrav <des>
Status: Closed FIXED
Severity: Affects Some People
CC: Axel.Rau, des, ler
Priority: Normal
Flags: des: mfc-stable13+, des: mfc-stable12-
Version: CURRENT   
Hardware: Any   
OS: Any   
See Also: https://reviews.freebsd.org/D37303
Attachments: short test case triggering the warning to syslog (flags: none)

Description alexander 2016-10-03 20:31:14 UTC
Created attachment 175397
short test case triggering the warning to syslog

I noticed when compiling the mail/exim port with DNSSEC enabled (and with the default local unbound resolving DNS server) I get many syslog messages to /var/log/messages such as
   Oct  3 22:07:25 hotzenplotz exim: gethostby*.gethostanswer: asked for "www.wittig.name IN A", got type "RRSIG"
This message repeats for every DNSSEC enabled lookup. The lookup itself is successful.

I traced the problem back to src/lib/libc/net/getaddrinfo.c, around line 2100. When the resolver receives a different record type than it asked for, the warning is logged and the unknown record is ignored. The logging code is in principle inside an #ifdef DEBUG, but it seems the code is compiled with DEBUG set.

By default the libc resolver does not set the DNSSEC flag, as, from what I understand, it does not yet know how to handle the response. However, it is possible to set it from the user program (via the _res structure). This is what exim does to enable DNSSEC. The attached sample code is a short extract of the exim code setting these options and performing a lookup that triggers the message logged to syslog.

The immediate solution to the problem is of course not to enable the DNSSEC flag in user code as the libc resolver anyway doesn't support it yet. However, as use of DNSSEC becomes more widely spread and other resolvers start to support it, more code will probably enable it by default. And the warning logged by the resolver is confusing as it warns about perfectly correct, normal DNSSEC behavior.

The resolver code already contains a list of accepted responses where the response record type can differ from what was requested. This includes the old SIG and KEY records as well as DNAME records (see old bug bin/127591 for an almost identical problem arising from DNAME instead of RRSIG). It would be straightforward to also add RRSIGs and DNSKEYs to the list of exempted responses.

Alternatively, the file in question could just be compiled without DEBUG set, which would remove the logging of such warnings.

Note that glibc, whose resolver is based on the same original bind code base, on the other hand simply decided to completely drop these messages and remove them from the code (https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=b9b026c9c00db1a1b5b4a3caa28162655a04a882).
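
The exemption-list change proposed in the description above, as an added sketch that is not part of the original report and is not FreeBSD's libc code: it walks a constructed answer section and counts the records that would be logged as a type mismatch, with and without RRSIG/DNSKEY on the list. The function names, the `aware` switch and the sample bytes are assumptions; only the exemption list is modelled (no CNAME chasing).

```c
#include <stddef.h>
#include <stdint.h>

enum { RR_A = 1, RR_SIG = 24, RR_KEY = 25, RR_AAAA = 28,
       RR_DNAME = 39, RR_RRSIG = 46, RR_DNSKEY = 48 }; /* IANA type codes */

/* Constructed answer section: A record, then RRSIG with placeholder RDATA. */
static const uint8_t SAMPLE_ANSWER[] = {
    0xc0, 0x0c, 0, 1, 0, 1, 0, 0, 0x0e, 0x10, 0, 4, 192, 0, 2, 1,
    0xc0, 0x0c, 0, 46, 0, 1, 0, 0, 0x0e, 0x10, 0, 4, 0, 0, 0, 0,
};

/* Types that may differ from the question without being logged. */
static int tolerated(uint16_t t, int aware) {
    if (t == RR_SIG || t == RR_KEY || t == RR_DNAME) return 1;
    return aware && (t == RR_RRSIG || t == RR_DNSKEY);
}

/* Skip an owner name; returns the next offset, or 0 if malformed. */
static size_t skip_name(const uint8_t *m, size_t len, size_t off) {
    while (off < len) {
        if (m[off] == 0) return off + 1;
        if ((m[off] & 0xc0) == 0xc0) return off + 2 <= len ? off + 2 : 0;
        if (m[off] & 0xc0) return 0; /* reserved label type */
        off += 1 + (size_t)m[off];
    }
    return 0;
}

/* Count RRs that would be logged as a type mismatch; -1 if malformed. */
int count_warnings(const uint8_t *m, size_t len, int n, uint16_t qtype, int aware) {
    size_t off = 0;
    int warn = 0;
    while (n-- > 0) {
        off = skip_name(m, len, off);
        if (off == 0 || len - off < 10) return -1; /* type+class+ttl+rdlen */
        uint16_t type = (uint16_t)((m[off] << 8) | m[off + 1]);
        size_t rdlen = (size_t)((m[off + 8] << 8) | m[off + 9]);
        off += 10;
        if (len - off < rdlen) return -1;
        off += rdlen;
        if (type != qtype && !tolerated(type, aware)) warn++;
    }
    return warn;
}

int main(void) { /* exits 0: nothing is logged once RRSIG is exempt */
    return count_warnings(SAMPLE_ANSWER, sizeof SAMPLE_ANSWER, 2, RR_A, 1);
}
```
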
Comment 1 Axel.Rau 2022-11-06 12:43:05 UTC
This hurts me every day in 13.1:
- - -
exim[5671] gethostby*.gethostanswer: asked for "some_fqdn IN AAAA", got type "RRSIG"
- - -

If this is the same problem, why can't it be fixed?
There exists a proposal from 2016.
Comment 2 commit-hook freebsd_committer freebsd_triage 2022-11-09 16:42:16 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=817f1f3064db25f821032c8fffb131183206bba1

commit 817f1f3064db25f821032c8fffb131183206bba1
Author:     Dag-Erling Smørgrav <des@FreeBSD.org>
AuthorDate: 2022-11-07 15:48:11 +0000
Commit:     Dag-Erling Smørgrav <des@FreeBSD.org>
CommitDate: 2022-11-09 16:41:47 +0000

    libc: Don't warn about RRSIG replies.

    PR:             213178
    MFC after:      1 week
    Differential Revision: https://reviews.freebsd.org/D37303

 include/arpa/nameser_compat.h | 18 ++++++++++++++++++
 lib/libc/net/getaddrinfo.c    |  2 +-
 lib/libc/net/gethostbydns.c   |  5 ++++-
 3 files changed, 23 insertions(+), 2 deletions(-)
Comment 3 commit-hook freebsd_committer freebsd_triage 2022-11-14 11:23:48 UTC
A commit in branch stable/13 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=48aa2fa71b2d08bf65278c404325e6df419db49e

commit 48aa2fa71b2d08bf65278c404325e6df419db49e
Author:     Dag-Erling Smørgrav <des@FreeBSD.org>
AuthorDate: 2022-11-07 15:48:11 +0000
Commit:     Dag-Erling Smørgrav <des@FreeBSD.org>
CommitDate: 2022-11-14 11:23:32 +0000

    libc: Don't warn about RRSIG replies.

    PR:             213178
    MFC after:      1 week
    Differential Revision: https://reviews.freebsd.org/D37303

    (cherry picked from commit 817f1f3064db25f821032c8fffb131183206bba1)

 include/arpa/nameser_compat.h | 18 ++++++++++++++++++
 lib/libc/net/getaddrinfo.c    |  2 +-
 lib/libc/net/gethostbydns.c   |  5 ++++-
 3 files changed, 23 insertions(+), 2 deletions(-)