Bug 213178 - [libc] resolv "asked for IN A got RRSIG" syslog spamming with DNSSEC bit set
Summary: [libc] resolv "asked for IN A got RRSIG" syslog spamming with DNSSEC bit set
Status: New
Alias: None
Product: Base System
Classification: Unclassified
Component: kern (show other bugs)
Version: 10.3-STABLE
Hardware: Any Any
: --- Affects Some People
Assignee: freebsd-bugs (Nobody)
Depends on:
Reported: 2016-10-03 20:31 UTC by alexander
Modified: 2017-04-23 18:17 UTC (History)
0 users

See Also:

short test case triggering the warning to syslog (590 bytes, text/plain)
2016-10-03 20:31 UTC, alexander
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description alexander 2016-10-03 20:31:14 UTC
Created attachment 175397 [details]
short test case triggering the warning to syslog

I noticed when compiling the mail/exim port with DNSSEC enabled (and with the default local unbound resolving DNS server) I get many syslog messages to /var/log/messages such as
   Oct  3 22:07:25 hotzenplotz exim: gethostby*.gethostanswer: asked for "www.wittig.name IN A", got type "RRSIG"
This message repeats for every DNSSEC enabled lookup. The lookup itself is successful.

I traced the problem back to src/lib/libc/net/getaddrinfo.c, around line 2100. When the resolver receives a different record type than it asked for, the warning is logged and the unknown record is ignored. The logging code is in principle inside an #ifdef DEBUG, but it seems the code is compiled with DEBUG set.

By default the libc resolver does not set the DNSSEC flag, as, from what I understand, it does not yet know how to handle the response. However, it is possible to set it from the user program (via the _res structure). This is what exim does to enable DNSSEC. The attached sample code is a short extract of the exim code setting these options and performing a lookup that triggers the message logged to syslog.

The immediate solution to the problem is of course not to enable the DNSSEC flag in user code as the libc resolver anyway doesn't support it yet. However, as use of DNSSEC becomes more widely spread and other resolvers start to support it, more code will probably enable it by default. And the warning logged by the resolver is confusing as it warns about perfectly correct, normal DNSSEC behavior.

The resolver code already contains a list of accepted responses where the response record type can differ from what was requested. This includes the old SIG and KEY records as well as DNAME records (see old bug bin/127591 for an almost identical problem arising from DNAME instead of RRSIG). It would be straight forward to also add RRSIGs and DNSKEYs to the list of exempted responses.

Alternatively, the file in question could just be compiled without DEBUG set, which would remove the logging of such warnings.

Note that glibc, who's resolver is based on the same original bind code base, on the other hand simply decided to completely drop these messages and remove them from the code (https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=b9b026c9c00db1a1b5b4a3caa28162655a04a882).