I get DNS records from a Python program, using DNS Python.

I can get various DNSSEC-related records:

>>> import dns.resolver
>>> myresolver = dns.resolver.Resolver()
>>> myresolver.use_edns(1, 0, 1400)
>>> print myresolver.query('sources.org', 'DNSKEY')
<dns.resolver.Answer object at 0xb78ed78c>
>>> print myresolver.query('ripe.net', 'NSEC')
<dns.resolver.Answer object at 0x8271c0c>

But no RRSIG records:

>>> print myresolver.query('sources.org', 'RRSIG')
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python2.5/site-packages/dns/resolver.py", line 664, in query
    answer = Answer(qname, rdtype, rdclass, response)                        
  File "/usr/lib/python2.5/site-packages/dns/resolver.py", line 121, in __init__
    raise NoAnswer

I tried several signed domains like absolight.fr or ripe.net.

Trying with dig, I see that there are indeed RRSIG records.

Checking with tcpdump, I can see that DNS Python sends the correct query and receives correct replies (here, eight records):

16:09:39.342532 IP 192.134.4.69.53381 > 192.134.4.162.53: 22330+ [1au] RRSIG? sources.org. (40)
16:09:39.343229 IP 192.134.4.162.53 > 192.134.4.69.53381: 22330 8/5/6 RRSIG[|domain]

DNS Python 1.6.0 - Python 2.5.2 (r252:60911, Aug 8 2008, 09:22:44) [GCC 4.3.1] on linux2

A: 

If you try this, what happens?

print myresolver.query('sources.org', 'ANY', 'RRSIG')

Cetra
A:

You probably mean RRSIG ANY (otherwise the order is wrong; the class needs to be after the type).

>>> print myresolver.query('sources.org', 'RRSIG', 'ANY')
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python2.5/site-packages/dns/resolver.py", line 664, in query
    answer = Answer(qname, rdtype, rdclass, response)
  File "/usr/lib/python2.5/site-packages/dns/resolver.py", line 121, in __init__
    raise NoAnswer
dns.resolver.NoAnswer
bortzmeyer
A: 

This looks like a probable bug in the Python DNS library, although I don't read Python well enough to find it.

Note that in any case your EDNS0 buffer size parameter is not large enough to handle the RRSIG records for sources.org, so your client and server would have to fail over to TCP/IP.

Alnitak
Also tested with an EDNS buffer size of 4096; same result.
bortzmeyer