
CD bit response is cached and served later #6186

Closed
pemensik opened this issue Jul 1, 2023 · 4 comments
@pemensik
Contributor

pemensik commented Jul 1, 2023

What happened:

  • If the CD bit is set in the query, it disables validation at the remote server

What you expected to happen:

  • CD queries may pass, but the same answer must not be served to queries without the CD bit set

How to reproduce it (as minimally and precisely as possible):

  • (re)start coredns
  • dig @localhost -p 3053 +cd dnssec-failed.org
  • sleep 3
  • dig @localhost -p 3053 +nocd dnssec-failed.org
; <<>> DiG 9.18.16 <<>> @localhost -p 3053 +nocd dnssec-failed.org
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38206
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 7d7b4ddf7c182cc7 (echoed)
;; QUESTION SECTION:
;dnssec-failed.org.		IN	A

;; ANSWER SECTION:
dnssec-failed.org.	295	IN	A	96.99.227.255

;; Query time: 0 msec
;; SERVER: ::1#3053(localhost) (UDP)
;; WHEN: Sat Jul 01 12:01:39 CEST 2023
;; MSG SIZE  rcvd: 91
  • The TTL shows it was cached, but the CD bit is not included this time
  • It allowed reaching a bogus DNSSEC record without the CD bit, which should not have been allowed; the forwarder is doing DNSSEC validation.

Anything else we need to know?:

Environment:

  • the version of CoreDNS: current master, commit 6e1263d
  • Corefile:
.:3053 {
  cache
  forward . 9.9.9.9
  log
}
  • logs, if applicable:
.:3053
CoreDNS-1.10.1
linux/amd64, go1.20.5, 6e1263d3
[INFO] [::1]:40163 - 34127 "A IN dnssec-failed.org. udp 58 false 1232" NOERROR qr,rd,ra,cd 68 0.300471525s
[INFO] [::1]:54207 - 38206 "A IN dnssec-failed.org. udp 58 false 1232" NOERROR qr,aa,rd,ra 68 0.000077828s
  • OS (e.g: cat /etc/os-release): Fedora 38
  • Others:
@pemensik pemensik added the bug label Jul 1, 2023
@pemensik
Contributor Author

pemensik commented Jul 1, 2023

I think some DNS resolvers choose to not cache queries with the CD bit set at all, but unbound-1.17.1-2.fc38.x86_64 has properly working separate caches, for example.

@gcs278
Contributor

gcs278 commented Oct 17, 2023

I have opened #6354 which introduces cache separation for queries with the CD bit set. The RFC speaks to the approach for managing a BAD cache, suggesting to me that separating the cache is a reasonable way to approach this.

Please feel free to review and comment.
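A model of the two cache behaviours discussed in this thread, as an added example that is not CoreDNS code and not the #6354 change: the reporter's reproduction sequence (a +cd query, then a +nocd query three seconds later) is run against a toy cache that either drops the CD flag from its key (the behaviour this issue reports) or keeps it (the cache-separation approach). The upstream, the address and TTL, and the SERVFAIL are constructed from the report's dig output; the names Key, Cache, Resolver and Reproduce are this example's own, and nothing here touches the network.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Key is the cache lookup key. The CD (Checking Disabled) flag is part of it:
// an answer the upstream produced with validation switched off must not be
// visible to a client that did not set CD and therefore expects validation.
type Key struct {
	Name  string
	Qtype string
	CD    bool
}

// Entry is one cached positive answer with its absolute expiry.
type Entry struct {
	Answer  string
	Expires time.Time
}

// Cache is a minimal TTL cache; the clock is injectable so the run is deterministic.
type Cache struct {
	now     func() time.Time
	entries map[Key]Entry
}

func NewCache(now func() time.Time) *Cache {
	return &Cache{now: now, entries: make(map[Key]Entry)}
}

func (c *Cache) Put(k Key, answer string, ttl time.Duration) {
	c.entries[k] = Entry{Answer: answer, Expires: c.now().Add(ttl)}
}

// Get returns the answer and remaining TTL, or ok=false if absent or expired.
func (c *Cache) Get(k Key) (answer string, remaining time.Duration, ok bool) {
	e, found := c.entries[k]
	if !found {
		return "", 0, false
	}
	remaining = e.Expires.Sub(c.now())
	if remaining <= 0 {
		delete(c.entries, k)
		return "", 0, false
	}
	return e.Answer, remaining, true
}

// Upstream stands in for the forwarder (9.9.9.9 in the Corefile): a validating
// resolver that answers a bogus name only when the client sets CD.
type Upstream func(name, qtype string, cd bool) (answer string, ttl time.Duration, err error)

// Resolver models "cache" in front of "forward". With ignoreCD=true the cache key
// drops the CD flag (the reported behaviour); with false, CD and non-CD answers
// live in separate slots (the separation approach).
type Resolver struct {
	cache    *Cache
	upstream Upstream
	ignoreCD bool
}

func (r *Resolver) key(name, qtype string, cd bool) Key {
	if r.ignoreCD {
		cd = false
	}
	return Key{Name: name, Qtype: qtype, CD: cd}
}

// Resolve serves from cache when possible, otherwise asks upstream and caches
// positive answers under the key derived from the query that produced them.
func (r *Resolver) Resolve(name, qtype string, cd bool) (answer string, fromCache bool, err error) {
	k := r.key(name, qtype, cd)
	if a, _, ok := r.cache.Get(k); ok {
		return a, true, nil
	}
	a, ttl, err := r.upstream(name, qtype, cd)
	if err != nil {
		return "", false, err // failures are not cached in this toy model
	}
	r.cache.Put(k, a, ttl)
	return a, false, nil
}

// ErrServfail models the SERVFAIL a validating upstream returns for a bogus zone.
var ErrServfail = errors.New("SERVFAIL: DNSSEC validation failed")

// bogusUpstream is a constructed stand-in: dnssec-failed.org is deliberately
// mis-signed, so validation fails unless the client disables checking.
func bogusUpstream(name, qtype string, cd bool) (string, time.Duration, error) {
	if name == "dnssec-failed.org." && qtype == "A" {
		if !cd {
			return "", 0, ErrServfail
		}
		return "96.99.227.255", 300 * time.Second, nil // address and TTL taken from the report's dig output
	}
	return "", 0, errors.New("NXDOMAIN")
}

// Reproduce runs the issue's sequence (+cd query, "sleep 3", +nocd query) and
// returns what the second, non-CD query received.
func Reproduce(ignoreCD bool) (answer string, fromCache bool, err error) {
	clock := time.Unix(1688205696, 0) // fixed start time; the closure below sees later updates
	now := func() time.Time { return clock }
	r := &Resolver{cache: NewCache(now), upstream: bogusUpstream, ignoreCD: ignoreCD}

	if _, _, err := r.Resolve("dnssec-failed.org.", "A", true); err != nil {
		return "", false, fmt.Errorf("unexpected failure on +cd query: %w", err)
	}
	clock = clock.Add(3 * time.Second)
	return r.Resolve("dnssec-failed.org.", "A", false)
}

func main() {
	for _, ignoreCD := range []bool{true, false} {
		a, cached, err := Reproduce(ignoreCD)
		fmt.Printf("ignoreCD=%v: answer=%q fromCache=%v err=%v\n", ignoreCD, a, cached, err)
	}
}
```

With ignoreCD=true the non-CD query is answered from cache with the address obtained under +cd, which is the sequence the two log lines in the report show (first response carries cd, second is served in microseconds without it). With ignoreCD=false the non-CD query misses the cache and the validating upstream's SERVFAIL reaches the client.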

@gcs278
Contributor

gcs278 commented Nov 10, 2023

#6354 has merged and should resolve this issue.

@cebarks

cebarks commented Jan 24, 2024

For documentation and tracking's sake, Red Hat has assigned CVE-2024-0874 to track this issue.
