Python + DNS : Cannot get RRSIG records: No Answer

I get DNS records from a Python program, using DNS Python.

I can get various DNSSEC-related records:

>>> import dns.resolver
>>> myresolver = dns.resolver.Resolver()
>>> myresolver.use_edns(1, 0, 1400)
>>> print myresolver.query('sources.org', 'DNSKEY')
<dns.resolver.Answer object at 0xb78ed78c>
>>> print myresolver.query('ripe.net', 'NSEC')
<dns.resolver.Answer object at 0x8271c0c>

But no RRSIG records:

>>> print myresolver.query('sources.org', 'RRSIG')
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python2.5/site-packages/dns/resolver.py", line 664, in query
    answer = Answer(qname, rdtype, rdclass, response)
  File "/usr/lib/python2.5/site-packages/dns/resolver.py", line 121, in __init__
    raise NoAnswer

I tried several signed domains like absolight.fr or ripe.net.

Trying with dig, I see that there are indeed RRSIG records.

Checking with tcpdump, I can see that DNS Python sends the correct query and receives correct replies (here, eight records):

16:09:39.342532 IP 192.134.4.69.53381 > 192.134.4.162.53: 22330+ [1au] RRSIG? sources.org. (40)
16:09:39.343229 IP 192.134.4.162.53 > 192.134.4.69.53381: 22330 8/5/6 RRSIG[|domain]

DNS Python 1.6.0 - Python 2.5.2 (r252:60911, Aug 8 2008, 09:22:44) [GCC 4.3.1] on linux2


Asked by: Maddie121 | Posted: 01-10-2021






Answer 1

You probably mean RRSIG ANY (otherwise, the order is wrong, the class needs to be after the type).

>>> print myresolver.query('sources.org', 'RRSIG', 'ANY')
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python2.5/site-packages/dns/resolver.py", line 664, in query
    answer = Answer(qname, rdtype, rdclass, response)
  File "/usr/lib/python2.5/site-packages/dns/resolver.py", line 121, in __init__
    raise NoAnswer
dns.resolver.NoAnswer

Answered by: Ted276 | Posted: 02-11-2021



Answer 2

RRSIG is not a record, it's a hashed digest of a valid DNS Record. You can query a DNSKEY record, set want_dnssec=True and get a DNSKEY Record, and an "RRSIG of a DNSKEY Record".

More generally, RRSIG is just a signature of a valid record (such as a DS Record).

So when you ask the server

myresolver.query('sources.org', 'RRSIG')

It doesn't know what you are asking for. RRSIG in itself has no meaning, you need to specify RRSIG of what?

Answered by: Maria382 | Posted: 02-11-2021



Answer 3

This looks like a probable bug in the Python DNS library, although I don't read Python well enough to find it.

Note that in any case your EDNS0 buffer size parameter is not large enough to handle the RRSIG records for sources.org, so your client and server would have to fail over to TCP/IP.

Answered by: Adelaide104 | Posted: 02-11-2021
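
Added example, not part of any answer above and not DNS Python code: a standard-library-only parser showing that each RRSIG in a reply names the type it covers (the "RRSIG of what?" in Answer 2) and reporting the TC flag that signals the TCP retry mentioned in Answer 3. The reply bytes, the name example.org, the key tags and all function names are constructed for illustration.

```python
import struct

RRSIG = 46
TYPE_NAMES = {1: "A", 2: "NS", 6: "SOA", 48: "DNSKEY"}
NAME = b"\x07example\x03org\x00"                  # constructed name in wire format

def read_name(msg, off):
    """Decode a (possibly compressed) name; return (name, offset just past it)."""
    labels, after, hops = [], None, 0
    while msg[off]:
        if msg[off] & 0xC0 == 0xC0:               # compression pointer
            after = off + 2 if after is None else after
            off = ((msg[off] & 0x3F) << 8) | msg[off + 1]
            hops += 1
            if hops > 16:                         # refuse pointer loops in hostile input
                raise ValueError("compression pointer loop")
        else:
            labels.append(msg[off + 1:off + 1 + msg[off]].decode("ascii"))
            off += 1 + msg[off]
    return ".".join(labels) + ".", (off + 1 if after is None else after)

def rrsigs_by_covered_type(msg):
    """Return (truncated, {covered type: [(key tag, signer), ...]}) for the answer section."""
    _id, flags, qdcount, ancount = struct.unpack_from("!HHHH", msg, 0)
    off = 12
    for _ in range(qdcount):                      # skip the question section
        off = read_name(msg, off)[1] + 4
    found = {}
    for _ in range(ancount):
        off = read_name(msg, off)[1]
        rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == RRSIG:                        # RDATA: type covered at 0, key tag at 16, signer at 18
            covered, tag = struct.unpack_from("!H14xH", msg, off)
            signer = read_name(msg, off + 18)[0]
            found.setdefault(TYPE_NAMES.get(covered, str(covered)), []).append((tag, signer))
        off += rdlen
    return bool(flags & 0x0200), found            # 0x0200 is the TC (truncated) bit

def sample_response():
    """Constructed reply to an RRSIG query (not captured traffic): three RRSIG answers."""
    def sig(covered, tag):                        # owner is a pointer to the question name
        rdata = struct.pack("!HBBIIIH", covered, 8, 2, 300, 1700000000, 1690000000, tag)
        rdata += NAME + b"\x00" * 4               # signer name, then a dummy signature
        return b"\xc0\x0c" + struct.pack("!HHIH", RRSIG, 1, 300, len(rdata)) + rdata
    header = struct.pack("!HHHHHH", 0x5678, 0x8180, 1, 3, 0, 0)
    question = NAME + struct.pack("!HH", RRSIG, 1)
    return header + question + sig(6, 11111) + sig(1, 22222) + sig(48, 33333)
```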



Answer 4

You may want to use raise_on_no_answer=False and you will get the correct response:

resolver.query(hostname, dnsrecord, raise_on_no_answer=False)

Answered by: Michael881 | Posted: 02-11-2021



Answer 5

If you try this, what happens?

print myresolver.query('sources.org', 'ANY', 'RRSIG')

Answered by: Edward660 | Posted: 02-11-2021


