Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

In v0.33.0 dnstap can no longer parse DNS records with DNSSEC/RRSIG RRs #18854

Closed
james-stevens opened this issue Oct 16, 2023 · 8 comments · Fixed by #18878
Closed

In v0.33.0 dnstap can no longer parse DNS records with DNSSEC/RRSIG RRs #18854

james-stevens opened this issue Oct 16, 2023 · 8 comments · Fixed by #18878
Assignees
@neuronull
Labels
domain: parsing Anything related to parsing within Vector meta: confirmed A bug that has been reproduced or confirmed. source: dnstap Anything `dnstap` source related type: bug A code related bug.
Milestone
Vector v0.33.1

Comments

@james-stevens
Copy link

A note for the community

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Problem

In v0.33.0 dnstap can no longer succesfully parse DNS records with DNSSEC/RRSIG records and fails with a WARN (see below)

The exact same DNSSEC/RRSIG records could be successfully parsed by v0.32.1

The same issue happens on RHEL9 and Alpine v3.18 - Bug appears in dnstap records sent from either dnsdist (tested on both RHEL9 & Alpine) or unbound (only tested on RHEL9)

2023-10-16T16:33:30.581181Z  WARN source{component_kind="source" component_id=dnsdist component_type=dnstap component_name=dnsdist}:connection: vector::internal_events::dnstap: Recoverable error occurred while parsing dnstap data. error=Encountered error : Unsupported rdata DNSSEC(RRSIG(RRSIG(SIG { type_covered: A, algorithm: RSASHA256, num_labels: 2, original_ttl: 300, sig_expiration: 1699991362, sig_inception: 1696965506, key_tag: 58609, signer_name: Name("nominet.uk."), sig: [137, 173, 161, 216, 84, 83, 187, 115, 69, 140, 106, 89, 11, 152, 114, 41, 33, 113, 162, 142, 12, 105, 131, 106, 73, 39, 191, 180, 244, 2, 222, 226, 204, 195, 186, 53, 31, 63, 213, 201, 9, 57, 18, 86, 118, 40, 58, 77, 168, 89, 21, 36, 180, 143, 208, 188, 58, 166, 144, 0, 117, 130, 93, 247, 54, 159, 127, 152, 132, 66, 188, 87, 123, 25, 184, 66, 226, 184, 212, 249, 116, 119, 21, 130, 253, 115, 105, 186, 109, 70, 139, 219, 4, 136, 38, 103, 161, 39, 213, 183, 18, 255, 183, 215, 255, 85, 79, 64, 8, 76, 151, 135, 34, 233, 178, 8, 132, 60, 233, 16, 140, 136, 32, 73, 37, 122, 51, 62, 216, 159, 142, 223, 182, 216, 81, 31, 170, 11, 159, 225, 31, 222, 156, 21, 110, 112, 211, 161, 227, 208, 253, 36, 169, 146, 40, 6, 231, 159, 145, 163, 166, 148, 77, 152, 150, 220, 158, 173, 73, 10, 50, 59, 196, 5, 118, 227, 60, 74, 123, 200, 105, 241, 41, 235, 171, 254, 110, 165, 240, 133, 24, 46, 202, 212, 14, 94, 207, 83, 57, 221, 37, 195, 102, 62, 111, 112, 133, 43, 157, 90, 163, 74, 3, 192, 11, 2, 137, 78, 239, 225, 65, 217, 179, 148, 24, 144, 39, 165, 241, 105, 122, 102, 251, 47, 127, 31, 151, 242, 16, 201, 89, 214, 28, 225, 94, 185, 243, 137, 183, 160, 9, 24, 51, 50, 65, 68] }))) stage="processing" error_type="parser_failed" internal_log_rate_limit=true

Configuration

$ cat /etc/vector/vector.toml
data_dir = "/opt/vector/data"
api.enabled=true
healthchecks.require_healthy=true

[sources.dnsdist]
type="dnstap"
socket_path="/run/dnstap.sock"
socket_file_mode=0o777

[sinks.files]
inputs = ["dnsdist"]
type="file"
healthcheck.enabled=true
path="/opt/vector/data/dnstap_%s.log"
framing.method="newline_delimited"
encoding.codec="json"
encoding.metric_tag_values="full"



### Version

vector 0.33.0 (x86_64-unknown-linux-musl 89605fb 2023-09-27 14:18:24.180809939)

### Debug Output

```text
2023-10-16T16:43:50.370795Z DEBUG sink{component_kind="sink" component_id=files component_type=file component_name=files}: vector::utilization: utilization=0.000038792498122036976
2023-10-16T16:43:51.370801Z TRACE vector: Beep.
2023-10-16T16:43:52.370793Z TRACE vector: Beep.
2023-10-16T16:43:53.220833Z TRACE source{component_kind="source" component_id=dnsdist component_type=dnstap component_name=dnsdist}:connection: vector_common::internal_event::bytes_received: Bytes received. byte_size=104 protocol=protobuf
2023-10-16T16:43:53.221015Z TRACE source{component_kind="source" component_id=dnsdist component_type=dnstap component_name=dnsdist}:connection: vector::internal_events::socket: Events received. count=1 byte_size=759 mode=unix
2023-10-16T16:43:53.221058Z TRACE source{component_kind="source" component_id=dnsdist component_type=dnstap component_name=dnsdist}:connection: vector_common::internal_event::bytes_received: Bytes received. byte_size=431 protocol=protobuf
2023-10-16T16:43:53.221172Z  WARN source{component_kind="source" component_id=dnsdist component_type=dnstap component_name=dnsdist}:connection: vector::internal_events::dnstap: Recoverable error occurred while parsing dnstap data. error=Encountered error : Unsupported rdata DNSSEC(RRSIG(RRSIG(SIG { type_covered: A, algorithm: RSASHA256, num_labels: 2, original_ttl: 300, sig_expiration: 1699991362, sig_inception: 1696965506, key_tag: 58609, signer_name: Name("nominet.uk."), sig: [137, 173, 161, 216, 84, 83, 187, 115, 69, 140, 106, 89, 11, 152, 114, 41, 33, 113, 162, 142, 12, 105, 131, 106, 73, 39, 191, 180, 244, 2, 222, 226, 204, 195, 186, 53, 31, 63, 213, 201, 9, 57, 18, 86, 118, 40, 58, 77, 168, 89, 21, 36, 180, 143, 208, 188, 58, 166, 144, 0, 117, 130, 93, 247, 54, 159, 127, 152, 132, 66, 188, 87, 123, 25, 184, 66, 226, 184, 212, 249, 116, 119, 21, 130, 253, 115, 105, 186, 109, 70, 139, 219, 4, 136, 38, 103, 161, 39, 213, 183, 18, 255, 183, 215, 255, 85, 79, 64, 8, 76, 151, 135, 34, 233, 178, 8, 132, 60, 233, 16, 140, 136, 32, 73, 37, 122, 51, 62, 216, 159, 142, 223, 182, 216, 81, 31, 170, 11, 159, 225, 31, 222, 156, 21, 110, 112, 211, 161, 227, 208, 253, 36, 169, 146, 40, 6, 231, 159, 145, 163, 166, 148, 77, 152, 150, 220, 158, 173, 73, 10, 50, 59, 196, 5, 118, 227, 60, 74, 123, 200, 105, 241, 41, 235, 171, 254, 110, 165, 240, 133, 24, 46, 202, 212, 14, 94, 207, 83, 57, 221, 37, 195, 102, 62, 111, 112, 133, 43, 157, 90, 163, 74, 3, 192, 11, 2, 137, 78, 239, 225, 65, 217, 179, 148, 24, 144, 39, 165, 241, 105, 122, 102, 251, 47, 127, 31, 151, 242, 16, 201, 89, 214, 28, 225, 94, 185, 243, 137, 183, 160, 9, 24, 51, 50, 65, 68] }))) stage="processing" error_type="parser_failed" internal_log_rate_limit=true
2023-10-16T16:43:53.221237Z TRACE source{component_kind="source" component_id=dnsdist component_type=dnstap component_name=dnsdist}:connection: vector::internal_events::socket: Events received. count=1 byte_size=2967 mode=unix
2023-10-16T16:43:53.221276Z TRACE source{component_kind="source" component_id=dnsdist component_type=dnstap component_name=dnsdist}:connection: vector_buffers::topology::channel::limited_queue: Sent item.
2023-10-16T16:43:53.221289Z TRACE source{component_kind="source" component_id=dnsdist component_type=dnstap component_name=dnsdist}:connection: vector_common::internal_event::events_sent: Events sent. count=2 byte_size=3775 output=_default
2023-10-16T16:43:53.221310Z TRACE source{component_kind="source" component_id=dnsdist component_type=dnstap component_name=dnsdist}: vector_core::fanout: Processing control message outside of send: ControlMessage::Add(ComponentKey { id: "files" })
2023-10-16T16:43:53.221328Z TRACE source{component_kind="source" component_id=dnsdist component_type=dnstap component_name=dnsdist}: vector_buffers::topology::channel::limited_queue: Sent item.
2023-10-16T16:43:53.221362Z TRACE source{component_kind="source" component_id=dnsdist component_type=dnstap component_name=dnsdist}: vector_core::fanout: Sent item to fanout.
2023-10-16T16:43:53.221387Z TRACE sink{component_kind="sink" component_id=files component_type=file component_name=files}: vector_common::internal_event::events_received: Events received. count=2 byte_size=3775
2023-10-16T16:43:53.221416Z TRACE sink{component_kind="sink" component_id=files component_type=file component_name=files}: vector::sinks::file: Computed next deadline. next_deadline=Instant { tv_sec: 2703362, tv_nsec: 380588611 } path=b"/opt/vector/data/dnstap_1697474631.log"
2023-10-16T16:43:53.221439Z TRACE sink{component_kind="sink" component_id=files component_type=file component_name=files}: vector::sinks::file: Opening new file. path=b"/opt/vector/data/dnstap_1697474631.log"
2023-10-16T16:43:53.221866Z TRACE sink{component_kind="sink" component_id=files component_type=file component_name=files}: vector::sinks::file: Writing an event to file. path=b"/opt/vector/data/dnstap_1697474631.log"
2023-10-16T16:43:53.221966Z TRACE sink{component_kind="sink" component_id=files component_type=file component_name=files}: vector_common::internal_event::events_sent: Events sent. count=1 byte_size=782
2023-10-16T16:43:53.221992Z TRACE sink{component_kind="sink" component_id=files component_type=file component_name=files}: vector::internal_events::file: Bytes sent. byte_size=783 protocol="file" file=/opt/vector/data/dnstap_1697474631.log
2023-10-16T16:43:53.222034Z TRACE sink{component_kind="sink" component_id=files component_type=file component_name=files}: vector::sinks::file: Computed next deadline. next_deadline=Instant { tv_sec: 2703362, tv_nsec: 381207632 } path=b"/opt/vector/data/dnstap_1697474631.log"
2023-10-16T16:43:53.222050Z TRACE sink{component_kind="sink" component_id=files component_type=file component_name=files}: vector::sinks::file: Working with an already opened file. path=b"/opt/vector/data/dnstap_1697474631.log"
2023-10-16T16:43:53.222058Z TRACE sink{component_kind="sink" component_id=files component_type=file component_name=files}: vector::sinks::file: Writing an event to file. path=b"/opt/vector/data/dnstap_1697474631.log"
2023-10-16T16:43:53.222206Z TRACE sink{component_kind="sink" component_id=files component_type=file component_name=files}: vector_common::internal_event::events_sent: Events sent. count=1 byte_size=2990
2023-10-16T16:43:53.222225Z TRACE sink{component_kind="sink" component_id=files component_type=file component_name=files}: vector::internal_events::file: Bytes sent. byte_size=2993 protocol="file" file=/opt/vector/data/dnstap_1697474631.log
2023-10-16T16:43:53.370795Z TRACE vector: Beep.
2023-10-16T16:43:54.370797Z TRACE vector: Beep.
^C2023-10-16T16:43:55.158794Z  INFO vector::signal: Signal received. signal="SIGINT"
2023-10-16T16:43:55.158863Z  INFO vector: Vector has stopped.
2023-10-16T16:43:55.158952Z  INFO source{component_kind="source" component_id=dnsdist component_type=dnstap component_name=dnsdist}:connection: vector::sources::util::framestream: Finished sending.
2023-10-16T16:43:55.159104Z DEBUG source{component_kind="source" component_id=dnsdist component_type=dnstap component_name=dnsdist}: vector::topology::builder: Source finished normally.
2023-10-16T16:43:55.159123Z DEBUG source{component_kind="source" component_id=dnsdist component_type=dnstap component_name=dnsdist}: vector::topology::builder: Source pump finished normally.
2023-10-16T16:43:55.159166Z DEBUG source{component_kind="source" component_id=dnsdist component_type=dnstap component_name=dnsdist}: vector::topology::builder: Source pump supervisor task finished normally.
2023-10-16T16:43:55.159185Z DEBUG sink{component_kind="sink" component_id=files component_type=file component_name=files}: vector::sinks::file: Receiver exhausted, terminating the processing loop.
2023-10-16T16:43:55.159204Z DEBUG sink{component_kind="sink" component_id=files component_type=file component_name=files}: vector::sinks::file: Closing all the open files.
2023-10-16T16:43:55.160819Z  INFO vector::topology::running: Shutting down... Waiting on running components. remaining_components="files" time_remaining="59 seconds left"
2023-10-16T16:43:55.240218Z TRACE sink{component_kind="sink" component_id=files component_type=file component_name=files}: vector::sinks::file: Successfully closed file. path=b"/opt/vector/data/dnstap_1697474631.log"
2023-10-16T16:43:55.240252Z DEBUG sink{component_kind="sink" component_id=files component_type=file component_name=files}: vector::topology::builder: Sink finished normally.

Example Data

dig @192.168.1.145 +dnssec nominet.uk

Additional Context

No response

References

No response
@james-stevens james-stevens added the type: bug A code related bug. label Oct 16, 2023
@james-stevens
Copy link
Author

james-stevens commented Oct 16, 2023
edited
Loading

This is the trace logging the exact same DNS query & response dnstap data, but this time using vector v0.32.1

2023-10-16T16:46:31.780784Z TRACE vector: Beep.
2023-10-16T16:46:32.780776Z TRACE vector: Beep.
2023-10-16T16:46:32.780796Z DEBUG sink{component_kind="sink" component_id=files component_type=file component_name=files}: vector::utilization: utilization=0.00029691273360209143
2023-10-16T16:46:33.780787Z TRACE vector: Beep.
2023-10-16T16:46:34.130835Z TRACE source{component_kind="source" component_id=dnsdist component_type=dnstap component_name=dnsdist}:connection: vector_common::internal_event::bytes_received: Bytes received. byte_size=104 protocol=protobuf
2023-10-16T16:46:34.131822Z TRACE source{component_kind="source" component_id=dnsdist component_type=dnstap component_name=dnsdist}:connection: vector::internal_events::socket: Events received. count=1 byte_size=759 mode=unix
2023-10-16T16:46:34.131859Z TRACE source{component_kind="source" component_id=dnsdist component_type=dnstap component_name=dnsdist}:connection: vector_common::internal_event::bytes_received: Bytes received. byte_size=431 protocol=protobuf
2023-10-16T16:46:34.131956Z TRACE source{component_kind="source" component_id=dnsdist component_type=dnstap component_name=dnsdist}:connection: vector::internal_events::socket: Events received. count=1 byte_size=1445 mode=unix
2023-10-16T16:46:34.132005Z TRACE source{component_kind="source" component_id=dnsdist component_type=dnstap component_name=dnsdist}:connection: vector_buffers::topology::channel::limited_queue: Sent item.
2023-10-16T16:46:34.132014Z TRACE source{component_kind="source" component_id=dnsdist component_type=dnstap component_name=dnsdist}:connection: vector_common::internal_event::events_sent: Events sent. count=2 byte_size=2253 output=_default
2023-10-16T16:46:34.132034Z TRACE source{component_kind="source" component_id=dnsdist component_type=dnstap component_name=dnsdist}: vector_core::fanout: Processing control message outside of send: ControlMessage::Add(ComponentKey { id: "files" })
2023-10-16T16:46:34.132058Z TRACE source{component_kind="source" component_id=dnsdist component_type=dnstap component_name=dnsdist}: vector_buffers::topology::channel::limited_queue: Sent item.
2023-10-16T16:46:34.132072Z TRACE source{component_kind="source" component_id=dnsdist component_type=dnstap component_name=dnsdist}: vector_core::fanout: Sent item to fanout.
2023-10-16T16:46:34.132090Z TRACE sink{component_kind="sink" component_id=files component_type=file component_name=files}: vector_common::internal_event::events_received: Events received. count=2 byte_size=2253
2023-10-16T16:46:34.132111Z TRACE sink{component_kind="sink" component_id=files component_type=file component_name=files}: vector::sinks::file: Computed next deadline. next_deadline=Instant { tv_sec: 2703523, tv_nsec: 291283712 } path=b"/opt/vector/data/dnstap_1697474792.log"
2023-10-16T16:46:34.160210Z TRACE sink{component_kind="sink" component_id=files component_type=file component_name=files}: vector::sinks::file: Opening new file. path=b"/opt/vector/data/dnstap_1697474792.log"
2023-10-16T16:46:34.160612Z TRACE sink{component_kind="sink" component_id=files component_type=file component_name=files}: vector::sinks::file: Writing an event to file. path=b"/opt/vector/data/dnstap_1697474792.log"
2023-10-16T16:46:34.160787Z TRACE sink{component_kind="sink" component_id=files component_type=file component_name=files}: vector_common::internal_event::events_sent: Events sent. count=1 byte_size=782
2023-10-16T16:46:34.160804Z TRACE sink{component_kind="sink" component_id=files component_type=file component_name=files}: vector::internal_events::file: Bytes sent. byte_size=783 protocol="file" file=/opt/vector/data/dnstap_1697474792.log
2023-10-16T16:46:34.160856Z TRACE sink{component_kind="sink" component_id=files component_type=file component_name=files}: vector::sinks::file: Computed next deadline. next_deadline=Instant { tv_sec: 2703523, tv_nsec: 320029201 } path=b"/opt/vector/data/dnstap_1697474792.log"
2023-10-16T16:46:34.160883Z TRACE sink{component_kind="sink" component_id=files component_type=file component_name=files}: vector::sinks::file: Working with an already opened file. path=b"/opt/vector/data/dnstap_1697474792.log"
2023-10-16T16:46:34.160904Z TRACE sink{component_kind="sink" component_id=files component_type=file component_name=files}: vector::sinks::file: Writing an event to file. path=b"/opt/vector/data/dnstap_1697474792.log"
2023-10-16T16:46:34.161121Z TRACE sink{component_kind="sink" component_id=files component_type=file component_name=files}: vector_common::internal_event::events_sent: Events sent. count=1 byte_size=1468
2023-10-16T16:46:34.161139Z TRACE sink{component_kind="sink" component_id=files component_type=file component_name=files}: vector::internal_events::file: Bytes sent. byte_size=1469 protocol="file" file=/opt/vector/data/dnstap_1697474792.log
2023-10-16T16:46:34.780779Z TRACE vector: Beep.
2023-10-16T16:46:35.780798Z TRACE vector: Beep.
^C2023-10-16T16:46:36.368366Z  INFO vector::signal: Signal received. signal="SIGINT"
2023-10-16T16:46:36.368453Z  INFO vector: Vector has stopped.
2023-10-16T16:46:36.368551Z  INFO source{component_kind="source" component_id=dnsdist component_type=dnstap component_name=dnsdist}:connection: vector::sources::util::framestream: Finished sending.
2023-10-16T16:46:36.368751Z DEBUG source{component_kind="source" component_id=dnsdist component_type=dnstap component_name=dnsdist}: vector::topology::builder: Source finished normally.
2023-10-16T16:46:36.368816Z DEBUG source{component_kind="source" component_id=dnsdist component_type=dnstap component_name=dnsdist}: vector::topology::builder: Source pump finished normally.
2023-10-16T16:46:36.368859Z DEBUG source{component_kind="source" component_id=dnsdist component_type=dnstap component_name=dnsdist}: vector::topology::builder: Source pump supervisor task finished normally.
2023-10-16T16:46:36.368886Z DEBUG sink{component_kind="sink" component_id=files component_type=file component_name=files}: vector::sinks::file: Receiver exhausted, terminating the processing loop.
2023-10-16T16:46:36.368894Z DEBUG sink{component_kind="sink" component_id=files component_type=file component_name=files}: vector::sinks::file: Closing all the open files.
2023-10-16T16:46:36.368938Z  INFO vector::topology::running: Shutting down... Waiting on running components. remaining_components="files" time_remaining="59 seconds left"
2023-10-16T16:46:36.532078Z TRACE sink{component_kind="sink" component_id=files component_type=file component_name=files}: vector::sinks::file: Successfully closed file. path=b"/opt/vector/data/dnstap_1697474792.log"
2023-10-16T16:46:36.532117Z DEBUG sink{component_kind="sink" component_id=files component_type=file component_name=files}: vector::topology::builder: Sink finished normally.

The dig command I gave is just an example of a signed record, but I am seeing this when recording any signed responses using dnstap.

@james-stevens
Copy link
Author

james-stevens commented Oct 16, 2023
edited
Loading

I see in the error, the fourth "bytes received" is quite different

bad

vector::internal_events::socket: Events received. count=1 byte_size=2967 mode=unix

good

vector::internal_events::socket: Events received. count=1 byte_size=1445 mode=unix

Looking at the correct DNS response to the test query, the lower number seems more reasonable to me and I can see how getting the length incorrectly too long, and incorporating lots of extra spurious data, would cause the record parser to flag the packet as invalid.

NOTE: 192.168.1.145 is my internal test instance of unbound, set up to send dnstap records to vector.

The unbound that comes in the community repo for Alpine or in EPEL for RHEL9 both have dnstap enabled at compile time and this is a simple configuration for unbound on RHEL9 that I'm using for testing.

server:
	extended-statistics: yes
	chroot: ""

remote-control:
	control-enable: yes
	control-interface: /var/opt/unbound/unbound.control.sock

dnstap:
	dnstap-enable: yes
	dnstap-socket-path: "/run/dnstap.sock"
	dnstap-identity: "my_unbound"
	dnstap-log-resolver-query-messages: yes
	dnstap-log-resolver-response-messages: yes
	dnstap-log-client-query-messages: no
	dnstap-log-client-response-messages: no
	dnstap-log-forwarder-query-messages: no
	dnstap-log-forwarder-response-messages: no

This will only record the queries & responses when unbound communicates with the internet but not record the user's (client) queries.

NOTE: the unbound that comes in EPEL for RHEL9 has chroot enabled at build time, but my chroot option above disables this so it can see the vector socket. The unbound in the community repo for Alpine v3.18 does not have chroot enabled by default.

@james-stevens
Copy link
Author

I have confirmed this is NOT an issue for v0.32.2 on RHEL9 - DNSSEC/RRSIG records are correctly parsed using this version

vector 0.32.2 (x86_64-unknown-linux-gnu beb74c1 2023-09-20 19:46:02.271601143)

NOTE: For me, using the v0.32.2 binary provided by OEM required two environment variables to be set

VECTOR_OPENSSL_LEGACY_PROVIDER=false
VECTOR_CONFIG_YAML=/etc/vector/vector.yaml

The first one was a required setting related to openssl, the second was because I had used a YAML format config file, which is selected automatically in v0.33.0, but must be manually forced in v0.32.2

On RHEL9 these settings can be put into /etc/default/vector, but must also be exported in your shell if (for example) you wish to run vector validate

@neuronull
Copy link
Contributor

👋 Thanks for the report and detailed config(s) @james-stevens .

I was able to reproduce this locally on Ubuntu, using unbound v1.9.4 (with your config provided) , and the dig command you used.

Indeed the warning shows up in v0.33.0 but not in v0.32.0 or v0.32.2.

I'll paste my findings for the record. The next step is to sort out what caused this 😓

// start unbound

sudo /usr/sbin/unbound -c /etc/unbound/unbound.conf.d/myunbound.conf -d -v
[1697564463] unbound[101733:0] notice: Start of unbound 1.9.4.

// dig command

dig @localhost +dnssec nominet.uk

; <<>> DiG 9.16.1-Ubuntu <<>> @localhost +dnssec nominet.uk
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30547
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;nominet.uk.                    IN      A

;; ANSWER SECTION:
nominet.uk.             300     IN      A       162.159.134.42
nominet.uk.             300     IN      RRSIG   A 8 2 300 20231114194922 20231010191826 58609 nominet.uk. ia2h2FRTu3NFjGpZC5hyKSFxoo4MaYNqSSe/tPQC3uLMw7o1Hz/VyQk5 ElZ2KDpNqFkVJLSP0Lw6ppAAdYJd9zaff5iEQrxXexm4QuK41Pl0dxWC /XNpum1Gi9sEiCZnoSfVtxL/t9f/VU9ACEyXhyLpsgiEPOkQjIggSSV6 Mz7Yn47ftthRH6oLn+Ef3pwVbnDToePQ/SSpkigG55+Ro6aUTZiW3J6t SQoyO8QFduM8SnvIafEp66v+bqXwhRguytQOXs9TOd0lw2Y+b3CFK51a o0oDwAsCiU7v4UHZs5QYkCel8Wl6Zvsvfx+X8hDJWdYc4V6584m3oAkY MzJBRA==

;; Query time: 4 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Oct 17 17:42:25 UTC 2023
;; MSG SIZE  rcvd: 353

// vector v0.33.0

./vector-v0.33.0 -c vector.toml
2023-10-17T17:19:11.046958Z  INFO vector::app: Log level is enabled. level="vector=info,codec=info,vrl=info,file_source=info,tower_limit=info,rdkafka=info,buffers=info,lapin=info,kube=info"
2023-10-17T17:19:11.151323Z  INFO vector::app: Loading configs. paths=["vector.toml"]
2023-10-17T17:19:11.661762Z  INFO source{component_kind="source" component_id=dnsdist component_type=dnstap component_name=dnsdist}: vector::sources::util::framestream: Socket permissions updated to 0o777.
2023-10-17T17:19:11.689989Z  INFO vector::topology::running: Running healthchecks.
2023-10-17T17:19:11.695932Z  INFO vector::topology::builder: Healthcheck passed.
2023-10-17T17:19:11.696417Z  INFO vector::topology::running: All healthchecks passed.
2023-10-17T17:19:11.712496Z  INFO vector: Vector has started. debug="true" version="0.33.0" arch="x86_64" revision=""
2023-10-17T17:19:11.717018Z  INFO source{component_kind="source" component_id=dnsdist component_type=dnstap component_name=dnsdist}: vector::sources::util::framestream: Listening... path="/tmp/dnstap.sock" type="unix"
2023-10-17T17:19:11.804922Z  INFO vector::internal_events::api: API server running. address=127.0.0.1:8686 playground=http://127.0.0.1:8686/playground


2023-10-17T17:42:26.843043Z  WARN source{component_kind="source" component_id=dnsdist component_type=dnstap component_name=dnsdist}:connection: vector::internal_events::dnstap: Internal log [Recoverable error occurred while parsing dnstap data.] has been suppressed 3 times.
2023-10-17T17:42:26.843091Z  WARN source{component_kind="source" component_id=dnsdist component_type=dnstap component_name=dnsdist}:connection: vector::internal_events::dnstap: Recoverable error occurred while parsing dnstap data. error=Encountered error : Unsupported rdata DNSSEC(RRSIG(RRSIG(SIG { type_covered: DS, algorithm: RSASHA256, num_labels: 1, original_ttl: 86400, sig_expiration: 1698642000, sig_inception: 1697515200, key_tag: 46780, signer_name: Name("."), sig: [146, 96, 180, 149, 254, 4, 58, 193, 9, 39, 3, 76, 172, 215, 146, 163, 42, 207, 33, 20, 204, 179, 180, 149, 120, 86, 18, 235, 47, 245, 16, 94, 68, 241, 15, 191, 94, 134, 71, 203, 203, 249, 18, 213, 200, 160, 154, 196, 243, 204, 47, 202, 200, 53, 51, 231, 96, 112, 213, 236, 154, 54, 218, 4, 176, 193, 90, 14, 35, 40, 87, 182, 227, 5, 232, 92, 198, 65, 63, 182, 8, 100, 195, 176, 180, 13, 223, 69, 171, 94, 50, 170, 34, 2, 128, 12, 226, 17, 91, 171, 117, 252, 76, 225, 50, 31, 193, 165, 7, 234, 131, 105, 119, 1, 30, 32, 58, 220, 149, 30, 78, 81, 36, 159, 15, 206, 252, 92, 248, 138, 144, 45, 95, 253, 175, 82, 72, 116, 56, 225, 82, 114, 170, 156, 128, 209, 241, 179, 134, 143, 50, 101, 181, 62, 73, 236, 47, 122, 161, 136, 252, 37, 94, 107, 40, 173, 51, 118, 117, 135, 225, 121, 88, 85, 251, 232, 248, 189, 4, 121, 67, 163, 128, 176, 82, 222, 132, 93, 72, 158, 77, 148, 154, 189, 249, 34, 76, 96, 234, 20, 42, 41, 89, 22, 229, 187, 158, 189, 162, 10, 185, 19, 249, 199, 252, 81, 127, 233, 240, 209, 176, 82, 192, 186, 212, 99, 4, 120, 66, 135, 18, 26, 196, 180, 119, 126, 143, 220, 10, 247, 13, 35, 221, 98, 211, 221, 143, 215, 162, 73, 61, 132, 13, 60, 69, 53] }))) stage="processing" error_type="parser_failed" internal_log_rate_limit=true

// vector v0.32.0

./vector-v0.32.0 -c vector.toml
2023-10-17T17:46:19.540739Z  INFO vector::app: Log level is enabled. level="vector=info,codec=info,vrl=info,file_source=info,tower_limit=info,rdkafka=info,buffers=info,lapin=info,kube=info"
2023-10-17T17:46:19.540854Z  WARN vector::app: DEPRECATED The openssl legacy provider provides algorithms and key sizes no longer recommended for use.
2023-10-17T17:46:19.541448Z  INFO vector::app: Loaded openssl legacy provider.
2023-10-17T17:46:19.544779Z  INFO vector::app: Loading configs. paths=["vector.toml"]
2023-10-17T17:46:19.567558Z  INFO source{component_kind="source" component_id=dnsdist component_type=dnstap component_name=dnsdist}: vector::sources::util::framestream: Socket permissions updated to 0o777.
2023-10-17T17:46:19.570725Z  INFO vector::topology::running: Running healthchecks.
2023-10-17T17:46:19.570914Z  INFO vector::topology::builder: Healthcheck passed.
2023-10-17T17:46:19.571016Z  INFO vector::topology::running: All healthchecks passed.
2023-10-17T17:46:19.571755Z  INFO vector: Vector has started. debug="true" version="0.32.0" arch="x86_64" revision=""
2023-10-17T17:46:19.571989Z  INFO source{component_kind="source" component_id=dnsdist component_type=dnstap component_name=dnsdist}: vector::sources::util::framestream: Listening... path="/tmp/dnstap.sock" type="unix"
2023-10-17T17:46:19.581451Z  INFO vector::internal_events::api: API server running. address=127.0.0.1:8686 playground=http://127.0.0.1:8686/playground

{"dataType":"Message","dataTypeId":1,"messageType":"ResolverQuery","messageTypeId":3,"queryZone":".","requestData":{"fullRcode":0,"header":{"aa":false,"ad":false,"anCount":0,"arCount":1,"cd":true,"id":18780,"nsCount":0,"opcode":0,"qdCount":1,"qr":0,"ra":false,"rcode":0,"rd":false,"tc":false},"opt":{"do":true,"ednsVersion":0,"extendedRcode":0,"udpPayloadSize":4096},"question":[{"class":"IN","domainName":"uk.","questionType":"A","questionTypeId":1}],"rcodeName":"NoError"},"responseAddress":"192.112.36.4","responsePort":53,"socketFamily":"INET","socketProtocol":"UDP","source_type":"dnstap","time":1697564805794532000,"timePrecision":"ns","timestamp":"2023-10-17T17:46:45.794532Z"}
{"dataType":"Message","dataTypeId":1,"messageType":"ResolverResponse","messageTypeId":4,"queryZone":".","requestData":{"time":1697564805794358000,"timePrecision":"ns"},"responseAddress":"192.112.36.4","responseData":{"additional":[{"class":"IN","domainName":"dns4.nic.uk.","rData":"43.230.48.1","recordType":"A","recordTypeId":1,"ttl":172800},{"class":"IN","domainName":"dns3.nic.uk.","rData":"213.248.220.1","recordType":"A","recordTypeId":1,"ttl":172800},{"class":"IN","domainName":"dns2.nic.uk.","rData":"103.49.80.1","recordType":"A","recordTypeId":1,"ttl":172800},{"class":"IN","domainName":"dns1.nic.uk.","rData":"213.248.216.1","recordType":"A","recordTypeId":1,"ttl":172800},{"class":"IN","domainName":"nsd.nic.uk.","rData":"156.154.103.3","recordType":"A","recordTypeId":1,"ttl":172800},{"class":"IN","domainName":"nsc.nic.uk.","rData":"156.154.102.3","recordType":"A","recordTypeId":1,"ttl":172800},{"class":"IN","domainName":"nsb.nic.uk.","rData":"156.154.101.3","recordType":"A","recordTypeId":1,"ttl":172800},{"class":"IN","domainName":"nsa.nic.uk.","rData":"156.154.100.3","recordType":"A","recordTypeId":1,"ttl":172800},{"class":"IN","domainName":"dns4.nic.uk.","rData":"2401:fd80:404::1","recordType":"AAAA","recordTypeId":28,"ttl":172800},{"class":"IN","domainName":"dns3.nic.uk.","rData":"2a01:618:404::1","recordType":"AAAA","recordTypeId":28,"ttl":172800},{"class":"IN","domainName":"dns2.nic.uk.","rData":"2401:fd80:400::1","recordType":"AAAA","recordTypeId":28,"ttl":172800},{"class":"IN","domainName":"dns1.nic.uk.","rData":"2a01:618:400::1","recordType":"AAAA","recordTypeId":28,"ttl":172800},{"class":"IN","domainName":"nsd.nic.uk.","rData":"2610:a1:1010::3","recordType":"AAAA","recordTypeId":28,"ttl":172800},{"class":"IN","domainName":"nsc.nic.uk.","rData":"2610:a1:1009::3","recordType":"AAAA","recordTypeId":28,"ttl":172800},{"class":"IN","domainName":"nsb.nic.uk.","rData":"2001:502:2eda::3","recordType":"AAAA","recordTypeId":28,"ttl":172800},{"class":"IN","domainName":"nsa.nic.uk.","rData":"2001:502:ad09::3","recordType":"AAAA","recordTypeId":28,"ttl":172800}],"authority":[{"class":"IN","domainName":"uk.","rData":"dns2.nic.uk.","recordType":"NS","recordTypeId":2,"ttl":172800},{"class":"IN","domainName":"uk.","rData":"nsb.nic.uk.","recordType":"NS","recordTypeId":2,"ttl":172800},{"class":"IN","domainName":"uk.","rData":"dns4.nic.uk.","recordType":"NS","recordTypeId":2,"ttl":172800},{"class":"IN","domainName":"uk.","rData":"nsa.nic.uk.","recordType":"NS","recordTypeId":2,"ttl":172800},{"class":"IN","domainName":"uk.","rData":"nsd.nic.uk.","recordType":"NS","recordTypeId":2,"ttl":172800},{"class":"IN","domainName":"uk.","rData":"nsc.nic.uk.","recordType":"NS","recordTypeId":2,"ttl":172800},{"class":"IN","domainName":"uk.","rData":"dns1.nic.uk.","recordType":"NS","recordTypeId":2,"ttl":172800},{"class":"IN","domainName":"uk.","rData":"dns3.nic.uk.","recordType":"NS","recordTypeId":2,"ttl":172800},{"class":"IN","domainName":"uk.","rData":"43876 8 2 A107ED2AC1BD14D924173BC7E827A1153582072394F9272BA37E2353BC659603","recordType":"DS","recordTypeId":43,"ttl":86400},{"class":"IN","domainName":"uk.","rData":"DS 8 1 86400 1698642000 1697515200 46780 . kmC0lf4EOsEJJwNMrNeSoyrPIRTMs7SVeFYS6y/1EF5E8Q+/XoZHy8v5EtXIoJrE88wvysg1M+dgcNXsmjbaBLDBWg4jKFe24wXoXMZBP7YIZMOwtA3fRateMqoiAoAM4hFbq3X8TOEyH8GlB+qDaXcBHiA63JUeTlEknw/O/Fz4ipAtX/2vUkh0OOFScqqcgNHxs4aPMmW1PknsL3qhiPwlXmsorTN2dYfheVhV++j4vQR5Q6OAsFLehF1Ink2Umr35Ikxg6hQqKVkW5buevaIKuRP5x/xRf+nw0bBSwLrUYwR4QocSGsS0d36P3Ar3DSPdYtPdj9eiST2EDTxFNQ==","recordType":"RRSIG","recordTypeId":46,"ttl":86400}],"fullRcode":0,"header":{"aa":false,"ad":false,"anCount":0,"arCount":17,"cd":true,"id":18780,"nsCount":10,"opcode":0,"qdCount":1,"qr":1,"ra":false,"rcode":0,"rd":false,"tc":false},"opt":{"do":true,"ednsVersion":0,"extendedRcode":0,"udpPayloadSize":1232},"question":[{"class":"IN","domainName":"uk.","questionType":"A","questionTypeId":1}],"rcodeName":"NoError"},"responsePort":53,"socketFamily":"INET","socketProtocol":"UDP","source_type":"dnstap","time":1697564805820438000,"timePrecision":"ns","timestamp":"2023-10-17T17:46:45.820438Z"}
{"dataType":"Message","dataTypeId":1,"messageType":"ResolverQuery","messageTypeId":3,"queryZone":"uk.","requestData":{"fullRcode":0,"header":{"aa":false,"ad":false,"anCount":0,"arCount":1,"cd":true,"id":16883,"nsCount":0,"opcode":0,"qdCount":1,"qr":0,"ra":false,"rcode":0,"rd":false,"tc":false},"opt":{"do":true,"ednsVersion":0,"extendedRcode":0,"udpPayloadSize":4096},"question":[{"class":"IN","domainName":"nominet.uk.","questionType":"A","questionTypeId":1}],"rcodeName":"NoError"},"responseAddress":"43.230.48.1","responsePort":53,"socketFamily":"INET","socketProtocol":"UDP","source_type":"dnstap","time":1697564805820617000,"timePrecision":"ns","timestamp":"2023-10-17T17:46:45.820617Z"}
{"dataType":"Message","dataTypeId":1,"messageType":"ResolverResponse","messageTypeId":4,"queryZone":"uk.","requestData":{"time":1697564805820438000,"timePrecision":"ns"},"responseAddress":"43.230.48.1","responseData":{"additional":[{"class":"IN","domainName":"dns1.nominetdns.uk.","rData":"213.248.219.254","recordType":"A","recordTypeId":1,"ttl":172800},{"class":"IN","domainName":"dns2.nominetdns.uk.","rData":"103.49.83.254","recordType":"A","recordTypeId":1,"ttl":172800},{"class":"IN","domainName":"dns3.nominetdns.uk.","rData":"213.248.223.254","recordType":"A","recordTypeId":1,"ttl":172800},{"class":"IN","domainName":"dns4.nominetdns.uk.","rData":"43.230.51.254","recordType":"A","recordTypeId":1,"ttl":172800},{"class":"IN","domainName":"dnsa.nominetdns.uk.","rData":"156.154.100.3","recordType":"A","recordTypeId":1,"ttl":172800},{"class":"IN","domainName":"dnsb.nominetdns.uk.","rData":"156.154.101.3","recordType":"A","recordTypeId":1,"ttl":172800},{"class":"IN","domainName":"dnsc.nominetdns.uk.","rData":"156.154.102.3","recordType":"A","recordTypeId":1,"ttl":172800},{"class":"IN","domainName":"dnsd.nominetdns.uk.","rData":"156.154.103.3","recordType":"A","recordTypeId":1,"ttl":172800},{"class":"IN","domainName":"dns1.nominetdns.uk.","rData":"2a01:618:403::254","recordType":"AAAA","recordTypeId":28,"ttl":172800},{"class":"IN","domainName":"dns2.nominetdns.uk.","rData":"2401:fd80:403::254","recordType":"AAAA","recordTypeId":28,"ttl":172800},{"class":"IN","domainName":"dns3.nominetdns.uk.","rData":"2a01:618:407::254","recordType":"AAAA","recordTypeId":28,"ttl":172800},{"class":"IN","domainName":"dns4.nominetdns.uk.","rData":"2401:fd80:407::254","recordType":"AAAA","recordTypeId":28,"ttl":172800},{"class":"IN","domainName":"dnsa.nominetdns.uk.","rData":"2001:502:ad09::3","recordType":"AAAA","recordTypeId":28,"ttl":172800},{"class":"IN","domainName":"dnsb.nominetdns.uk.","rData":"2001:502:2eda::3","recordType":"AAAA","recordTypeId":28,"ttl":172800},{"class":"IN","domainName":"dnsc.nominetdns.uk.","rData":"2610:a1:1009::3","recordType":"AAAA","recordTypeId":28,"ttl":172800},{"class":"IN","domainName":"dnsd.nominetdns.uk.","rData":"2610:a1:1010::3","recordType":"AAAA","recordTypeId":28,"ttl":172800}],"authority":[{"class":"IN","domainName":"nominet.uk.","rData":"dns1.nominetdns.uk.","recordType":"NS","recordTypeId":2,"ttl":172800},{"class":"IN","domainName":"nominet.uk.","rData":"dns2.nominetdns.uk.","recordType":"NS","recordTypeId":2,"ttl":172800},{"class":"IN","domainName":"nominet.uk.","rData":"dns3.nominetdns.uk.","recordType":"NS","recordTypeId":2,"ttl":172800},{"class":"IN","domainName":"nominet.uk.","rData":"dns4.nominetdns.uk.","recordType":"NS","recordTypeId":2,"ttl":172800},{"class":"IN","domainName":"nominet.uk.","rData":"dnsa.nominetdns.uk.","recordType":"NS","recordTypeId":2,"ttl":172800},{"class":"IN","domainName":"nominet.uk.","rData":"dnsb.nominetdns.uk.","recordType":"NS","recordTypeId":2,"ttl":172800},{"class":"IN","domainName":"nominet.uk.","rData":"dnsc.nominetdns.uk.","recordType":"NS","recordTypeId":2,"ttl":172800},{"class":"IN","domainName":"nominet.uk.","rData":"dnsd.nominetdns.uk.","recordType":"NS","recordTypeId":2,"ttl":172800},{"class":"IN","domainName":"nominet.uk.","rData":"30245 8 2 EF1A5174815CB7D7A45C5A8327C48604240545EDF1B1B10D9DBA8BDA77335CEF","recordType":"DS","recordTypeId":43,"ttl":3600},{"class":"IN","domainName":"nominet.uk.","rData":"DS 8 2 3600 1698697247 1697485704 43056 uk. 0rwMj9215paeP/lje0ZnvCU7WyezELYI55I12/yGq0soWkSr9oJ6Ys8crSGIddxtOtwaJW49+h5zEkEyRONoIsKXuv6UQSoJpNzsNS8/XLnCvle/T+dRgbJhA0E8rNINqENGrQ3baj2NuX2sC9GZby7KNjiWmehAD31kfo5Lt1Q=","recordType":"RRSIG","recordTypeId":46,"ttl":3600}],"fullRcode":0,"header":{"aa":false,"ad":false,"anCount":0,"arCount":17,"cd":false,"id":16883,"nsCount":10,"opcode":0,"qdCount":1,"qr":1,"ra":false,"rcode":0,"rd":false,"tc":false},"opt":{"do":true,"ednsVersion":0,"extendedRcode":0,"udpPayloadSize":4096},"question":[{"class":"IN","domainName":"nominet.uk.","questionType":"A","questionTypeId":1}],"rcodeName":"NoError"},"responsePort":53,"socketFamily":"INET","socketProtocol":"UDP","source_type":"dnstap","time":1697564805886694000,"timePrecision":"ns","timestamp":"2023-10-17T17:46:45.886694Z"}
{"dataType":"Message","dataTypeId":1,"messageType":"ResolverQuery","messageTypeId":3,"queryZone":"nominet.uk.","requestData":{"fullRcode":0,"header":{"aa":false,"ad":false,"anCount":0,"arCount":1,"cd":true,"id":12568,"nsCount":0,"opcode":0,"qdCount":1,"qr":0,"ra":false,"rcode":0,"rd":false,"tc":false},"opt":{"do":true,"ednsVersion":0,"extendedRcode":0,"udpPayloadSize":4096},"question":[{"class":"IN","domainName":"nominet.uk.","questionType":"A","questionTypeId":1}],"rcodeName":"NoError"},"responseAddress":"103.49.83.254","responsePort":53,"socketFamily":"INET","socketProtocol":"UDP","source_type":"dnstap","time":1697564805886878000,"timePrecision":"ns","timestamp":"2023-10-17T17:46:45.886878Z"}
{"dataType":"Message","dataTypeId":1,"messageType":"ResolverResponse","messageTypeId":4,"queryZone":"nominet.uk.","requestData":{"time":1697564805886694000,"timePrecision":"ns"},"responseAddress":"103.49.83.254","responseData":{"answers":[{"class":"IN","domainName":"nominet.uk.","rData":"162.159.134.42","recordType":"A","recordTypeId":1,"ttl":300},{"class":"IN","domainName":"nominet.uk.","rData":"A 8 2 300 1699991362 1696965506 58609 nominet.uk. ia2h2FRTu3NFjGpZC5hyKSFxoo4MaYNqSSe/tPQC3uLMw7o1Hz/VyQk5ElZ2KDpNqFkVJLSP0Lw6ppAAdYJd9zaff5iEQrxXexm4QuK41Pl0dxWC/XNpum1Gi9sEiCZnoSfVtxL/t9f/VU9ACEyXhyLpsgiEPOkQjIggSSV6Mz7Yn47ftthRH6oLn+Ef3pwVbnDToePQ/SSpkigG55+Ro6aUTZiW3J6tSQoyO8QFduM8SnvIafEp66v+bqXwhRguytQOXs9TOd0lw2Y+b3CFK51ao0oDwAsCiU7v4UHZs5QYkCel8Wl6Zvsvfx+X8hDJWdYc4V6584m3oAkYMzJBRA==","recordType":"RRSIG","recordTypeId":46,"ttl":300}],"authority":[{"class":"IN","domainName":"nominet.uk.","rData":"dns1.nominetdns.uk.","recordType":"NS","recordTypeId":2,"ttl":172800},{"class":"IN","domainName":"nominet.uk.","rData":"dns2.nominetdns.uk.","recordType":"NS","recordTypeId":2,"ttl":172800},{"class":"IN","domainName":"nominet.uk.","rData":"dns3.nominetdns.uk.","recordType":"NS","recordTypeId":2,"ttl":172800},{"class":"IN","domainName":"nominet.uk.","rData":"dns4.nominetdns.uk.","recordType":"NS","recordTypeId":2,"ttl":172800},{"class":"IN","domainName":"nominet.uk.","rData":"dnsa.nominetdns.uk.","recordType":"NS","recordTypeId":2,"ttl":172800},{"class":"IN","domainName":"nominet.uk.","rData":"dnsb.nominetdns.uk.","recordType":"NS","recordTypeId":2,"ttl":172800},{"class":"IN","domainName":"nominet.uk.","rData":"dnsc.nominetdns.uk.","recordType":"NS","recordTypeId":2,"ttl":172800},{"class":"IN","domainName":"nominet.uk.","rData":"dnsd.nominetdns.uk.","recordType":"NS","recordTypeId":2,"ttl":172800},{"class":"IN","domainName":"nominet.uk.","rData":"NS 8 2 172800 1699991362 1696965506 58609 nominet.uk. D/XG+femiw/HeKpls7Cvnce15jR/KnzBbAeKHLwwtob0NHO8xWe3X2aNTIBYh2f0yWB2GRSMfr28ltib9xmOQbuH2NGymChUngnlatg9pFqZJ3DDZ99KsxJzfePhJvEIzUMVBPLbDK4dtudiweACje8Z0aM0TKuUXyrjE7Qx0WRC2tmcal7HJcGfMHB6hr/YiiMBlToSexIAzSjcpYyYV940TMyBV+4+yU16DgVDtjM+vMu2g2i/XVEQ1v42whOoVHw04ZNh0rMfjllyf92x6kSu2TRA3faoVa10qjUBCBQ29efLWr6cD/iPtsHBoEFvlw1BGWFp8Fan+GMzyf6qkA==","recordType":"RRSIG","recordTypeId":46,"ttl":172800}],"fullRcode":0,"header":{"aa":true,"ad":false,"anCount":2,"arCount":1,"cd":true,"id":12568,"nsCount":9,"opcode":0,"qdCount":1,"qr":1,"ra":false,"rcode":0,"rd":false,"tc":false},"opt":{"do":true,"ednsVersion":0,"extendedRcode":0,"udpPayloadSize":1232},"question":[{"class":"IN","domainName":"nominet.uk.","questionType":"A","questionTypeId":1}],"rcodeName":"NoError"},"responsePort":53,"socketFamily":"INET","socketProtocol":"UDP","source_type":"dnstap","time":1697564805931758000,"timePrecision":"ns","timestamp":"2023-10-17T17:46:45.931758Z"}

@neuronull neuronull added the meta: confirmed A bug that has been reproduced or confirmed. label Oct 17, 2023
@neuronull
Copy link
Contributor

Ok, I think I tracked this down.

In Vector v0.33.0, this included a commit which upgraded the trust-dns-proto crate, which is used in the parsing of the dns messages for the dnstap source (#18349)

That dependency crate upgrade from v0.22.0 to v0.23.0 , introduced this change: hickory-dns/hickory-dns@0f21992#diff-21e0dc5da2afd7765e8fb341c7d09d6442bf9b6c6731dd3e6f1f30d4fe7d0d06 , wherein the enum DNSSECRData was expanded with a new variant, RSIG.

We can see from the warning message in the Vector log that this is the rdata type we are receiving:

Unsupported rdata DNSSEC(RRSIG(RRSIG(SIG

Inspecting the relevant code, it looks like that rdata type was previously considered "Unknown" by the trust-dns-proto , and in Vector we considered that Ok. But now it falls into the catch-all case in Vector, because we don't have a specific handling for the RSIG rdata type.

vector/lib/dnsmsg-parser/src/dns_message_parser.rs

Lines 747 to 750 in 8a5b67e

DNSSECRData::Unknown { code: _, rdata } => Ok((None, Some(rdata.anything().to_vec()))),
_ => Err(DnsMessageParserError::SimpleError {
cause: format!("Unsupported rdata {:?}", rdata),
}),

So this is a case of an upstream dependency upgrade silently (our existing tests didn't cover this case) introducing logic that results in a functional regression in Vector.
I think the fix will just involve expanding the dnsmsg-parser library in Vector, to properly handle the new rdata type. We should probably also add some tests for this.

@neuronull neuronull added source: dnstap Anything `dnstap` source related domain: parsing Anything related to parsing within Vector labels Oct 17, 2023
@neuronull neuronull self-assigned this Oct 17, 2023
@neuronull
Copy link
Contributor

I am working on the fix for this.

@james-stevens
Copy link
Author

I am working on the fix for this.

thanks, mate !!

@neuronull neuronull mentioned this issue Oct 18, 2023
Merged
@james-stevens
Copy link
Author

that was quick !

@james-stevens james-stevens mentioned this issue Nov 7, 2023
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@neuronull neuronull

Labels
domain: parsing Anything related to parsing within Vector meta: confirmed A bug that has been reproduced or confirmed. source: dnstap Anything `dnstap` source related type: bug A code related bug.
Projects
None yet
Milestone
Vector v0.33.1
Development

Successfully merging a pull request may close this issue.

fix(dnstap source): support DNSSEC RRSIG record data vectordotdev/vector
3 participants
@jszwedko @neuronull @james-stevens