Maintained by: NLnet Labs

[Unbound-users] SERVFAIL with *some* names in a DNSSEC+DLV signed zone

W.C.A. Wijngaards
Thu Aug 27 11:08:31 CEST 2009


Hi Stephane,

Can you give me more details?
Once DLV got the DNSKEY, it remains valid for the TTL,
which for ripe is 1 hour.

Can you give the output of the query +cdflag (what was the
data that failed?)

For me, dig +sigchase for that name works fine.
Also unbound-host when given the ripe.net key.

Best regards,
   Wouter

On 08/27/2009 09:49 AM, Stephane Bortzmeyer wrote:
> On Tue, Jun 30, 2009 at 02:24:12PM +0200,
>  W.C.A. Wijngaards <wouter at nlnetlabs.nl> wrote 
>  a message of 71 lines which said:
> 
>> I think the problem is the recent NSEC+RRSIG parse bug I fixed.  In the
>> ANY queries that is present and can lead to the problem, the bug is
>> triggered based on ordering in the packet, and this causes the
>> randomness for you.
>>
>> So, it is fixed in subversion trunk and perhaps I should consider making
>> a bugfix release :-)
> 
> I have a similar (?) problem with the 1.3.2 release.
> 
> % dig +dnssec AAAA ns-cm.ripe.net 
> ...
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19685
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 5
> ...
> ns-cm.ripe.net.         172417  IN      AAAA    2001:610:240:0:53:cc:12:38
> ...
> 
> (Same thing for A queries.)
> 
> % dig +dnssec ANY ns-cm.ripe.net   
> ...
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 20929
> ...
> 
> Other names, like ns-co.ripe.net, work fine.
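The triage Wouter asks for above (compare the validating answer with the same query under +cd, which tells the resolver to return the data even if it fails validation) can be scripted. The following is an added example, not code from the thread or from Unbound: it parses dig response headers and classifies the outcome. The two dig outputs are constructed here and modelled on the headers Stephane quoted (the flags line for the SERVFAIL case and the +cd response are assumed, since the thread elides them); the helper names dig_status, dig_ad_flag and triage are this example's own.

```shell
#!/bin/sh
# Added example: classify a DNSSEC lookup from two dig runs, the normal
# (validating) query and the same query with +cd. Not code from the thread.

# Print the status (NOERROR, SERVFAIL, ...) from dig output read on stdin.
dig_status() {
    sed -n 's/.*->>HEADER<<-.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# Print "yes" if the AD (authenticated data) flag is set, "no" otherwise.
# The flags are matched as whole words so "cd" or "ra" never match "ad".
dig_ad_flag() {
    flags=$(sed -n 's/^;; flags: \([^;]*\);.*/\1/p' | head -n 1)
    for f in $flags; do
        [ "$f" = "ad" ] && { echo yes; return 0; }
    done
    echo no
}

# triage NORMAL_OUTPUT CD_OUTPUT prints one of:
#   validated   - NOERROR with AD set: chain of trust checked out
#   insecure    - NOERROR without AD: data exists, no chain of trust (or
#                 the resolver is not validating at all)
#   bogus       - the validating query SERVFAILs but +cd returns data: the
#                 resolver rejected the signatures; the +cd answer is the
#                 data to look at (what Wouter asks for)
#   unreachable - both fail: not a validation problem, look at the servers
triage() {
    normal=$1
    cdout=$2
    nstatus=$(printf '%s\n' "$normal" | dig_status)
    cstatus=$(printf '%s\n' "$cdout" | dig_status)
    if [ "$nstatus" = "NOERROR" ]; then
        if [ "$(printf '%s\n' "$normal" | dig_ad_flag)" = yes ]; then
            echo validated
        else
            echo insecure
        fi
    elif [ "$cstatus" = "NOERROR" ]; then
        echo bogus
    else
        echo unreachable
    fi
}

# Constructed sample headers, modelled on the ones quoted in the thread.
AAAA_OK=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19685
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 5'
ANY_FAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 20929
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0'
ANY_CD=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20930
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 6, AUTHORITY: 5, ADDITIONAL: 5'

# Usage with the constructed samples; with real data you would capture
#   dig +dnssec ANY ns-cm.ripe.net      and
#   dig +dnssec +cd ANY ns-cm.ripe.net
# into the two variables instead.
printf 'AAAA query: %s\n' "$(triage "$AAAA_OK" "$AAAA_OK")"
printf 'ANY query:  %s\n' "$(triage "$ANY_FAIL" "$ANY_CD")"
```

A "bogus" result is the case in this thread: the +cd answer contains the RRsets and RRSIGs the validator refused, which is what to attach to a bug report, together with the DNSKEY TTL so it is clear whether the DLV-fetched key could have expired in between.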