Maintained by: NLnet Labs

[Unbound-users] [Q] HINFO in signed zone results SERVFAIL, but NOERROR with BIND

Koh-ichi Ito
Tue Jan 6 09:59:32 CET 2009


Hello,

I experience the following problem with unbound-1.1.1.
A bug? or I hope somebody to kindly point out my fault.

What I did is the following.
- Sign a zone data of "example.jp", which contains an HINFO
  RR, with dnssec-signzone in BIND-9.4.2, key is generated
  by dnssec-keygen in BIND-9.4.2, too.
- Serve the zone by NSD 3.2.0.

The result is the following.
- Look up the HINFO RR via named(recursive only) results
  NOERROR
- Look up via unbound 1.1.1 results SERVFAIL. unbound says
  "message contains bad rrsets" at the time.
- Look up the A RR of same owner via unbound results
  NOERROR.

# example.jp before signing:
$TTL 1m
@	IN	SOA	ns.example.jp. hostmaster.example.jp. (
			0	; overridden by dnssec-signzone
			15m
			10m
			4w
			15m)
$INCLUDE ksk.key
$INCLUDE zsk.key
	NS	ns.example.jp.
ns	A	10.2.0.18
foo	A	10.20.30.40
	HINFO	VMware FreeBSD
--------------------------------------------------

# signed zone data around "foo.example.jp":
foo.example.jp.		60	IN A	10.20.30.40
			60	RRSIG	A 5 3 60 20090220070924 (
					20090106070924 13872 example.jp.
					XVEbPz8vAVUg5xIAEJ9qPgI0iziEinvGpmB9
					QbMSK8SNWCIkoTIpu/VNr6pk7bztEXPCLWWF
					GWEIdi2lN+8Scoeq3BaqAZTu+3NlLVR4XLfA
					v/2cz7GCmFExsEuRhlCQ )
			60	HINFO	"VMware" "FreeBSD"
			60	RRSIG	HINFO 5 3 60 20090220070924 (
					20090106070924 13872 example.jp.
					YUhRwiZF8O8pU/yFZAeGRwiydFNIsLgHrVLd
					o1jphx4elWCHGmW+BWh3yZTM6iz3vNTDsksp
					1qTuHHVpPsBCRO5u3sb1Q2u7ahxT4wq1vy8I
					U1s8GYlyyx6NWEDRSi11 )
			900	NSEC	ns.example.jp. A HINFO RRSIG NSEC
			900	RRSIG	NSEC 5 3 900 20090220070924 (
					20090106070924 13872 example.jp.
					UDV79onp1LJjPW2qOeh8CJnDwxdnBDr5TAqx
					20YePlbVgUQDAK6himevg605SxfNULrnGH3i
					3eEaG8B//5zh7YOEdNNDDsNS3qMzRLAK9FcV
					QzPh0O0wvux8BqWNYR98 )
--------------------------------------------------
# output of dig via unbound:

Script started on Tue Jan  6 17:20:12 2009
kohi at vm1[1]% dig +dnssec @127.0.0.1 foo.example.jp HINFO

; <<>> DiG 9.4.2 <<>> +dnssec @127.0.0.1 foo.example.jp HINFO
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 44138
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;foo.example.jp.			IN	HINFO

;; Query time: 4 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Jan  6 17:20:26 2009
;; MSG SIZE  rcvd: 43

kohi at vm1[2]% dig +dnssec @127.0.0.1 foo.example.jp A

; <<>> DiG 9.4.2 <<>> +dnssec @127.0.0.1 foo.example.jp A
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3293
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;foo.example.jp.			IN	A

;; ANSWER SECTION:
foo.example.jp.		60	IN	A	10.20.30.40
foo.example.jp.		60	IN	RRSIG	A 5 3 60 20090220070924 20090106070924 13872 example.jp. XVEbPz8vAVUg5xIAEJ9qPgI0iziEinvGpmB9QbMSK8SNWCIkoTIpu/VN r6pk7bztEXPCLWWFGWEIdi2lN+8Scoeq3BaqAZTu+3NlLVR4XLfAv/2c z7GCmFExsEuRhlCQ

;; AUTHORITY SECTION:
example.jp.		60	IN	NS	ns.example.jp.
example.jp.		60	IN	RRSIG	NS 5 2 60 20090220070924 20090106070924 13872 example.jp. cci1b3UmL83L6Hwww+Iyxrp8x7d99WILt06c7i408zYTnPXZuc1TW/G3 H474aPsIBvzSnvhPqd8i4DgoNFGfEWPuSDA3WfIHIUAu5olHiirbihVt HO8bJZmSO8ZI3xGH

;; ADDITIONAL SECTION:
ns.example.jp.		60	IN	A	10.2.0.18
ns.example.jp.		60	IN	RRSIG	A 5 3 60 20090220070924 20090106070924 13872 example.jp. Czz86H3IEVaBSn3MtoBuJPLIh4+9wFXY7lWIgzJPQ6bBOTzLEVAu2YQb Xz03WVXrn16M96/EYx1IeKPo7yhRK75JBZiQCqee+6EDbFd5j9W52lTW HULpVxuuykPfysv3

;; Query time: 2 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Jan  6 17:20:37 2009
;; MSG SIZE  rcvd: 506

kohi at vm1[3]% exit

Script done on Tue Jan  6 17:20:39 2009
--------------------------------------------------

# output of dig via named:

Script started on Tue Jan  6 17:19:00 2009
kohi at vm1[1]% dig +dnssec @127.0.0.1 foo.example.jp HINFO

; <<>> DiG 9.4.2 <<>> +dnssec @127.0.0.1 foo.example.jp HINFO
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57200
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;foo.example.jp.			IN	HINFO

;; ANSWER SECTION:
foo.example.jp.		60	IN	HINFO	"VMware" "FreeBSD"
foo.example.jp.		60	IN	RRSIG	HINFO 5 3 60 20090220070924 20090106070924 13872 example.jp. YUhRwiZF8O8pU/yFZAeGRwiydFNIsLgHrVLdo1jphx4elWCHGmW+BWh3 yZTM6iz3vNTDsksp1qTuHHVpPsBCRO5u3sb1Q2u7ahxT4wq1vy8IU1s8 GYlyyx6NWEDRSi11

;; AUTHORITY SECTION:
example.jp.		60	IN	NS	ns.example.jp.
example.jp.		60	IN	RRSIG	NS 5 2 60 20090220070924 20090106070924 13872 example.jp. cci1b3UmL83L6Hwww+Iyxrp8x7d99WILt06c7i408zYTnPXZuc1TW/G3 H474aPsIBvzSnvhPqd8i4DgoNFGfEWPuSDA3WfIHIUAu5olHiirbihVt HO8bJZmSO8ZI3xGH

;; Query time: 6 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Jan  6 17:19:18 2009
;; MSG SIZE  rcvd: 363

kohi at vm1[2]% exit

Script done on Tue Jan  6 17:19:20 2009
--------------------------------------------------

# output of unbound:

Script started on Tue Jan  6 17:19:43 2009
kohi at vm1[1]% /usr/bin/su
Password:
vm1# /proj/unbound-1.1.1/sbin/unbound -d -v
[1231229999] unbound[28416:0] notice: Start of unbound 1.1.1.
[1231229999] unbound[28416:0] notice: init module 0: validator
[1231229999] unbound[28416:0] notice: init module 1: iterator
[1231229999] unbound[28416:0] notice: openssl has no entropy, seeding with time and pid
[1231229999] unbound[28416:0] info: start of service (unbound 1.1.1).
[1231230026] unbound[28416:0] info: resolving <foo.example.jp. HINFO IN>
[1231230026] unbound[28416:0] info: priming . IN NS
[1231230026] unbound[28416:0] info: response for <. NS IN>
[1231230026] unbound[28416:0] info: reply from <.> 10.2.0.18#53
[1231230026] unbound[28416:0] info: query response was ANSWER
[1231230026] unbound[28416:0] info: priming successful for <. NS IN>
[1231230026] unbound[28416:0] info: response for <foo.example.jp. HINFO IN>
[1231230026] unbound[28416:0] info: reply from <.> 10.2.0.18#53
[1231230026] unbound[28416:0] info: query response was ANSWER
[1231230026] unbound[28416:0] info: prime trust anchor
[1231230026] unbound[28416:0] info: resolving <example.jp. DNSKEY IN>
[1231230026] unbound[28416:0] info: response for <example.jp. DNSKEY IN>
[1231230026] unbound[28416:0] info: reply from <example.jp.> 10.2.0.18#53
[1231230026] unbound[28416:0] info: query response was ANSWER
[1231230026] unbound[28416:0] info: validate keys with anchor(DNSKEY): sec_status_secure
[1231230026] unbound[28416:0] info: Successfully primed trust anchor <example.jp. DNSKEY IN>
[1231230026] unbound[28416:0] info: Validate: message contains bad rrsets
[1231230037] unbound[28416:0] info: resolving <foo.example.jp. A IN>
[1231230037] unbound[28416:0] info: response for <foo.example.jp. A IN>
[1231230037] unbound[28416:0] info: reply from <example.jp.> 10.2.0.18#53
[1231230037] unbound[28416:0] info: query response was ANSWER
[1231230037] unbound[28416:0] info: validate(positive): sec_status_secure
[1231230037] unbound[28416:0] info: validation success <foo.example.jp. A IN>
^C[1231230041] unbound[28416:0] info: service stopped (unbound 1.1.1).
[1231230041] unbound[28416:0] info: server stats for thread 0: 2 queries, 0 answers from cache, 2 recursions
[1231230041] unbound[28416:0] info: server stats for thread 0: requestlist max 0 avg 0 exceeded 0
[1231230041] unbound[28416:0] info: mesh has 0 recursion states (0 with reply, 0 detached), 0 waiting replies, 2 recursion replies sent, 0 replies dropped, 0 states jostled out
[1231230041] unbound[28416:0] info: average recursion processing time 0.001426 sec
[1231230041] unbound[28416:0] info: histogram of recursion processing times
[1231230041] unbound[28416:0] info: [25%]=0 median[50%]=0 [75%]=0
[1231230041] unbound[28416:0] info: lower(secs) upper(secs) recursions
[1231230041] unbound[28416:0] info:    0.000512    0.001024 1
[1231230041] unbound[28416:0] info:    0.002048    0.004096 1
vm1# exit
exit
kohi at vm1[2]% exit

Script done on Tue Jan  6 17:20:45 2009
--------------------------------------------------

# unbound.conf:

server:
	do-ip6: no
	chroot: /proj/unbound
	root-hints: fake-root
	username: bind
	logfile: ""
	pidfile: /var/run/unbound.pid
#	trust-anchor-file: trust-anchor/dsset-example.jp.
#	trust-anchor-file: trust-anchor/keyset-example.jp.
	trusted-keys-file: trusted-keys/example.jp

remote-control:
	control-enable: yes
--------------------------------------------------


If any other information is required, please let me known.

Don't ask the reason why I wish to use HINFO today :-p

Thanks in advance.

					Koh-ichi Ito
				Internet Research Institute, Inc.