Hello,

I experience the following problem with unbound-1.1.1. A bug? Or I hope
somebody will kindly point out my fault.

What I did is the following.

- Sign the zone data of "example.jp", which contains an HINFO RR, with
  dnssec-signzone in BIND-9.4.2; the key is generated by dnssec-keygen in
  BIND-9.4.2, too.
- Serve the zone by NSD 3.2.0.

The result is the following.

- Looking up the HINFO RR via named (recursive only) results in NOERROR.
- Looking up via unbound 1.1.1 results in SERVFAIL. unbound says "message
  contains bad rrsets" at the time.
- Looking up the A RR of the same owner via unbound results in NOERROR.

# example.jp before signing:

$TTL 1m
@       IN SOA  ns.example.jp. hostmaster.example.jp. (
                0       ; overridden by dnssec-signzone
                15m
                10m
                4w
                15m)
$INCLUDE ksk.key
$INCLUDE zsk.key
        NS      ns.example.jp.
ns      A       10.2.0.18
foo     A       10.20.30.40
        HINFO   VMware FreeBSD

--------------------------------------------------
# signed zone data around "foo.example.jp":

foo.example.jp.         60 IN A         10.20.30.40
                        60      RRSIG   A 5 3 60 20090220070924 (
                                        20090106070924 13872 example.jp.
                                        XVEbPz8vAVUg5xIAEJ9qPgI0iziEinvGpmB9
                                        QbMSK8SNWCIkoTIpu/VNr6pk7bztEXPCLWWF
                                        GWEIdi2lN+8Scoeq3BaqAZTu+3NlLVR4XLfA
                                        v/2cz7GCmFExsEuRhlCQ )
                        60      HINFO   "VMware" "FreeBSD"
                        60      RRSIG   HINFO 5 3 60 20090220070924 (
                                        20090106070924 13872 example.jp.
                                        YUhRwiZF8O8pU/yFZAeGRwiydFNIsLgHrVLd
                                        o1jphx4elWCHGmW+BWh3yZTM6iz3vNTDsksp
                                        1qTuHHVpPsBCRO5u3sb1Q2u7ahxT4wq1vy8I
                                        U1s8GYlyyx6NWEDRSi11 )
                        900     NSEC    ns.example.jp. A HINFO RRSIG NSEC
                        900     RRSIG   NSEC 5 3 900 20090220070924 (
                                        20090106070924 13872 example.jp.
                                        UDV79onp1LJjPW2qOeh8CJnDwxdnBDr5TAqx
                                        20YePlbVgUQDAK6himevg605SxfNULrnGH3i
                                        3eEaG8B//5zh7YOEdNNDDsNS3qMzRLAK9FcV
                                        QzPh0O0wvux8BqWNYR98 )

--------------------------------------------------
# output of dig via unbound:

Script started on Tue Jan  6 17:20:12 2009
kohi at vm1[1]% dig +dnssec @127.0.0.1 foo.example.jp HINFO

; <<>> DiG 9.4.2 <<>> +dnssec @127.0.0.1 foo.example.jp HINFO
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 44138
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;foo.example.jp.                IN      HINFO

;; Query time: 4 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Jan  6 17:20:26 2009
;; MSG SIZE  rcvd: 43

kohi at vm1[2]% dig +dnssec @127.0.0.1 foo.example.jp A

; <<>> DiG 9.4.2 <<>> +dnssec @127.0.0.1 foo.example.jp A
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3293
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;foo.example.jp.                IN      A

;; ANSWER SECTION:
foo.example.jp.         60      IN      A       10.20.30.40
foo.example.jp.         60      IN      RRSIG   A 5 3 60 20090220070924 20090106070924 13872 example.jp. XVEbPz8vAVUg5xIAEJ9qPgI0iziEinvGpmB9QbMSK8SNWCIkoTIpu/VN r6pk7bztEXPCLWWFGWEIdi2lN+8Scoeq3BaqAZTu+3NlLVR4XLfAv/2c z7GCmFExsEuRhlCQ

;; AUTHORITY SECTION:
example.jp.             60      IN      NS      ns.example.jp.
example.jp.             60      IN      RRSIG   NS 5 2 60 20090220070924 20090106070924 13872 example.jp. cci1b3UmL83L6Hwww+Iyxrp8x7d99WILt06c7i408zYTnPXZuc1TW/G3 H474aPsIBvzSnvhPqd8i4DgoNFGfEWPuSDA3WfIHIUAu5olHiirbihVt HO8bJZmSO8ZI3xGH

;; ADDITIONAL SECTION:
ns.example.jp.          60      IN      A       10.2.0.18
ns.example.jp.          60      IN      RRSIG   A 5 3 60 20090220070924 20090106070924 13872 example.jp. Czz86H3IEVaBSn3MtoBuJPLIh4+9wFXY7lWIgzJPQ6bBOTzLEVAu2YQb Xz03WVXrn16M96/EYx1IeKPo7yhRK75JBZiQCqee+6EDbFd5j9W52lTW HULpVxuuykPfysv3

;; Query time: 2 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Jan  6 17:20:37 2009
;; MSG SIZE  rcvd: 506

kohi at vm1[3]% exit

Script done on Tue Jan  6 17:20:39 2009

--------------------------------------------------
# output of dig via named:

Script started on Tue Jan  6 17:19:00 2009
kohi at vm1[1]% dig +dnssec @127.0.0.1 foo.example.jp HINFO

; <<>> DiG 9.4.2 <<>> +dnssec @127.0.0.1 foo.example.jp HINFO
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57200
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;foo.example.jp.                IN      HINFO

;; ANSWER SECTION:
foo.example.jp.         60      IN      HINFO   "VMware" "FreeBSD"
foo.example.jp.         60      IN      RRSIG   HINFO 5 3 60 20090220070924 20090106070924 13872 example.jp. YUhRwiZF8O8pU/yFZAeGRwiydFNIsLgHrVLdo1jphx4elWCHGmW+BWh3 yZTM6iz3vNTDsksp1qTuHHVpPsBCRO5u3sb1Q2u7ahxT4wq1vy8IU1s8 GYlyyx6NWEDRSi11

;; AUTHORITY SECTION:
example.jp.             60      IN      NS      ns.example.jp.
example.jp.             60      IN      RRSIG   NS 5 2 60 20090220070924 20090106070924 13872 example.jp. cci1b3UmL83L6Hwww+Iyxrp8x7d99WILt06c7i408zYTnPXZuc1TW/G3 H474aPsIBvzSnvhPqd8i4DgoNFGfEWPuSDA3WfIHIUAu5olHiirbihVt HO8bJZmSO8ZI3xGH

;; Query time: 6 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Jan  6 17:19:18 2009
;; MSG SIZE  rcvd: 363

kohi at vm1[2]% exit

Script done on Tue Jan  6 17:19:20 2009

--------------------------------------------------
# output of unbound:

Script started on Tue Jan  6 17:19:43 2009
kohi at vm1[1]% /usr/bin/su
Password:
vm1# /proj/unbound-1.1.1/sbin/unbound -d -v
[1231229999] unbound[28416:0] notice: Start of unbound 1.1.1.
[1231229999] unbound[28416:0] notice: init module 0: validator
[1231229999] unbound[28416:0] notice: init module 1: iterator
[1231229999] unbound[28416:0] notice: openssl has no entropy, seeding with time and pid
[1231229999] unbound[28416:0] info: start of service (unbound 1.1.1).
[1231230026] unbound[28416:0] info: resolving <foo.example.jp. HINFO IN>
[1231230026] unbound[28416:0] info: priming . IN NS
[1231230026] unbound[28416:0] info: response for <. NS IN>
[1231230026] unbound[28416:0] info: reply from <.> 10.2.0.18#53
[1231230026] unbound[28416:0] info: query response was ANSWER
[1231230026] unbound[28416:0] info: priming successful for <. NS IN>
[1231230026] unbound[28416:0] info: response for <foo.example.jp. HINFO IN>
[1231230026] unbound[28416:0] info: reply from <.> 10.2.0.18#53
[1231230026] unbound[28416:0] info: query response was ANSWER
[1231230026] unbound[28416:0] info: prime trust anchor
[1231230026] unbound[28416:0] info: resolving <example.jp. DNSKEY IN>
[1231230026] unbound[28416:0] info: response for <example.jp. DNSKEY IN>
[1231230026] unbound[28416:0] info: reply from <example.jp.> 10.2.0.18#53
[1231230026] unbound[28416:0] info: query response was ANSWER
[1231230026] unbound[28416:0] info: validate keys with anchor(DNSKEY): sec_status_secure
[1231230026] unbound[28416:0] info: Successfully primed trust anchor <example.jp. DNSKEY IN>
[1231230026] unbound[28416:0] info: Validate: message contains bad rrsets
[1231230037] unbound[28416:0] info: resolving <foo.example.jp. A IN>
[1231230037] unbound[28416:0] info: response for <foo.example.jp. A IN>
[1231230037] unbound[28416:0] info: reply from <example.jp.> 10.2.0.18#53
[1231230037] unbound[28416:0] info: query response was ANSWER
[1231230037] unbound[28416:0] info: validate(positive): sec_status_secure
[1231230037] unbound[28416:0] info: validation success <foo.example.jp. A IN>
^C[1231230041] unbound[28416:0] info: service stopped (unbound 1.1.1).
[1231230041] unbound[28416:0] info: server stats for thread 0: 2 queries, 0 answers from cache, 2 recursions
[1231230041] unbound[28416:0] info: server stats for thread 0: requestlist max 0 avg 0 exceeded 0
[1231230041] unbound[28416:0] info: mesh has 0 recursion states (0 with reply, 0 detached), 0 waiting replies, 2 recursion replies sent, 0 replies dropped, 0 states jostled out
[1231230041] unbound[28416:0] info: average recursion processing time 0.001426 sec
[1231230041] unbound[28416:0] info: histogram of recursion processing times
[1231230041] unbound[28416:0] info: [25%]=0 median[50%]=0 [75%]=0
[1231230041] unbound[28416:0] info: lower(secs) upper(secs) recursions
[1231230041] unbound[28416:0] info:    0.000512    0.001024 1
[1231230041] unbound[28416:0] info:    0.002048    0.004096 1
vm1# exit
exit
kohi at vm1[2]% exit

Script done on Tue Jan  6 17:20:45 2009

--------------------------------------------------
# unbound.conf:

server:
        do-ip6: no
        chroot: /proj/unbound
        root-hints: fake-root
        username: bind
        logfile: ""
        pidfile: /var/run/unbound.pid
#       trust-anchor-file: trust-anchor/dsset-example.jp.
#       trust-anchor-file: trust-anchor/keyset-example.jp.
        trusted-keys-file: trusted-keys/example.jp

remote-control:
        control-enable: yes

--------------------------------------------------

If any other information is required, please let me know.
Don't ask the reason why I wish to use HINFO today :-p

Thanks in advance.

Koh-ichi Ito
Internet Research Institute, Inc.
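
Added example, not part of the original post and not unbound's own code: in the `unbound -d -v` log above, the "message contains bad rrsets" line names no query and follows the DNSKEY lookup, so this sketch pairs each validation outcome with the client query it belongs to. The function name `triage` and the pairing heuristic (one client query in flight at a time, as in this debug run) are assumptions.

```python
import re

# Sample input: lines copied from the unbound -d -v output in the post above.
SAMPLE_LOG = """\
[1231230026] unbound[28416:0] info: resolving <foo.example.jp. HINFO IN>
[1231230026] unbound[28416:0] info: prime trust anchor
[1231230026] unbound[28416:0] info: resolving <example.jp. DNSKEY IN>
[1231230026] unbound[28416:0] info: validate keys with anchor(DNSKEY): sec_status_secure
[1231230026] unbound[28416:0] info: Successfully primed trust anchor <example.jp. DNSKEY IN>
[1231230026] unbound[28416:0] info: Validate: message contains bad rrsets
[1231230037] unbound[28416:0] info: resolving <foo.example.jp. A IN>
[1231230037] unbound[28416:0] info: validate(positive): sec_status_secure
[1231230037] unbound[28416:0] info: validation success <foo.example.jp. A IN>
"""

QUERY = r"<(\S+) (\S+) IN>"  # captures (owner name, RR type)
RESOLVING = re.compile(r"info: resolving " + QUERY)
PRIMED = re.compile(r"info: Successfully primed trust anchor " + QUERY)
SUCCESS = re.compile(r"info: validation success " + QUERY)
BAD_RRSETS = "info: Validate: message contains bad rrsets"


def triage(log_text):
    """Return [(name, rrtype, outcome)] for each validated client query."""
    pending = []   # queries seen in "resolving" with no outcome yet
    results = []
    for line in log_text.splitlines():
        if m := RESOLVING.search(line):
            pending.append(m.groups())
        elif m := PRIMED.search(line):
            # The DNSKEY lookup was the validator's own sub-query, not a client query.
            if m.groups() in pending:
                pending.remove(m.groups())
        elif m := SUCCESS.search(line):
            if m.groups() in pending:
                pending.remove(m.groups())
            results.append((*m.groups(), "validation success"))
        elif BAD_RRSETS in line:
            # Heuristic: blame the most recent query still waiting for an outcome.
            name, rrtype = pending.pop() if pending else ("?", "?")
            results.append((name, rrtype, "bad rrsets"))
    return results


if __name__ == "__main__":
    for name, rrtype, outcome in triage(SAMPLE_LOG):
        print(f"{name} {rrtype}: {outcome}")
```
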