Maintained by: NLnet Labs

[Unbound-users] [Q] HINFO in signed zone results SERVFAIL, but NOERROR with BIND

W.C.A. Wijngaards
Tue Jan 6 13:05:01 CET 2009


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Koh-ichi,

This is an interpretation problem in RFC4034 6.2(3).

A workaround is to give your HINFO in lowercase:
	HINFO "vmware" "freebsd"

Unbound lowercases all text in the rdata of HINFO records before
verification.  Because that is what I believe RFC4034 6.2(3) means.

Other software (ldns, bind) does not lowercase HINFO rdata, it seems.
It would be prudent to find a common interpretation.  Something for
dnsext, already posted there.

Of course putting up a lowercase HINFO entry is against RFC1010, which
mandates all uppercase, and only - and /.  Also the first word is the
CPU and second OS. Thus,
	HINFO "INTEL-CORE-I7-920" "FREEBSD-7-0"
This would be appropriate use according to RFC1034/1035.

However the strings do not appear in the allowed list in
http://www.iana.org/assignments/machine-names
http://www.iana.org/assignments/operating-system-names
so, 	HINFO "INTEL-386" "FREEBSD"

however, due to the interpretation problems in RFC4034 you are not
guaranteed DNSSEC verification unless you put this in lowercase,
	HINFO "intel-386" "freebsd"

Best regards,
   Wouter

Koh-ichi Ito wrote:
> Hello,
> 
> I experience the following problem with unbound-1.1.1.
> A bug? or I hope somebody to kindly point out my fault.
> 
> What I did is the following.
> - Sign a zone data of "example.jp", which contains an HINFO
>   RR, with dnssec-signzone in BIND-9.4.2, key is generated
>   by dnssec-keygen in BIND-9.4.2, too.
> - Serve the zone by NSD 3.2.0.
> 
> The result is the following.
> - Look up the HINFO RR via named(recursive only) results
>   NOERROR
> - Look up via unbound 1.1.1 results SERVFAIL. unbound says
>   "message contains bad rrsets" at the time.
> - Look up the A RR of same owner via unbound results
>   NOERROR.
> 
> # example.jp before signing:
> $TTL 1m
> @	IN	SOA	ns.example.jp. hostmaster.example.jp. (
> 			0	; overridden by dnssec-signzone
> 			15m
> 			10m
> 			4w
> 			15m)
> $INCLUDE ksk.key
> $INCLUDE zsk.key
> 	NS	ns.example.jp.
> ns	A	10.2.0.18
> foo	A	10.20.30.40
> 	HINFO	VMware FreeBSD
> --------------------------------------------------
> 
> # signed zone data around "foo.example.jp":
> foo.example.jp.		60	IN A	10.20.30.40
> 			60	RRSIG	A 5 3 60 20090220070924 (
> 					20090106070924 13872 example.jp.
> 					XVEbPz8vAVUg5xIAEJ9qPgI0iziEinvGpmB9
> 					QbMSK8SNWCIkoTIpu/VNr6pk7bztEXPCLWWF
> 					GWEIdi2lN+8Scoeq3BaqAZTu+3NlLVR4XLfA
> 					v/2cz7GCmFExsEuRhlCQ )
> 			60	HINFO	"VMware" "FreeBSD"
> 			60	RRSIG	HINFO 5 3 60 20090220070924 (
> 					20090106070924 13872 example.jp.
> 					YUhRwiZF8O8pU/yFZAeGRwiydFNIsLgHrVLd
> 					o1jphx4elWCHGmW+BWh3yZTM6iz3vNTDsksp
> 					1qTuHHVpPsBCRO5u3sb1Q2u7ahxT4wq1vy8I
> 					U1s8GYlyyx6NWEDRSi11 )
> 			900	NSEC	ns.example.jp. A HINFO RRSIG NSEC
> 			900	RRSIG	NSEC 5 3 900 20090220070924 (
> 					20090106070924 13872 example.jp.
> 					UDV79onp1LJjPW2qOeh8CJnDwxdnBDr5TAqx
> 					20YePlbVgUQDAK6himevg605SxfNULrnGH3i
> 					3eEaG8B//5zh7YOEdNNDDsNS3qMzRLAK9FcV
> 					QzPh0O0wvux8BqWNYR98 )
> --------------------------------------------------
> # output of dig via unbound:
> 
> Script started on Tue Jan  6 17:20:12 2009
> kohi at vm1[1]% dig +dnssec @127.0.0.1 foo.example.jp HINFO
> 
> ; <<>> DiG 9.4.2 <<>> +dnssec @127.0.0.1 foo.example.jp HINFO
> ; (1 server found)
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 44138
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;foo.example.jp.			IN	HINFO
> 
> ;; Query time: 4 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Tue Jan  6 17:20:26 2009
> ;; MSG SIZE  rcvd: 43
> 
> kohi at vm1[2]% dig +dnssec @127.0.0.1 foo.example.jp A
> 
> ; <<>> DiG 9.4.2 <<>> +dnssec @127.0.0.1 foo.example.jp A
> ; (1 server found)
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3293
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;foo.example.jp.			IN	A
> 
> ;; ANSWER SECTION:
> foo.example.jp.		60	IN	A	10.20.30.40
> foo.example.jp.		60	IN	RRSIG	A 5 3 60 20090220070924 20090106070924 13872 example.jp. XVEbPz8vAVUg5xIAEJ9qPgI0iziEinvGpmB9QbMSK8SNWCIkoTIpu/VN r6pk7bztEXPCLWWFGWEIdi2lN+8Scoeq3BaqAZTu+3NlLVR4XLfAv/2c z7GCmFExsEuRhlCQ
> 
> ;; AUTHORITY SECTION:
> example.jp.		60	IN	NS	ns.example.jp.
> example.jp.		60	IN	RRSIG	NS 5 2 60 20090220070924 20090106070924 13872 example.jp. cci1b3UmL83L6Hwww+Iyxrp8x7d99WILt06c7i408zYTnPXZuc1TW/G3 H474aPsIBvzSnvhPqd8i4DgoNFGfEWPuSDA3WfIHIUAu5olHiirbihVt HO8bJZmSO8ZI3xGH
> 
> ;; ADDITIONAL SECTION:
> ns.example.jp.		60	IN	A	10.2.0.18
> ns.example.jp.		60	IN	RRSIG	A 5 3 60 20090220070924 20090106070924 13872 example.jp. Czz86H3IEVaBSn3MtoBuJPLIh4+9wFXY7lWIgzJPQ6bBOTzLEVAu2YQb Xz03WVXrn16M96/EYx1IeKPo7yhRK75JBZiQCqee+6EDbFd5j9W52lTW HULpVxuuykPfysv3
> 
> ;; Query time: 2 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Tue Jan  6 17:20:37 2009
> ;; MSG SIZE  rcvd: 506
> 
> kohi at vm1[3]% exit
> 
> Script done on Tue Jan  6 17:20:39 2009
> --------------------------------------------------
> 
> # output of dig via named:
> 
> Script started on Tue Jan  6 17:19:00 2009
> kohi at vm1[1]% dig +dnssec @127.0.0.1 foo.example.jp HINFO
> 
> ; <<>> DiG 9.4.2 <<>> +dnssec @127.0.0.1 foo.example.jp HINFO
> ; (1 server found)
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57200
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;foo.example.jp.			IN	HINFO
> 
> ;; ANSWER SECTION:
> foo.example.jp.		60	IN	HINFO	"VMware" "FreeBSD"
> foo.example.jp.		60	IN	RRSIG	HINFO 5 3 60 20090220070924 20090106070924 13872 example.jp. YUhRwiZF8O8pU/yFZAeGRwiydFNIsLgHrVLdo1jphx4elWCHGmW+BWh3 yZTM6iz3vNTDsksp1qTuHHVpPsBCRO5u3sb1Q2u7ahxT4wq1vy8IU1s8 GYlyyx6NWEDRSi11
> 
> ;; AUTHORITY SECTION:
> example.jp.		60	IN	NS	ns.example.jp.
> example.jp.		60	IN	RRSIG	NS 5 2 60 20090220070924 20090106070924 13872 example.jp. cci1b3UmL83L6Hwww+Iyxrp8x7d99WILt06c7i408zYTnPXZuc1TW/G3 H474aPsIBvzSnvhPqd8i4DgoNFGfEWPuSDA3WfIHIUAu5olHiirbihVt HO8bJZmSO8ZI3xGH
> 
> ;; Query time: 6 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Tue Jan  6 17:19:18 2009
> ;; MSG SIZE  rcvd: 363
> 
> kohi at vm1[2]% exit
> 
> Script done on Tue Jan  6 17:19:20 2009
> --------------------------------------------------
> 
> # output of unbound:
> 
> Script started on Tue Jan  6 17:19:43 2009
> kohi at vm1[1]% /usr/bin/su
> Password:
> vm1# /proj/unbound-1.1.1/sbin/unbound -d -v
> [1231229999] unbound[28416:0] notice: Start of unbound 1.1.1.
> [1231229999] unbound[28416:0] notice: init module 0: validator
> [1231229999] unbound[28416:0] notice: init module 1: iterator
> [1231229999] unbound[28416:0] notice: openssl has no entropy, seeding with time and pid
> [1231229999] unbound[28416:0] info: start of service (unbound 1.1.1).
> [1231230026] unbound[28416:0] info: resolving <foo.example.jp. HINFO IN>
> [1231230026] unbound[28416:0] info: priming . IN NS
> [1231230026] unbound[28416:0] info: response for <. NS IN>
> [1231230026] unbound[28416:0] info: reply from <.> 10.2.0.18#53
> [1231230026] unbound[28416:0] info: query response was ANSWER
> [1231230026] unbound[28416:0] info: priming successful for <. NS IN>
> [1231230026] unbound[28416:0] info: response for <foo.example.jp. HINFO IN>
> [1231230026] unbound[28416:0] info: reply from <.> 10.2.0.18#53
> [1231230026] unbound[28416:0] info: query response was ANSWER
> [1231230026] unbound[28416:0] info: prime trust anchor
> [1231230026] unbound[28416:0] info: resolving <example.jp. DNSKEY IN>
> [1231230026] unbound[28416:0] info: response for <example.jp. DNSKEY IN>
> [1231230026] unbound[28416:0] info: reply from <example.jp.> 10.2.0.18#53
> [1231230026] unbound[28416:0] info: query response was ANSWER
> [1231230026] unbound[28416:0] info: validate keys with anchor(DNSKEY): sec_status_secure
> [1231230026] unbound[28416:0] info: Successfully primed trust anchor <example.jp. DNSKEY IN>
> [1231230026] unbound[28416:0] info: Validate: message contains bad rrsets
> [1231230037] unbound[28416:0] info: resolving <foo.example.jp. A IN>
> [1231230037] unbound[28416:0] info: response for <foo.example.jp. A IN>
> [1231230037] unbound[28416:0] info: reply from <example.jp.> 10.2.0.18#53
> [1231230037] unbound[28416:0] info: query response was ANSWER
> [1231230037] unbound[28416:0] info: validate(positive): sec_status_secure
> [1231230037] unbound[28416:0] info: validation success <foo.example.jp. A IN>
> ^C[1231230041] unbound[28416:0] info: service stopped (unbound 1.1.1).
> [1231230041] unbound[28416:0] info: server stats for thread 0: 2 queries, 0 answers from cache, 2 recursions
> [1231230041] unbound[28416:0] info: server stats for thread 0: requestlist max 0 avg 0 exceeded 0
> [1231230041] unbound[28416:0] info: mesh has 0 recursion states (0 with reply, 0 detached), 0 waiting replies, 2 recursion replies sent, 0 replies dropped, 0 states jostled out
> [1231230041] unbound[28416:0] info: average recursion processing time 0.001426 sec
> [1231230041] unbound[28416:0] info: histogram of recursion processing times
> [1231230041] unbound[28416:0] info: [25%]=0 median[50%]=0 [75%]=0
> [1231230041] unbound[28416:0] info: lower(secs) upper(secs) recursions
> [1231230041] unbound[28416:0] info:    0.000512    0.001024 1
> [1231230041] unbound[28416:0] info:    0.002048    0.004096 1
> vm1# exit
> exit
> kohi at vm1[2]% exit
> 
> Script done on Tue Jan  6 17:20:45 2009
> --------------------------------------------------
> 
> # unbound.conf:
> 
> server:
> 	do-ip6: no
> 	chroot: /proj/unbound
> 	root-hints: fake-root
> 	username: bind
> 	logfile: ""
> 	pidfile: /var/run/unbound.pid
> #	trust-anchor-file: trust-anchor/dsset-example.jp.
> #	trust-anchor-file: trust-anchor/keyset-example.jp.
> 	trusted-keys-file: trusted-keys/example.jp
> 
> remote-control:
> 	control-enable: yes
> --------------------------------------------------
> 
> 
> If any other information is required, please let me known.
> 
> Don't ask the reason why I wish to use HINFO today :-p
> 
> Thanks in advance.
> 
> 					Koh-ichi Ito
> 				Internet Research Institute, Inc.
> _______________________________________________
> Unbound-users mailing list
> Unbound-users at unbound.net
> http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkljSOwACgkQkDLqNwOhpPhBTgCZAQK3GYejx9fbQrFJtxFpheUZ
riAAnjMswKq0CxcBOXaUqh3gNPkF0/rH
=SiKb
-----END PGP SIGNATURE-----