Hi Koh-ichi,

This is an interpretation problem in RFC4034 6.2(3). A workaround is to give your HINFO in lowercase:

    HINFO "vmware" "freebsd"

Unbound lowercases all text in the rdata of HINFO records before verification, because that is what I believe RFC4034 6.2(3) means. Other software (ldns, bind) does not lowercase HINFO rdata, it seems. It would be prudent to find a common interpretation. Something for dnsext, already posted there.

Of course putting up a lowercase HINFO entry is against RFC1010, which mandates all uppercase, and only - and /. Also the first word is the CPU and the second the OS. Thus,

    HINFO "INTEL-CORE-I7-920" "FREEBSD-7-0"

This would be appropriate use according to RFC1034/1035. However, the strings do not appear in the allowed lists in
http://www.iana.org/assignments/machine-names
http://www.iana.org/assignments/operating-system-names
so,

    HINFO "INTEL-386" "FREEBSD"

However, due to the interpretation problems in RFC4034 you are not guaranteed DNSSEC verification unless you put this in lowercase:

    HINFO "intel-386" "freebsd"

Best regards,
Wouter

Koh-ichi Ito wrote:
> Hello,
>
> I experience the following problem with unbound-1.1.1.
> A bug? Or I hope somebody will kindly point out my fault.
>
> What I did is the following.
> - Signed the zone data of "example.jp", which contains an HINFO
>   RR, with dnssec-signzone from BIND-9.4.2; the key was generated
>   by dnssec-keygen from BIND-9.4.2, too.
> - Served the zone with NSD 3.2.0.
>
> The result is the following.
> - Looking up the HINFO RR via named (recursive only) results in
>   NOERROR.
> - Looking up via unbound 1.1.1 results in SERVFAIL. unbound says
>   "message contains bad rrsets" at the time.
> - Looking up the A RR of the same owner via unbound results in
>   NOERROR.
>
> # example.jp before signing:
> $TTL 1m
> @       IN SOA ns.example.jp. hostmaster.example.jp. (
>                 0       ; overridden by dnssec-signzone
>                 15m
>                 10m
>                 4w
>                 15m )
> $INCLUDE ksk.key
> $INCLUDE zsk.key
>         NS      ns.example.jp.
> ns      A       10.2.0.18
> foo     A       10.20.30.40
>         HINFO   VMware FreeBSD
> --------------------------------------------------
>
> # signed zone data around "foo.example.jp":
> foo.example.jp.         60      IN A    10.20.30.40
>                         60      RRSIG   A 5 3 60 20090220070924 (
>                                         20090106070924 13872 example.jp.
>                                         XVEbPz8vAVUg5xIAEJ9qPgI0iziEinvGpmB9
>                                         QbMSK8SNWCIkoTIpu/VNr6pk7bztEXPCLWWF
>                                         GWEIdi2lN+8Scoeq3BaqAZTu+3NlLVR4XLfA
>                                         v/2cz7GCmFExsEuRhlCQ )
>                         60      HINFO   "VMware" "FreeBSD"
>                         60      RRSIG   HINFO 5 3 60 20090220070924 (
>                                         20090106070924 13872 example.jp.
>                                         YUhRwiZF8O8pU/yFZAeGRwiydFNIsLgHrVLd
>                                         o1jphx4elWCHGmW+BWh3yZTM6iz3vNTDsksp
>                                         1qTuHHVpPsBCRO5u3sb1Q2u7ahxT4wq1vy8I
>                                         U1s8GYlyyx6NWEDRSi11 )
>                         900     NSEC    ns.example.jp. A HINFO RRSIG NSEC
>                         900     RRSIG   NSEC 5 3 900 20090220070924 (
>                                         20090106070924 13872 example.jp.
>                                         UDV79onp1LJjPW2qOeh8CJnDwxdnBDr5TAqx
>                                         20YePlbVgUQDAK6himevg605SxfNULrnGH3i
>                                         3eEaG8B//5zh7YOEdNNDDsNS3qMzRLAK9FcV
>                                         QzPh0O0wvux8BqWNYR98 )
> --------------------------------------------------
>
> # output of dig via unbound:
>
> Script started on Tue Jan  6 17:20:12 2009
> kohi at vm1[1]% dig +dnssec @127.0.0.1 foo.example.jp HINFO
>
> ; <<>> DiG 9.4.2 <<>> +dnssec @127.0.0.1 foo.example.jp HINFO
> ; (1 server found)
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 44138
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;foo.example.jp.                IN      HINFO
>
> ;; Query time: 4 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Tue Jan  6 17:20:26 2009
> ;; MSG SIZE  rcvd: 43
>
> kohi at vm1[2]% dig +dnssec @127.0.0.1 foo.example.jp A
>
> ; <<>> DiG 9.4.2 <<>> +dnssec @127.0.0.1 foo.example.jp A
> ; (1 server found)
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3293
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;foo.example.jp.                IN      A
>
> ;; ANSWER SECTION:
> foo.example.jp.         60      IN      A       10.20.30.40
> foo.example.jp.         60      IN      RRSIG   A 5 3 60 20090220070924 20090106070924 13872 example.jp. XVEbPz8vAVUg5xIAEJ9qPgI0iziEinvGpmB9QbMSK8SNWCIkoTIpu/VN r6pk7bztEXPCLWWFGWEIdi2lN+8Scoeq3BaqAZTu+3NlLVR4XLfAv/2c z7GCmFExsEuRhlCQ
>
> ;; AUTHORITY SECTION:
> example.jp.             60      IN      NS      ns.example.jp.
> example.jp.             60      IN      RRSIG   NS 5 2 60 20090220070924 20090106070924 13872 example.jp. cci1b3UmL83L6Hwww+Iyxrp8x7d99WILt06c7i408zYTnPXZuc1TW/G3 H474aPsIBvzSnvhPqd8i4DgoNFGfEWPuSDA3WfIHIUAu5olHiirbihVt HO8bJZmSO8ZI3xGH
>
> ;; ADDITIONAL SECTION:
> ns.example.jp.          60      IN      A       10.2.0.18
> ns.example.jp.          60      IN      RRSIG   A 5 3 60 20090220070924 20090106070924 13872 example.jp. Czz86H3IEVaBSn3MtoBuJPLIh4+9wFXY7lWIgzJPQ6bBOTzLEVAu2YQb Xz03WVXrn16M96/EYx1IeKPo7yhRK75JBZiQCqee+6EDbFd5j9W52lTW HULpVxuuykPfysv3
>
> ;; Query time: 2 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Tue Jan  6 17:20:37 2009
> ;; MSG SIZE  rcvd: 506
>
> kohi at vm1[3]% exit
>
> Script done on Tue Jan  6 17:20:39 2009
> --------------------------------------------------
>
> # output of dig via named:
>
> Script started on Tue Jan  6 17:19:00 2009
> kohi at vm1[1]% dig +dnssec @127.0.0.1 foo.example.jp HINFO
>
> ; <<>> DiG 9.4.2 <<>> +dnssec @127.0.0.1 foo.example.jp HINFO
> ; (1 server found)
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57200
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;foo.example.jp.                IN      HINFO
>
> ;; ANSWER SECTION:
> foo.example.jp.         60      IN      HINFO   "VMware" "FreeBSD"
> foo.example.jp.         60      IN      RRSIG   HINFO 5 3 60 20090220070924 20090106070924 13872 example.jp. YUhRwiZF8O8pU/yFZAeGRwiydFNIsLgHrVLdo1jphx4elWCHGmW+BWh3 yZTM6iz3vNTDsksp1qTuHHVpPsBCRO5u3sb1Q2u7ahxT4wq1vy8IU1s8 GYlyyx6NWEDRSi11
>
> ;; AUTHORITY SECTION:
> example.jp.             60      IN      NS      ns.example.jp.
> example.jp.             60      IN      RRSIG   NS 5 2 60 20090220070924 20090106070924 13872 example.jp. cci1b3UmL83L6Hwww+Iyxrp8x7d99WILt06c7i408zYTnPXZuc1TW/G3 H474aPsIBvzSnvhPqd8i4DgoNFGfEWPuSDA3WfIHIUAu5olHiirbihVt HO8bJZmSO8ZI3xGH
>
> ;; Query time: 6 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Tue Jan  6 17:19:18 2009
> ;; MSG SIZE  rcvd: 363
>
> kohi at vm1[2]% exit
>
> Script done on Tue Jan  6 17:19:20 2009
> --------------------------------------------------
>
> # output of unbound:
>
> Script started on Tue Jan  6 17:19:43 2009
> kohi at vm1[1]% /usr/bin/su
> Password:
> vm1# /proj/unbound-1.1.1/sbin/unbound -d -v
> [1231229999] unbound[28416:0] notice: Start of unbound 1.1.1.
> [1231229999] unbound[28416:0] notice: init module 0: validator
> [1231229999] unbound[28416:0] notice: init module 1: iterator
> [1231229999] unbound[28416:0] notice: openssl has no entropy, seeding with time and pid
> [1231229999] unbound[28416:0] info: start of service (unbound 1.1.1).
> [1231230026] unbound[28416:0] info: resolving <foo.example.jp. HINFO IN>
> [1231230026] unbound[28416:0] info: priming . IN NS
> [1231230026] unbound[28416:0] info: response for <. NS IN>
> [1231230026] unbound[28416:0] info: reply from <.> 10.2.0.18#53
> [1231230026] unbound[28416:0] info: query response was ANSWER
> [1231230026] unbound[28416:0] info: priming successful for <. NS IN>
> [1231230026] unbound[28416:0] info: response for <foo.example.jp. HINFO IN>
> [1231230026] unbound[28416:0] info: reply from <.> 10.2.0.18#53
> [1231230026] unbound[28416:0] info: query response was ANSWER
> [1231230026] unbound[28416:0] info: prime trust anchor
> [1231230026] unbound[28416:0] info: resolving <example.jp. DNSKEY IN>
> [1231230026] unbound[28416:0] info: response for <example.jp. DNSKEY IN>
> [1231230026] unbound[28416:0] info: reply from <example.jp.> 10.2.0.18#53
> [1231230026] unbound[28416:0] info: query response was ANSWER
> [1231230026] unbound[28416:0] info: validate keys with anchor(DNSKEY): sec_status_secure
> [1231230026] unbound[28416:0] info: Successfully primed trust anchor <example.jp. DNSKEY IN>
> [1231230026] unbound[28416:0] info: Validate: message contains bad rrsets
> [1231230037] unbound[28416:0] info: resolving <foo.example.jp. A IN>
> [1231230037] unbound[28416:0] info: response for <foo.example.jp. A IN>
> [1231230037] unbound[28416:0] info: reply from <example.jp.> 10.2.0.18#53
> [1231230037] unbound[28416:0] info: query response was ANSWER
> [1231230037] unbound[28416:0] info: validate(positive): sec_status_secure
> [1231230037] unbound[28416:0] info: validation success <foo.example.jp. A IN>
> ^C[1231230041] unbound[28416:0] info: service stopped (unbound 1.1.1).
> [1231230041] unbound[28416:0] info: server stats for thread 0: 2 queries, 0 answers from cache, 2 recursions
> [1231230041] unbound[28416:0] info: server stats for thread 0: requestlist max 0 avg 0 exceeded 0
> [1231230041] unbound[28416:0] info: mesh has 0 recursion states (0 with reply, 0 detached), 0 waiting replies, 2 recursion replies sent, 0 replies dropped, 0 states jostled out
> [1231230041] unbound[28416:0] info: average recursion processing time 0.001426 sec
> [1231230041] unbound[28416:0] info: histogram of recursion processing times
> [1231230041] unbound[28416:0] info: [25%]=0 median[50%]=0 [75%]=0
> [1231230041] unbound[28416:0] info: lower(secs) upper(secs) recursions
> [1231230041] unbound[28416:0] info:    0.000512    0.001024 1
> [1231230041] unbound[28416:0] info:    0.002048    0.004096 1
> vm1# exit
> exit
> kohi at vm1[2]% exit
>
> Script done on Tue Jan  6 17:20:45 2009
> --------------------------------------------------
>
> # unbound.conf:
>
> server:
>         do-ip6: no
>         chroot: /proj/unbound
>         root-hints: fake-root
>         username: bind
>         logfile: ""
>         pidfile: /var/run/unbound.pid
>         # trust-anchor-file: trust-anchor/dsset-example.jp.
>         # trust-anchor-file: trust-anchor/keyset-example.jp.
>         trusted-keys-file: trusted-keys/example.jp
>
> remote-control:
>         control-enable: yes
> --------------------------------------------------
>
>
> If any other information is required, please let me know.
>
> Don't ask the reason why I wish to use HINFO today :-p
>
> Thanks in advance.
>
> Koh-ichi Ito
> Internet Research Institute, Inc.
> _______________________________________________
> Unbound-users mailing list
> Unbound-users at unbound.net
> http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
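The following is an added example illustrating the interpretation problem Wouter describes; it is not code from the thread, from Unbound, ldns or BIND. It re-implements the signed-data construction of RFC 4034 section 3.1.8.1 (RRSIG_RDATA with the signature field omitted, followed by each RR of the RRset in canonical form) for the single-record HINFO RRset Koh-ichi posted, using the parameters visible in his signed zone: owner foo.example.jp., TTL 60, algorithm 5, 3 labels, key tag 13872, signer example.jp., and the expiration/inception timestamps from the RRSIG. The zone's DNSKEY is not on the page, so no signature is actually verified; what the code shows is that the two readings of RFC 4034 section 6.2 item 3 (lowercase every letter in the HINFO RDATA, as the thread says Unbound does, versus lowercase only DNS names, of which the two <character-string>s of an HINFO carry none) feed the verifier different byte strings for "VMware" "FreeBSD", and identical byte strings once the HINFO is written in lowercase. Any validator that signs under one reading and verifies under the other will report a bad signature exactly as in the SERVFAIL above.

```python
"""RFC 4034 canonical form of an HINFO RRset under two readings of
section 6.2 item 3.  Added example, not Unbound/ldns/BIND code."""
import calendar
import hashlib
import struct
import time

TYPE_HINFO = 13
CLASS_IN = 1


def name_to_canonical_wire(name: str) -> bytes:
    """Uncompressed wire-format name, every label lowercased (RFC 4034 6.2 items 1-2)."""
    stripped = name.rstrip(".")
    labels = stripped.split(".") if stripped else []
    return b"".join(bytes([len(l)]) + l.lower().encode("ascii") for l in labels) + b"\x00"


def hinfo_rdata(cpu: str, os_name: str) -> bytes:
    """HINFO RDATA: two <character-string>s, each a length octet plus text (RFC 1035 3.3.2)."""
    out = b""
    for s in (cpu, os_name):
        data = s.encode("ascii")
        if len(data) > 255:
            raise ValueError("character-string longer than 255 octets")
        out += bytes([len(data)]) + data
    return out


def canonical_hinfo_rdata(rdata: bytes, lowercase_strings: bool) -> bytes:
    """Canonical HINFO RDATA.

    lowercase_strings=True : every US-ASCII letter in the RDATA is lowercased
                             (the reading the thread attributes to Unbound).
    lowercase_strings=False: only DNS names are lowercased; HINFO has none,
                             so the RDATA is returned untouched (ldns/BIND reading).
    """
    if not lowercase_strings:
        return rdata
    out, pos = b"", 0
    while pos < len(rdata):
        n = rdata[pos]
        chunk = rdata[pos + 1:pos + 1 + n]
        if len(chunk) != n:
            raise ValueError("truncated character-string in HINFO RDATA")
        out += bytes([n]) + chunk.lower()  # bytes.lower() maps A-Z only, as RFC 4034 requires
        pos += 1 + n
    return out


def canonical_rr(owner: str, ttl: int, rdata: bytes) -> bytes:
    """RR(i) of RFC 4034 3.1.8.1: owner | type | class | original TTL | RDLENGTH | RDATA."""
    return (name_to_canonical_wire(owner)
            + struct.pack("!HHIH", TYPE_HINFO, CLASS_IN, ttl, len(rdata))
            + rdata)


def rrsig_rdata_prefix(labels: int, orig_ttl: int, expiration: str, inception: str,
                       keytag: int, signer: str, algorithm: int = 5) -> bytes:
    """RRSIG RDATA without the Signature field; times are YYYYMMDDHHmmSS in UTC."""
    def ts(s: str) -> int:
        return calendar.timegm(time.strptime(s, "%Y%m%d%H%M%S"))
    return (struct.pack("!HBBIIIH", TYPE_HINFO, algorithm, labels, orig_ttl,
                        ts(expiration), ts(inception), keytag)
            + name_to_canonical_wire(signer))


def signed_data(cpu: str, os_name: str, lowercase_strings: bool) -> bytes:
    """Bytes the RRSIG is computed over (RRSIG_RDATA | RR(1)) for the thread's HINFO RRset."""
    prefix = rrsig_rdata_prefix(labels=3, orig_ttl=60,
                                expiration="20090220070924", inception="20090106070924",
                                keytag=13872, signer="example.jp.")
    rdata = canonical_hinfo_rdata(hinfo_rdata(cpu, os_name), lowercase_strings)
    return prefix + canonical_rr("foo.example.jp.", 60, rdata)


def readings_agree(cpu: str, os_name: str) -> bool:
    """True when both readings hand the verifier identical bytes, i.e. the record
    validates regardless of which interpretation signer and validator picked."""
    return signed_data(cpu, os_name, True) == signed_data(cpu, os_name, False)


def sha1_hex(cpu: str, os_name: str, lowercase_strings: bool) -> str:
    """SHA-1 of the signed data (the hash step of RSASHA1, algorithm 5); the RSA
    step would need the zone's key, which is not available here."""
    return hashlib.sha1(signed_data(cpu, os_name, lowercase_strings)).hexdigest()


if __name__ == "__main__":
    for cpu, os_name in (("VMware", "FreeBSD"), ("INTEL-386", "FREEBSD"), ("intel-386", "freebsd")):
        verdict = "same bytes under both readings" if readings_agree(cpu, os_name) else "DIFFERS"
        print(f'HINFO "{cpu}" "{os_name}": {verdict}')
        print("  lowercase-all  SHA-1:", sha1_hex(cpu, os_name, True))
        print("  names-only     SHA-1:", sha1_hex(cpu, os_name, False))
```

Running it prints a differing SHA-1 pair for "VMware" "FreeBSD" and for "INTEL-386" "FREEBSD", and an identical pair for "intel-386" "freebsd", which is why the lowercase form is the only one that validates under both readings until the interpretations converge.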