Maintained by: NLnet Labs

[Unbound-users] Forwarding failing when DNSSec is enabled

Harish Chandra
Wed Jul 1 17:00:52 CEST 2009


Hi,

Without DNSSEC, forwarding is working fine. With DNSSEC enabled (I am using DLV), forwarding fails when I forward my queries to a server that isn't DNSSEC enabled.

The output from the log looks like this:

[1246456813] unbound[7919:0] info: validator operate: query <dlv.isc.org.. DNSKEY IN>
[1246456813] unbound[7919:0] debug: validator: nextmodule returned
[1246456813] unbound[7919:0] debug: not validating response due to CD bit
[1246456813] unbound[7919:0] debug: mesh_run: validator module exit state is module_finished
[1246456813] unbound[7919:0] info: validator: inform_super, sub is <dlv.isc.org. DNSKEY IN>
[1246456813] unbound[7919:0] info: super is <mail.google.com.dlv.isc.org.. DLV IN>
[1246456813] unbound[7919:0] info: verify rrset <dlv.isc.org. DNSKEY IN>
[1246456813] unbound[7919:0] debug: rrset failed to verify due to a lack of signatures
[1246456813] unbound[7919:0] debug: verify result: sec_status_bogus
[1246456813] unbound[7919:0] info: validate keys with anchor(DNSKEY): sec_status_bogus
[1246456813] unbound[7919:0] info: failed to prime trust anchor -- could not fetch secure DNSKEY rrset <dlv.isc.org. DNSKEY IN>
[1246456813] unbound[7919:0] debug: validator[module 0] operate: extstate:module_wait_subquery event:module_event_pass
[1246456813] unbound[7919:0] info: validator operate: query <mail.google..com.dlv.isc.org. DLV IN>
[1246456813] unbound[7919:0] debug: val handle processing q with state VAL_VALIDATE_STATE
[1246456813] unbound[7919:0] info: processValidate: state has no signer name <mail.google.com.dlv.isc.org. DLV IN>
[1246456813] unbound[7919:0] info: Could not establish validation of INSECURE status of unsigned response.
[1246456813] unbound[7919:0] debug: val handle processing q with state VAL_FINISHED_STATE

The failure appears because of a signature mismatch. But why is validation taking place when the actual resolver can't talk DNSSEC? My config file looks like this:

server:
        verbosity: 5
        interface: 0.0.0.0
        port: 53
        do-ip4: yes
        do-ip6: yes
        do-udp: yes
        do-tcp: yes
        do-daemonize: yes
        access-control: 0.0.0.0/0 allow
        chroot: /etc/unbound
        username: ""
        directory: /etc/unbound/
        use-syslog: no
        pidfile: /var/run/unbound.pid
        root-hints: /etc/unbound/named.cache
        logfile: /etc/unbound/unbound.log
        dlv-anchor-file: dlv.isc.org.key

forward-zone:
        name: "."
        forward-addr: 68.87.68.170

Is this the expected behaviour, or am I missing something here? Why can't the resolution proceed when the forwarder (unbound) can talk DNSSEC and the actual resolver can't?


thanks,
Harish
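An added check, not part of the original thread, for the failure mode shown in the log above: a validating resolver sends its queries with the EDNS0 DO bit and expects RRSIG records back, so an upstream that does not speak DNSSEC and returns unsigned answers leaves the validator with "a lack of signatures" and a bogus verdict instead of a pass-through. The standard-library Python below builds such a DO-flagged query and inspects a reply for RRSIGs; the replies are constructed inline so it runs offline, and www.example.com, the dummy RRSIG rdata and the transaction id are placeholders.

```python
import struct

TYPE_A, TYPE_OPT, TYPE_RRSIG = 1, 41, 46

def encode_name(name):
    """Wire-encode a dotted name as uncompressed labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def build_do_query(qname, qtype=TYPE_A, txid=0x1234):
    """Query with RD set plus an EDNS0 OPT record carrying the DO bit, as a validator sends it."""
    header = struct.pack("!6H", txid, 0x0100, 1, 0, 0, 1)   # qd=1, ar=1 (the OPT RR)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    # OPT: root name, type 41, UDP size 4096, ext-rcode 0, version 0, flags DO=0x8000, rdlen 0
    opt = b"\x00" + struct.pack("!HHBBHH", TYPE_OPT, 4096, 0, 0, 0x8000, 0)
    return header + question + opt

def skip_name(msg, off):
    """Return the offset just past a wire name (plain labels or a compression pointer)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length

def response_has_rrsig(msg):
    """True if any RR in the answer/authority/additional sections is an RRSIG (type 46)."""
    _, _, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4              # skip QTYPE + QCLASS
    found = False
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        found = found or rtype == TYPE_RRSIG
    return found

def make_response(qname, with_rrsig):
    """Constructed sample reply: one A record, optionally followed by an RRSIG with dummy rdata."""
    rrs = [struct.pack("!HHIH", TYPE_A, 1, 300, 4) + bytes([192, 0, 2, 1])]
    if with_rrsig:
        sig = struct.pack("!HBBIIIH", TYPE_A, 8, 3, 300, 0, 0, 12345) + encode_name(qname) + b"\x00" * 16
        rrs.append(struct.pack("!HHIH", TYPE_RRSIG, 1, 300, len(sig)) + sig)
    body = b"".join(b"\xc0\x0c" + rr for rr in rrs)   # 0xC00C: pointer to the question name
    header = struct.pack("!6H", 0x1234, 0x8180, 1, len(rrs), 0, 0)   # QR, RD, RA, NOERROR
    return header + encode_name(qname) + struct.pack("!HH", TYPE_A, 1) + body
```

Against a live forwarder, send build_do_query() over UDP port 53 and hand the reply to response_has_rrsig(); a False for a name known to be signed means the forwarder strips DNSSEC data, which is exactly the situation a validator behind it cannot work around.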