Maintained by: NLnet Labs

[Unbound-users] wpbeginner.com

W.C.A. Wijngaards
Mon Jul 20 14:05:17 CEST 2009


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Sven,

Because it is misconfigured and unbounds security policy.

If you ask .com servers for wpbeginner.com
it gives a delegation to:
wpbeginner.com. 172800  IN      NS      ns1.uzzz.net.
wpbeginner.com. 172800  IN      NS      ns2.uzzz.net.
ns1.uzzz.net.	172800	IN	A	74.52.155.18
ns2.uzzz.net.	172800	IN	A	74.52.155.19

Unbound however, does not believe the ns1.uzzz.net addresses
from here because of security policy.  (Otherwise cache
poisoning is going to happen).  It decides to check up
on things.

It asks for ns1.uzzz.net to the .net servers that give
this delegation:
uzzz.net.	172800	IN	NS	ns1.uzzz.net.
uzzz.net.	172800	IN	NS	ns2.uzzz.net.
ns1.uzzz.net.	172800	IN	A	74.52.155.18
ns2.uzzz.net.	172800	IN	A	74.52.155.19

This time, having asked the .net servers, unbound believes
the addresses, but the security policy is to check even further.
Unbound asks uzzz.net nameservers for ns1.uzzz.net.

As you can see in the dig sample below, it gets a reply
with a different address for ns1.uzzz.net.

$ dig @74.52.155.18 ns1.uzzz.net.
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28863
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1
;; QUESTION SECTION:
;ns1.uzzz.net.			IN	A
;; ANSWER SECTION:
ns1.uzzz.net.		14400	IN	A	72.249.16.25
;; AUTHORITY SECTION:
uzzz.net.		86400	IN	NS ns712.websitewelcome.com.
uzzz.net.		86400	IN	NS ns711.websitewelcome.com.
;; ADDITIONAL SECTION:
ns712.websitewelcome.com. 130930 IN	A	74.52.155.19

So, it finds out that the real address of ns1.uzzz.net is 72.249.16.25!
Because the uzzz.net server says so and is authoritative for the data.

Unbound then asks 72.249.16.25 for wpbeginner.com.

$ dig @72.249.16.25 wpbeginner.com
;; connection timed out; no servers could be reached

The same story for ns2.uzzz.net, the server does not respond to queries.


So, I would like to be able to provide the correct answer to
users who want to connect to wpbeginner.com ; unbound
tries to fetch the most authoritative response for it, but that
address will not answer.

All that said, if you really want to resolve this, the
option   harden-glue: no   does that.  (And allows cache
poisoning!).

The best solution is to have wpbeginner.com publish correct
information to the verisign servers, and/or run a nameserver
on the address 72.249.16.25.

Thank you for reporting the non-working address.

Best regards,
   Wouter


On 07/20/2009 12:46 PM, Sven Juergensen wrote:
> Hi list,
> 
> any idea why wpbeginner.com can't be resolved
> using unbound 1.3.1?
> 
> Thanks for any input.
> 
> Best regards,
> 
>     Sven Juergensen
> 
> dig any wpbeginner.com @89.27.130.35
> 
> ; <<>> DiG 9.4.3-P1 <<>> any wpbeginner.com @89.27.130.35
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 20992
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
> 
> ;; QUESTION SECTION:
> ;wpbeginner.com.            IN    ANY
> 
> ;; Query time: 2877 msec
> ;; SERVER: 89.27.130.35#53(89.27.130.35)
> ;; WHEN: Mon Jul 20 12:42:47 2009
> ;; MSG SIZE  rcvd: 32
> 
> 
> Mit freundlichen Gruessen,
> 
>     i. A. Sven Juergensen
> 
_______________________________________________
Unbound-users mailing list
Unbound-users at unbound.net
http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAkpkXX0ACgkQkDLqNwOhpPiYdACgiFngk5bjZfF5Blh2HUx/Yp2o
Vi4AnAzhdnsvuWxXw53wzCexA66kxIMF
=nqNw
-----END PGP SIGNATURE-----