Maintained by: NLnet Labs

[Unbound-users] wpbeginner.com

Sven Juergensen
Mon Jul 20 14:37:32 CEST 2009


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Wouter,

many thanks for the insights of unbounds
inner workings. Lets see if the person res-
ponsible for the domain feels like fixing
things.

Best regards,

Mit freundlichen Gruessen,

	i. A. Sven Juergensen

- --
Fachbereich
Netze und Rechenzentren

KielNET GmbH
Gesellschaft fuer Kommunikation
Preusserstr. 1-9, 24105 Kiel

Telefon : 0431 2219-053
Mobil   : 0170 403 5600
Telefax : 0431 2219-005
E-Mail  : s.juergensen at kielnet.de
Internet: http://www.kielnet.de

Geschaeftsfuehrer Eberhard Schmidt
HRB 4499 (Amtsgericht Kiel)

PGP details at
http://pgp.kielnet.de/sjuergensen/

On Jul 20, 2009, at 2:05 PM, W.C.A. Wijngaards wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi Sven,
>
> Because it is misconfigured and unbounds security policy.
>
> If you ask .com servers for wpbeginner.com
> it gives a delegation to:
> wpbeginner.com. 172800  IN      NS      ns1.uzzz.net.
> wpbeginner.com. 172800  IN      NS      ns2.uzzz.net.
> ns1.uzzz.net.   172800  IN      A       74.52.155.18
> ns2.uzzz.net.   172800  IN      A       74.52.155.19
>
> Unbound however, does not believe the ns1.uzzz.net addresses
> from here because of security policy.  (Otherwise cache
> poisoning is going to happen).  It decides to check up
> on things.
>
> It asks for ns1.uzzz.net to the .net servers that give
> this delegation:
> uzzz.net.       172800  IN      NS      ns1.uzzz.net.
> uzzz.net.       172800  IN      NS      ns2.uzzz.net.
> ns1.uzzz.net.   172800  IN      A       74.52.155.18
> ns2.uzzz.net.   172800  IN      A       74.52.155.19
>
> This time, having asked the .net servers, unbound believes
> the addresses, but the security policy is to check even further.
> Unbound asks uzzz.net nameservers for ns1.uzzz.net.
>
> As you can see in the dig sample below, it gets a reply
> with a different address for ns1.uzzz.net.
>
> $ dig @74.52.155.18 ns1.uzzz.net.
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28863
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1
> ;; QUESTION SECTION:
> ;ns1.uzzz.net.                  IN      A
> ;; ANSWER SECTION:
> ns1.uzzz.net.           14400   IN      A       72.249.16.25
> ;; AUTHORITY SECTION:
> uzzz.net.               86400   IN      NS ns712.websitewelcome.com.
> uzzz.net.               86400   IN      NS ns711.websitewelcome.com.
> ;; ADDITIONAL SECTION:
> ns712.websitewelcome.com. 130930 IN     A       74.52.155.19
>
> So, it finds out that the real address of ns1.uzzz.net is  
> 72.249.16.25!
> Because the uzzz.net server says so and is authoritative for the data.
>
> Unbound then asks 72.249.16.25 for wpbeginner.com.
>
> $ dig @72.249.16.25 wpbeginner.com
> ;; connection timed out; no servers could be reached
>
> The same story for ns2.uzzz.net, the server does not respond to  
> queries.
>
>
> So, I would like to be able to provide the correct answer to
> users who want to connect to wpbeginner.com ; unbound
> tries to fetch the most authoritative response for it, but that
> address will not answer.
>
> All that said, if you really want to resolve this, the
> option   harden-glue: no   does that.  (And allows cache
> poisoning!).
>
> The best solution is to have wpbeginner.com publish correct
> information to the verisign servers, and/or run a nameserver
> on the address 72.249.16.25.
>
> Thank you for reporting the non-working address.
>
> Best regards,
>   Wouter
>
>
> On 07/20/2009 12:46 PM, Sven Juergensen wrote:
>> Hi list,
>>
>> any idea why wpbeginner.com can't be resolved
>> using unbound 1.3.1?
>>
>> Thanks for any input.
>>
>> Best regards,
>>
>>    Sven Juergensen
>>
>> dig any wpbeginner.com @89.27.130.35
>>
>> ; <<>> DiG 9.4.3-P1 <<>> any wpbeginner.com @89.27.130.35
>> ;; global options:  printcmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 20992
>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
>>
>> ;; QUESTION SECTION:
>> ;wpbeginner.com.            IN    ANY
>>
>> ;; Query time: 2877 msec
>> ;; SERVER: 89.27.130.35#53(89.27.130.35)
>> ;; WHEN: Mon Jul 20 12:42:47 2009
>> ;; MSG SIZE  rcvd: 32
>>
>>
>> Mit freundlichen Gruessen,
>>
>>    i. A. Sven Juergensen
>>
> _______________________________________________
> Unbound-users mailing list
> Unbound-users at unbound.net
> http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.9 (GNU/Linux)
> Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
>
> iEYEARECAAYFAkpkXX0ACgkQkDLqNwOhpPiYdACgiFngk5bjZfF5Blh2HUx/Yp2o
> Vi4AnAzhdnsvuWxXw53wzCexA66kxIMF
> =nqNw
> -----END PGP SIGNATURE-----

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.10 (Darwin)

iEYEARECAAYFAkpkZQ0ACgkQnEU7erAt4TJhrACg1pU2uh+bsk7BFxXsbFXpfjrg
KQYAn3Ph1VOMtXG/niA78XmeacaE/81b
=+4CB
-----END PGP SIGNATURE-----