Maintained by: NLnet Labs

[Unbound-users] unbound-host ignoring expired RRSIGs?

Wouter Wijngaards
Wed Jul 29 12:51:19 CEST 2009


Hi Paul,

Can you give me the unbound-host commandline you used?

Unbound host is supposed to print (bogus security failure) for
expired rrsigs.
It only does so when -v is passed, otherwise it'll print bogus
data as output though.  Is this a user interface issue?

Best regards,
   Wouter

Paul Wouters wrote:
> 
> Hi,
> 
> I just ran into an issue where I could not resolve dnsops.biz. After some
> investigation, it seems unbound was right. The RRSIG records expired 4
> days ago.
> 
> dnsops.biz.        3600    IN    RRSIG    DNSKEY 5 2 3600 20090725124034
> 20090625124034 43287 dnsops.biz.
> SPUrR6Wb2UMt6NQTf6g6dodYvg7Rn1AfZi1eSKZqV/PVwGnYQIC1OILI
> qLjejtL/A32bfgdaSvhS2MAsM9RK33zaAba5Rho+U0m2X4X0Ua6XqrK0
> A8Hmi9lL2WsE2lhymqjWgbUAnusmgPi727yXTj9Pm2GIlEkAu2/kyJh+
> w7xjs8BCL/LzZO/bfzgiK80olvneQC+ilycxwGKg8EUCq3s2Ec1D3gon
> 3JywyTkuWbSMLaMcbf6EXze8EaVeSvlVWYSALBjDOF4gkoegtcyL+zy8
> 15KR8czTQk14GkS7z1NrZCfwoMU3bbZXrVHvzY1EHwNDdnXD0ii6FMex pVN28A==
> 
> It took me a little while to figure this out, as "unbound-host" would
> happily return the record, without any indication of a problem, while
> the unbound daemon itself would only do so with the CD bit set.
> 
> It was even more confusing as our DNSX Resolver has the key for dnsops.biz
> loaded, and the answer unbound-host gave was "(insecure)". In fact,
> it should say it was "(expired)" or "(invalid)" or something. It is
> clearly not "just" insecure when the configuration has a DNSKEY loaded,
> which signature expired.
> 
> Anyway, it at least explains the error I was seeing for
> xelerance.dnsops.biz.
> 
> Paul
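An added example, not from the thread or from Unbound itself: a small Python check that parses the RRSIG quoted above and classifies it against a chosen instant the way a validator does (RFC 4035 section 5.3.1), which is exactly the "bogus" versus "insecure" distinction the thread turns on. The one-line join, the truncated signature field and the comparison timestamps are constructed for the example.

```python
from datetime import datetime, timezone

# The RRSIG from the thread re-joined onto one line (constructed); the base64
# signature is truncated because only the validity window is examined here.
RRSIG_LINE = (
    "dnsops.biz. 3600 IN RRSIG DNSKEY 5 2 3600 20090725124034 "
    "20090625124034 43287 dnsops.biz. SPUrR6Wb2UMt6NQTf6g6dodYvg7Rn1AfZi1eSKZqV/PVwGnYQIC1OILI"
)


def _ts(field: str) -> datetime:
    """RFC 4034 section 3.2: Expiration/Inception are YYYYMMDDHHmmSS in UTC."""
    return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsig(line: str) -> dict:
    """Split an RRSIG in presentation format into its RDATA fields."""
    f = line.split()
    if len(f) < 13 or f[3] != "RRSIG":
        raise ValueError("not an RRSIG record in presentation format")
    return {
        "owner": f[0], "ttl": int(f[1]), "type_covered": f[4],
        "algorithm": int(f[5]), "labels": int(f[6]), "orig_ttl": int(f[7]),
        "expiration": _ts(f[8]), "inception": _ts(f[9]),
        "key_tag": int(f[10]), "signer": f[11],
        "signature": "".join(f[12:]),  # base64 chunks joined back together
    }


def signature_status(rrsig: dict, at: datetime) -> str:
    """Classify the window at time `at`. Anything other than 'valid' makes the
    signature unusable, so a validator that has a trust anchor for the zone
    reports the data as bogus, never as insecure. Real validators compare the
    32-bit fields in serial arithmetic; datetime comparison is equivalent here."""
    if at < rrsig["inception"]:
        return "not yet valid"
    if at > rrsig["expiration"]:
        return "expired"
    return "valid"


def days_past_expiry(rrsig: dict, at: datetime) -> int:
    """Whole days since the signature expired (0 if it has not)."""
    return max(0, (at - rrsig["expiration"]).days)


if __name__ == "__main__":
    sig = parse_rrsig(RRSIG_LINE)
    # Constructed instant: the date of Wouter's reply in the thread.
    now = datetime(2009, 7, 29, 12, 51, 19, tzinfo=timezone.utc)
    print(f"{sig['owner']} RRSIG({sig['type_covered']}) by key {sig['key_tag']}: "
          f"{signature_status(sig, now)}, {days_past_expiry(sig, now)} days past expiry")
```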