Maintained by: NLnet Labs

[Unbound-users] SERVFAIL with *some* names in a DNSSEC+DLV signed zone

W.C.A. Wijngaards
Tue Jun 30 14:24:12 CEST 2009



Hi Stephane,

I think the problem is the recent NSEC+RRSIG parse bug I fixed.  In the
ANY queries that is present and can lead to the problem, the bug is
triggered based on ordering in the packet, and this causes the
randomness for you.

So, it is fixed in subversion trunk and perhaps I should consider making
a bugfix release :-)

Best regards,
   Wouter

On 06/30/2009 02:14 PM, Stephane Bortzmeyer wrote:
> The zone absolight.net (signed and published in ISC DLV) puzzles
> me. Some requests SERVFAIL but not others:
> 
> % dig ANY ns1.absolight.net. 
> ...
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 33316
> 
> % dig ANY ns2.absolight.net.  
> ...
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19901
> ...
> ns2.absolight.net.      86245   IN      A       80.245.57.153
> 
> % dig A ns1.absolight.net.   
> ...
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13932
> ...
> ns1.absolight.net.      86400   IN      A       79.143.240.129
> 
> The problem is DNSSEC-related since, if I add +cd, it works:
> 
> % dig +cd ANY ns1.absolight.net.   
> ...
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59487
> ...
> ns1.absolight.net.      3420    IN      RRSIG   NSEC 5 3 3600 20090714212355 20090614212355 11595 absolight.net. 34zDPJjCt/H072EJd/54dydJV1xyXVMUHvyrfzrrqEBH/EX3JsqEk46Q embiOCOBUt1Rg/17LAJ96lYte556B2jjSOGH2jBkAki8X9feJNj4HIHP ULPCHsYYyw74ZFCK
> ns1.absolight.net.      3420    IN      NSEC    ns1-6.absolight.net. A AAAA RRSIG NSEC
> ns1.absolight.net.      86187   IN      AAAA    2a01:678:100:53::53
> ...
> 
> I admit I do not understand why an A request works and not an ANY
> request.
> 
> If I restart Unbound, *other* names in the zone fail and those which
> failed now work.
> 
> BIND has no problem with this zone.
> 
> Unbound 1.2.0 and 1.3.0, Debian/Linux. All the tests have been done
> with dlv.isc.org enabled.
> 
> _______________________________________________
> Unbound-users mailing list
> Unbound-users at unbound.net
> http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users

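The reply above attributes the intermittent SERVFAIL to a parse bug that depended on the order of NSEC and RRSIG records in the ANY response. The following is an added illustration (not Unbound's code and not from the thread) of the property a validator's record grouping must have: RRSIGs are matched to the RRset they cover regardless of packet order. The input is constructed from the records quoted in the thread, with signature data replaced by placeholders and A/AAAA signatures assumed.

```python
import random
from collections import defaultdict

# Constructed input modelled on the records quoted in the thread; signature
# data is replaced by placeholders, and the A/AAAA RRSIGs are assumed.
RECORDS = """\
ns1.absolight.net. 3420 IN RRSIG NSEC 5 3 3600 20090714212355 20090614212355 11595 absolight.net. SIG-NSEC
ns1.absolight.net. 3420 IN NSEC ns1-6.absolight.net. A AAAA RRSIG NSEC
ns1.absolight.net. 86187 IN AAAA 2a01:678:100:53::53
ns1.absolight.net. 86400 IN A 79.143.240.129
ns1.absolight.net. 86400 IN RRSIG A 5 3 86400 20090714212355 20090614212355 11595 absolight.net. SIG-A
ns1.absolight.net. 86187 IN RRSIG AAAA 5 3 86400 20090714212355 20090614212355 11595 absolight.net. SIG-AAAA
"""

def parse(text):
    """Presentation-format lines -> (owner, ttl, type, rdata) tuples."""
    rrs = []
    for line in text.splitlines():
        owner, ttl, _cls, rtype, rdata = line.split(None, 4)
        rrs.append((owner.lower(), int(ttl), rtype, rdata))
    return rrs

def group_rrsets(rrs):
    """Map (owner, type) -> {'rdata': [...], 'sigs': [...]}. An RRSIG is keyed
    on the type it covers (first rdata field), so the result does not depend
    on whether the signature precedes or follows its RRset in the packet."""
    sets = defaultdict(lambda: {"rdata": [], "sigs": []})
    for owner, _ttl, rtype, rdata in rrs:
        if rtype == "RRSIG":
            sets[(owner, rdata.split()[0])]["sigs"].append(rdata)
        else:
            sets[(owner, rtype)]["rdata"].append(rdata)
    for entry in sets.values():  # canonical order so groupings compare equal
        entry["rdata"].sort()
        entry["sigs"].sort()
    return dict(sets)

def order_independent(rrs, trials=20, seed=1):
    """True if every shuffle groups identically: the property the bug violated."""
    rng = random.Random(seed)
    baseline = group_rrsets(rrs)
    for _ in range(trials):
        shuffled = rrs[:]
        rng.shuffle(shuffled)
        if group_rrsets(shuffled) != baseline:
            return False
    return True

def unsigned_rrsets(rrs):
    """RRsets with data but no covering RRSIG; in a signed zone a validator
    treats these as bogus, which is what the client sees as SERVFAIL."""
    return sorted(k for k, v in group_rrsets(rrs).items()
                  if v["rdata"] and not v["sigs"])
```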