Maintained by: NLnet Labs

[Unbound-users] [ben at cuckoo.org: .se disappeared?]

Hauke Lampe
Tue Oct 13 00:13:54 CEST 2009


Stephane Bortzmeyer wrote:

>> % dig MX se.
>>
>> ; <<>> DiG 9.5.1-P3 <<>> MX se.
>> ;; global options:  printcmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 28196
> 
> The log says:
> 
[...]

> Oct 12 23:22:56 batilda unbound: [16214:0] debug: verify: signature
> mismatch
> Oct 12 23:22:56 batilda unbound: [16214:0] info: validator: response
> has failed AUTHORITY rrset: <se. SOA IN>
> Oct 12 23:22:56 batilda unbound: [16214:0] info: Validate: message
> contains bad rrsets

BIND says about the same:

| Oct 13 00:04:29 pope named[2843]:   validating @0xb50c0030: se SOA: no
valid signature found

Yet it still returns an answer without AD flag:

~$ dig +dnssec -t mx se

; <<>> DiG 9.7.0a3 <<>> +dnssec -t mx se
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19619
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;se.                            IN      MX

;; AUTHORITY SECTION:
se.                     3600    IN      SOA
catcher-in-the-rye.nic.se. registry-default.nic.se. 2009101211 1800 1800
2419200 7200
se.                     3600    IN      RRSIG   SOA 5 1 172800
20091019014636 20091012162314 12075 se.
nZovZAGx5M4r1o7RXrzJJ+IEfax27GlPnaza0psSvJAY4q5xbF9SrfaB
PplG+t2FjjQv3IXT5+C6I7RmQ1R2wrApWGcj/CmQyTig/+sqlC4sBzTl
os73ZbLWWcXWctk5lB9Yg/+qaK/BYYPYrHkH/kDu5g20REcA9QUUexwx 3aE=
[...]


dnssec-validation is enabled and se.dlv.isc.org holds DLV records for
current se DNSKEYs. It should return SERVFAIL, I think.



Hauke.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 197 bytes
Desc: OpenPGP digital signature
URL: <http://unbound.nlnetlabs.nl/pipermail/unbound-users/attachments/20091013/cdcf2a9a/attachment.pgp>