Maintained by: NLnet Labs

[Unbound-users] SERVFAIL with *some* names in a DNSSEC+DLV signed zone

W.C.A. Wijngaards
Fri Sep 4 09:23:16 CEST 2009



Hi Stephane,

The problem is this:

souissi.net.		86400	IN	NS	ns1.souissi.net.
souissi.net.		86400	IN	NS	ns-slave.free.org.

With IP addresses:
ns1.souissi.net.	86400	IN	A	91.121.163.99
ns1.souissi.net.	86400	IN	AAAA 2001:41d0:1:e463:dead:beef:face:1
ns-slave.free.org.	28756	IN	A	88.191.249.137
(no AAAA for it).

For 91.121.163.99 and dead-beef-face, I get a dnssec answer.
But the free.org server gives a dnssec-less answer.

The problem is that unbound does not expect DNSSEC for souissi.net
because it has not checked the DLV yet, and thus accepts the free.org
answer (1 out of 3 times it picks that IP address).

Then it becomes bogus.  This lasts one minute (bogus-ttl: 60), and
then it tries again.  After a couple of minutes of 1/3 fail and
2/3 success, it has the 24-hour TTL for the valid answer.

So once in a very long while you see that servfail.

It is because of the misconfigured slave at free.org of course.

But I am thinking how to make this easier on other people that
aren't as smart as you are to figure this out.  Or to make unbound
smarter so it won't get into this trouble.  I don't know.

Best regards,
   Wouter
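As an added example (not code from this thread, from Unbound or from NLnet Labs), a small Python check for the inconsistency described above: ask each NS of a zone directly with the DO bit set and flag the servers that answer without RRSIGs, which is exactly what made the free.org slave poison the cache before the DLV lookup had happened. The dig outputs embedded below are constructed and shortened (placeholder signature data), and probe() is an assumed helper that shells out to dig.

```python
"""Flag authoritative servers that answer a signed zone without RRSIGs.

Added example, not part of the original thread.  The two dig-style
answers below are constructed: one mimics ns1.souissi.net (signed),
the other the ns-slave.free.org slave (no RRSIG at all).
"""
import subprocess

# Constructed sample output; "PLACEHOLDER==" stands in for real RRSIG data.
SIGNED_ANSWER = """\
;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; ANSWER SECTION:
souissi.net.\t86400\tIN\tSOA\tns1.souissi.net. hostmaster.souissi.net. 2009090101 3600 900 3600000 900
souissi.net.\t86400\tIN\tRRSIG\tSOA 5 2 86400 20091001060200 20090901060200 8850 souissi.net. PLACEHOLDER==
"""
UNSIGNED_ANSWER = """\
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; ANSWER SECTION:
souissi.net.\t86400\tIN\tSOA\tns1.souissi.net. hostmaster.souissi.net. 2009090101 3600 900 3600000 900
"""

def parse_records(dig_output):
    """Return (type, rdata) for every resource record line in dig output."""
    records = []
    for line in dig_output.splitlines():
        if not line or line.startswith(";"):
            continue                      # comments, section headers, blanks
        fields = line.split(None, 4)      # owner ttl class type rdata
        if len(fields) == 5 and fields[2] == "IN":
            records.append((fields[3], fields[4]))
    return records

def signed_types(dig_output):
    """Set of RR types covered by an RRSIG in this answer (RRSIG's type-covered field)."""
    return {rdata.split()[0] for rtype, rdata in parse_records(dig_output) if rtype == "RRSIG"}

def unsigned_servers(answers, qtype="SOA"):
    """Names of servers whose answer carries no RRSIG over qtype; these break validation."""
    return sorted(srv for srv, out in answers.items() if qtype not in signed_types(out))

def probe(zone, servers, qtype="SOA"):
    """Live variant (assumed helper): query each NS with the DO bit; needs dig and network."""
    return {srv: subprocess.run(["dig", "@" + srv, "+dnssec", "+norecurse", qtype, zone],
                                capture_output=True, text=True, check=False).stdout
            for srv in servers}

if __name__ == "__main__":
    answers = {"ns1.souissi.net.": SIGNED_ANSWER, "ns-slave.free.org.": UNSIGNED_ANSWER}
    print("servers answering without RRSIG:", unsigned_servers(answers))
```

Running the live probe against all NS records of a zone before enabling DLV or a trust anchor for it would surface a slave like this one before a validating resolver starts returning intermittent SERVFAILs.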

On 09/04/2009 08:42 AM, Stephane Bortzmeyer wrote:
> On Thu, Aug 27, 2009 at 11:08:31AM +0200,
>  W.C.A. Wijngaards <wouter at nlnetlabs.nl> wrote 
>  a message of 46 lines which said:
> 
>> Can you give me more details?
> ...
>> Can you give the output of the query +cdflag (what was the
>> data that failed?)
> 
> OK, since the problem occurred again this morning (SOA souissi.net
> fails, SOA sources.org works), here is the full disclosure (do note
> that SERVFAIL depends on the QTYPE, not only the QNAME):
> 
> 
> % dig +dnssec MX souissi.net
> 
> ; <<>> DiG 9.5.1-P3 <<>> +dnssec MX souissi.net
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64634
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 3, ADDITIONAL: 9
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;souissi.net.			IN	MX
> 
> ;; ANSWER SECTION:
> souissi.net.		86400	IN	MX	10 mx1.souissi.net.
> souissi.net.		86400	IN	MX	20 mylar.selfns.net.
> souissi.net.		86400	IN	RRSIG	MX 5 2 86400 20091001060200 20090901060200 8850 souissi.net. he5nHZ9ZdSkmZAreeyZ3mqob1VP6wy/BCYGgeImDrwDRg9HaDyUdjDCt rX0UGFMPtETtpULEKNVYTmVQd30r//l+TBLWbElNdsAq/qW4OIbmbgfT vLTFeAJsfwlEQ3Ch2/NwmCQjdTd0DkMlva+hCtJ3MeQurjTamfuSWuku U5Y=
> 
> ;; AUTHORITY SECTION:
> souissi.net.		86400	IN	NS	ns-slave.free.org.
> souissi.net.		86400	IN	NS	ns1.souissi.net.
> souissi.net.		86400	IN	RRSIG	NS 5 2 86400 20091001060200 20090901060200 8850 souissi.net. BbOxk5nOJfEYBFPTkLmfTtLKb4+L/Rj4lfaUPWJd/CQAiQn7GF5qMTR8 Gr1bX1ncpVQM5tmsJu26mxlauiJAiTGqF0HXwuizsi6B4M+6ZJp/qlAF 1hOZ/Q88/48UUTDnIRGLu4+WNQpSEnjZYS6LlaFYxXiDas8Ef+u3sMc7 S28=
> 
> ;; ADDITIONAL SECTION:
> mx1.souissi.net.	86400	IN	A	91.121.163.99
> mx1.souissi.net.	86400	IN	AAAA	2001:41d0:1:e463:dead:beef:face:1
> ns1.souissi.net.	86400	IN	A	91.121.163.99
> ns1.souissi.net.	86400	IN	AAAA	2001:41d0:1:e463:dead:beef:face:1
> mx1.souissi.net.	86400	IN	RRSIG	A 5 3 86400 20091001060200 20090901060200 8850 souissi.net. TVNYVYAhwSQasJaQT/DW3UdZ+7kn/w2HqUvw9mXa6c58F8RBqoKOgAGF zO8ZR8i9Dc1I3qFXgXUojP3MTML+6ItHtK+ktKVCYJ/fHfXObauP68X8 bFjE+bMKl71bcI07e206/Gfuqrw5CM46vhUL8sAKipad4G1MPh+cL+Yd wkw=
> mx1.souissi.net.	86400	IN	RRSIG	AAAA 5 3 86400 20091001060200 20090901060200 8850 souissi.net. cUZvufe1UYszNAIS78GLrUZxa4N6XMA0YDJsXneCERw7McWyIOic21+7 DGIkd8Cth4F/tz/C6QjjGlULLz+Z/t/nV/uH9HdCdXInb9V8m/K6tId4 Nk04lp0MzhYjCQK7gvnZaTeXpfceLZNsIkqqPJiJeCGYx3nUcYMy3x0N czI=
> ns1.souissi.net.	86400	IN	RRSIG	A 5 3 86400 20091001060200 20090901060200 8850 souissi.net. OG6LheSUBXSH/m8XW+jzWwo9eFBOA0ax5q0eWhKwFjYPrZdY4A+06Rz+ BW2iguIStEx46+YfWSuUn6MzuDJ7lgljbRPgQ2DTDWdZOb1bEPq7XyK0 YZ3j5J4DaBBvebZnGFDvTOLaFr/cGRumiXYf2dNlacQiBmnrrmtXAD3c kD4=
> ns1.souissi.net.	86400	IN	RRSIG	AAAA 5 3 86400 20091001060200 20090901060200 8850 souissi.net. WOxlR+RwhQv5GRm3VeDOf7WOHfeUkDXNEWKjFFKpJttQZQv2NYyH0oqM kBW4+UUc0BMKK0MHwtEgRxwGyWjjGGFtYRvlswetOVT1UnuDF8B3nPlu DtHQ7ZAR663EbpE/g+faAZVaLS91BorcYSA/ltk7eoF1mjCevKprWDm4 CJ0=
> 
> ;; Query time: 8 msec
> ;; SERVER: ::1#53(::1)
> ;; WHEN: Fri Sep  4 08:39:31 2009
> ;; MSG SIZE  rcvd: 1252
> 
> 
> 
> 
> % dig +dnssec SOA souissi.net
> 
> ; <<>> DiG 9.5.1-P3 <<>> +dnssec SOA souissi.net
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 17478
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;souissi.net.			IN	SOA
> 
> ;; Query time: 0 msec
> ;; SERVER: ::1#53(::1)
> ;; WHEN: Fri Sep  4 08:40:21 2009
> ;; MSG SIZE  rcvd: 40
> 
> 
> % dig +dnssec SOA sources.org
> 
> ; <<>> DiG 9.5.1-P3 <<>> +dnssec SOA sources.org
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22082
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 7, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;sources.org.			IN	SOA
> 
> ;; ANSWER SECTION:
> sources.org.		86400	IN	SOA	ns3.bortzmeyer.org. hostmaster.bortzmeyer.org. 2009090100 7200 3600 604800 43200
> sources.org.		86400	IN	RRSIG	SOA 3 2 86400 20091102035202 20090901035202 14347 sources.org. CIE1J9Im49PJBYPZQyV6Nrk/B0i0MZQi9SehcF7R+agqz9UJRzReLwI=
> sources.org.		86400	IN	RRSIG	SOA 5 2 86400 20091102035202 20090901035202 22107 sources.org. j2M7O6urcyXrj/WDhgdR1m9CbTOhEGLNtL5hYs7PHTghblln+yYclnQw KQmdZAYKLm2XFsrYiYSHVAc3i6jAVMb4rDE30R1Ckk3OC7cTTYEslqei RYzrpscfyt5cS6BRZz4feY1wEy3uJ1qaPSKZ8x0iUkVUXM63rGFxie4V J6vwPGnp5ToeP6Ewkyp22Q71ckIGcPKUkmdZD7o2RX2BEoitJUmj2LAD XY/mA4tbgTdm23WFmuW9zAY+2WiYjlCJKKf2TEb2XA0GnZYx0m9RSOuj pu7aCWKZo+Rf1Z5favipVJ9Jt2IkOpSCTBjy8PDYOyT8XbnMCmRj2Lo1 cvezNg==
> 
> ;; AUTHORITY SECTION:
> sources.org.		86400	IN	NS	ns4.generic-nic.net.
> sources.org.		86400	IN	NS	munzer.bortzmeyer.org.
> sources.org.		86400	IN	NS	ns3.bortzmeyer.org.
> sources.org.		86400	IN	NS	munzer.ipv6.bortzmeyer.org.
> sources.org.		86400	IN	NS	ns6.gandi.net.
> sources.org.		86400	IN	RRSIG	NS 3 2 86400 20091102035202 20090901035202 14347 sources.org. CKHF2HzIBvqloe0oSj/CX+ZsESq3B35PMPwNJQP9YM8JpTRVToBQ5Cw=
> sources.org.		86400	IN	RRSIG	NS 5 2 86400 20091102035202 20090901035202 22107 sources.org. MWXlsrOpRA6V+dt4YYn/tlDtcJtKkgnv+ezi9OR2ZupgDvHVLE6yKy99 Ze8oWrM8bIRH0C6PynqC/yYuVSVUzMxYiKvDFca6GIyhNd6IS9+AghfY b2AYPb3wCv/sgATDUNnSQl4yQENXU6N4E2VIsucELFSBwiI1Q3fzDMK5 uX+DMvJk9sAJ1JAGLvwlxpzsdKA3C32scYJBxiTJNqHY6K4cBompHTgi L3oWnUh6/aECWBd39WUDgAvjgHiSIX1k4aw9XpUV8RoHidCvbwcufsTt xzhF1C9pIO+eZCf0xWoHb16jMGfWmgVIdL/PkU3k5bcNmEGoYQSFeTZv cmsMFQ==
> 
> ;; Query time: 6 msec
> ;; SERVER: ::1#53(::1)
> ;; WHEN: Fri Sep  4 08:41:09 2009
> ;; MSG SIZE  rcvd: 986
> 
> 
> % dig +cd +dnssec SOA souissi.net
> 
> ; <<>> DiG 9.5.1-P3 <<>> +cd +dnssec SOA souissi.net
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60400
> ;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 5
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;souissi.net.			IN	SOA
> 
> ;; ANSWER SECTION:
> souissi.net.		86025	IN	SOA	ns1.souissi.net. hostmaster.souissi.net. 2009090101 3600 900 3600000 900
> 
> ;; AUTHORITY SECTION:
> souissi.net.		86291	IN	NS	ns-slave.free.org.
> souissi.net.		86291	IN	NS	ns1.souissi.net.
> souissi.net.		86291	IN	RRSIG	NS 5 2 86400 20091001060200 20090901060200 8850 souissi.net. BbOxk5nOJfEYBFPTkLmfTtLKb4+L/Rj4lfaUPWJd/CQAiQn7GF5qMTR8 Gr1bX1ncpVQM5tmsJu26mxlauiJAiTGqF0HXwuizsi6B4M+6ZJp/qlAF 1hOZ/Q88/48UUTDnIRGLu4+WNQpSEnjZYS6LlaFYxXiDas8Ef+u3sMc7 S28=
> 
> ;; ADDITIONAL SECTION:
> ns1.souissi.net.	86000	IN	A	91.121.163.99
> ns1.souissi.net.	86000	IN	AAAA	2001:41d0:1:e463:dead:beef:face:1
> ns1.souissi.net.	86000	IN	RRSIG	A 5 3 86400 20091001060200 20090901060200 8850 souissi.net. OG6LheSUBXSH/m8XW+jzWwo9eFBOA0ax5q0eWhKwFjYPrZdY4A+06Rz+ BW2iguIStEx46+YfWSuUn6MzuDJ7lgljbRPgQ2DTDWdZOb1bEPq7XyK0 YZ3j5J4DaBBvebZnGFDvTOLaFr/cGRumiXYf2dNlacQiBmnrrmtXAD3c kD4=
> ns1.souissi.net.	86000	IN	RRSIG	AAAA 5 3 86400 20091001060200 20090901060200 8850 souissi.net. WOxlR+RwhQv5GRm3VeDOf7WOHfeUkDXNEWKjFFKpJttQZQv2NYyH0oqM kBW4+UUc0BMKK0MHwtEgRxwGyWjjGGFtYRvlswetOVT1UnuDF8B3nPlu DtHQ7ZAR663EbpE/g+faAZVaLS91BorcYSA/ltk7eoF1mjCevKprWDm4 CJ0=
> 
> ;; Query time: 0 msec
> ;; SERVER: ::1#53(::1)
> ;; WHEN: Fri Sep  4 08:41:20 2009
> ;; MSG SIZE  rcvd: 693
> 
> 
> 
> % dig DNSKEY souissi.net 
> 
> ; <<>> DiG 9.5.1-P3 <<>> DNSKEY souissi.net
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50673
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;souissi.net.			IN	DNSKEY
> 
> ;; ANSWER SECTION:
> souissi.net.		85955	IN	DNSKEY	257 3 5 AwEAAbiXOW26EYYHFx/ydGzDW4+ixz5xoWF9ANdmZT6+3bMBlWskh2GZ KPKhlgH0YAtpcNG4/9kH+e7yfEUiX15Tc3zMk+WYKllMiqGvKr6KSz+p RQlUegflFJwDnBfXWlKqyoPXn2szhSGMBNcIrX2W5KucoMQUQesrjjtE XGMPVVqEL5YkX3Qk4OxXWdou/9d/R3nVfQTyQadgOl8q5StAPgQsR+wJ 6B0H5PyziiRAtjsnFJYH+yQiD1SFw5MuZBoVTtblrAY7wo4Boqh6IiCj qvGk9/RNK6AcEbcs4tDvoCZxcRZFBCeHCnzgdlk5f8u6wN+Fs6bIVO76 +wuOos+OPnCO1ndsaO5j5KPRC/ChWiKTZ9gy3Sia1hO/qSjOi/w16VW6 ES/pQrv9QokTGTLuL6HatXkMWoyX6E+dj2rimKEnNmXKUK7otglLSoCW +ca0+OAVrupRYWsn4UwO5UprnFMo2gLz69jKVx/gIh7hgSBLKJFO8omT LLDVOKaOHzsVulfp/Qs8b8x8TqU4ncteyx1MPxJCUo6DiIFnnGkD7RSC S7Bk7izWdMCzlpCWLekPMwihx9UW4hqwjQ6L6wFiiJulC4eZP+jODQ/8 BC/Vr7Q+XyBhGh7K4kkbPOVk1hCJNglhxQ7Q/3hWGuZVrYUqOX7s2Zhl EPMLgQqafoX7rAyd
> souissi.net.		85955	IN	DNSKEY	256 3 5 AwEAAcJcU4Ih5IkoLhNLC6mq902qVagsh8IEKyfqQE5/ngZkL0r+NAww RiJdSO2muPkk0qQsD+duziDon7Mz1E/EBuetI8ZE/zdmowu9outSTfRN lYvxNoQTSVZ0w8Ct3/qeNG1qpXr9nERqMz663tI9BKc866K5ajj0eI0v YXqkpptp
> 
> ;; Query time: 1 msec
> ;; SERVER: ::1#53(::1)
> ;; WHEN: Fri Sep  4 08:42:05 2009
> ;; MSG SIZE  rcvd: 720
> 
> 
> 
> % dig ANY souissi.net.dlv.isc.org
> 
> ; <<>> DiG 9.5.1-P3 <<>> ANY souissi.net.dlv.isc.org
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50301
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 6, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;souissi.net.dlv.isc.org.	IN	ANY
> 
> ;; ANSWER SECTION:
> souissi.net.dlv.isc.org. 3600	IN	NSEC	stormrevel.net.dlv.isc.org. RRSIG NSEC DLV
> souissi.net.dlv.isc.org. 3600	IN	RRSIG	NSEC 5 5 3600 20091004051505 20090904051505 64263 dlv.isc.org. R/6wE7ZXOJrSf2iIUidk4ZeZ8g5WOzZGUpl2cI/rWNHn2mAyR8AfSYFY 29qtCEnfed923cVkdVFuJarZEB9IHtgD8S7UQBMloElfy51Q4RDl6IFJ cH4Y/34InJ33w7/IuuOxtH8xQZTWEXeJTIpCeitddmo4X/B1GaH1x2Cz VaE=
> souissi.net.dlv.isc.org. 3600	IN	DLV	28198 5 1 C6C7D20861D7E03915012AFAD74F20F17F212964
> souissi.net.dlv.isc.org. 3600	IN	DLV	28198 5 2 3C54CCD5EE584519C4A5CF47BFAF359B0C06B4261965A265F8A28AF4 259B1184
> souissi.net.dlv.isc.org. 3600	IN	RRSIG	DLV 5 5 3600 20091004051505 20090904051505 64263 dlv.isc.org. oNhnBAQRgMi5mggt7Rhhts+AZFdANZUcDx010KoHxw3txcNjOeB2EJoN 9q+16FvkezefeiMlBwzx4IHs4q7D+XsvFmmmgtybYNRNHVR+Xw+GP2Ee wTsJlzBF7ggmO8VF+Upn5XhdtHI2ggdZBNLkZHfd3XFnT8hCf/d6UGI4 wRI=
> 
> ;; AUTHORITY SECTION:
> dlv.isc.org.		3600	IN	NS	ns1.isc.ultradns.net.
> dlv.isc.org.		3600	IN	NS	dlv.sfba.sns-pb.isc.org.
> dlv.isc.org.		3600	IN	NS	dlv.ams.sns-pb.isc.org.
> dlv.isc.org.		3600	IN	NS	dlv.ord.sns-pb.isc.org.
> dlv.isc.org.		3600	IN	NS	ns.isc.afilias-nst.info.
> dlv.isc.org.		3600	IN	NS	ns2.isc.ultradns.net.
> 
> ;; Query time: 19 msec
> ;; SERVER: ::1#53(::1)
> ;; WHEN: Fri Sep  4 08:42:24 2009
> ;; MSG SIZE  rcvd: 692
> 
