Maintained by: NLnet Labs

[Unbound-users] issue with unbound 1.4.6rc1 maintainers prerelease ?

Paul Wouters
Mon Jul 19 18:13:28 CEST 2010


> Unbound 1.4.6rc1 is prereleased:
> http://unbound.net/downloads/unbound-1.4.6rc1.tar.gz
> sha1 c1434f44d5c7dd456cc5d8195d1de23429ac19b9
> sha256 77377a429a2bafda276d921de24601114efa22809b2fa149e258f8f0c35a4d38
>
> Mostly bugfixes, with this release prompted by the RFC for GOST.  GOST
> is enabled if the SSL and ldns support it.  Otherwise, unbound acts as
> if GOST is not supported (it becomes insecure).

I did a compile test. I have openssl with gost, ldns 1.5.6rc1 with gost,
and unbound with gost compiled and installed.

I had no trust anchors yet:

[root@bofh devel]# grep trust-anchor /etc/unbound/unbound.conf |grep -v "#"
[root@bofh devel]#

I am confused about this query:

[root@bofh devel]# dig +dnssec  -t ns gost.cert.ru. @localhost
; <<>> DiG 9.6.2-P2-RedHat-9.6.2-5.P2.fc12 <<>> +dnssec -t ns gost.cert.ru. @localhost
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 11021
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 9, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;gost.cert.ru.			IN	NS

;; AUTHORITY SECTION:
cert.ru.		3242	IN	SOA	ns.cert.ru. postmaster.cert.ru. 1279506600 10800 3600 604800 3600
cert.ru.		3242	IN	RRSIG	SOA 5 2 3600 20100722023000 20100719013000 39201 cert.ru. BkEGeTqFrqOKR03Zh2ox/73Fvtb7slZUGSYauDRXCfuGrJGBBekPaVZC wz79JHaj5C0F5BOl/P2tM2nRPD4szfy7Dl65Ecnv8wLdKOx9LO0+w97H nXMWT5N1O4GsTypCi81ilGixrVfcOf+Dnz+Hnllr35a8z4dtAYVmlgX6 /iw=
cert.ru.		3242	IN	RRSIG	SOA 12 2 3600 20100722023000 20100719013000 18367 cert.ru. 7opJj1wkw4+Vub6bImpqx+ijkVv9G3Oh1ynRLjk+hATUoX/7SaxfaWIb 4ocpfOZjX6fXlnzviCphbcSbT0bj7A==
cert.ru.		3242	IN	NSEC	cobin.cert.ru. A NS SOA MX TXT RRSIG NSEC DNSKEY
cert.ru.		3242	IN	RRSIG	NSEC 5 2 3600 20100722023000 20100719013000 39201 cert.ru. UIcidDcm89nvSlfjnSa364r/RXkeNoipCKs5Jkik6KPSs1iSBlBkB7QG MkevzOCR4jFm8NQ0ip/Ry3bKcEDxfBWBRJ0Q4PKDmX4M2aIaM9SUW3mo yyqZqzM4apva6+azzGf3WT6pbj0PQcsYaoQI9kX3DxqmgT4rJ8locBGm KEI=
cert.ru.		3242	IN	RRSIG	NSEC 12 2 3600 20100722023000 20100719013000 18367 cert.ru. bHxEa6OY2S0GS18t7QmvJ8QPQBEZ81QS0NcBWLGgA8TDr3mrX2o18RDI FCwrJ3w9qlV4yhh/tlSwMN0I9winQg==
dlv.cert.ru.		3242	IN	NSEC	imap.cert.ru. NS DS RRSIG NSEC
dlv.cert.ru.		3242	IN	RRSIG	NSEC 5 3 3600 20100722023000 20100719013000 39201 cert.ru. cFkL+pVMB8PsV4NOkW/FYuI09yaox1H1yPvNRncwBemhMFWvU9dY80Wd dITEGPzYfMRgRt2pmfBZ2uu2GOHY0BzbtqkgwG4UOyyRqhbqQdS2Opot 9uM/WIIPCRTBNekwEcUY+sGh3+yYhs7cCb83nZ83YIIXFiaC2R7n52NT 1kE=
dlv.cert.ru.		3242	IN	RRSIG	NSEC 12 3 3600 20100722023000 20100719013000 18367 cert.ru. 2AJGKi8MacFuAo0n7EWwexn7Pc6rCN877+QMs76a8iDq+9VZPPoec8Js zn0TI9ta61ISt0A8UDjndK7cswpleA==

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Jul 19 12:04:54 2010
;; MSG SIZE  rcvd: 975

This shows the AD bit, and I am unsure why. There is no DS record, nor a DLV record
for gost.cert.ru. And I did not configure a trust anchor for it yet.

I've attached unbound.log with verbosity:4

Paul
-------------- next part --------------
A non-text attachment was scrubbed...
Name: unbound.log.gz
Type: application/x-gzip
Size: 459628 bytes
Desc: 
URL: <http://unbound.nlnetlabs.nl/pipermail/unbound-users/attachments/20100719/cdc06999/attachment-0001.bin>
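
The check described in the message above (no active trust point in unbound.conf, yet the AD flag set in the reply), written out as an added example; it is not part of the original post or of Unbound. It goes beyond the grep in the post by also matching the trusted-keys-file and dlv-anchor options from the unbound.conf manual. The sample reply reuses the header lines from the post with constructed, shortened RRSIG signatures, and the configs and key path are hypothetical.

```python
import re

# unbound.conf options that configure a DNSSEC trust point (unbound.conf manual).
# A grep for "trust-anchor" matches only the first three of them.
ANCHOR_OPTIONS = ("trust-anchor", "trust-anchor-file", "auto-trust-anchor-file",
                  "trusted-keys-file", "dlv-anchor", "dlv-anchor-file")

def anchor_directives(conf_text):
    """Return (option, value) for each active trust-point line.
    Files pulled in with include: are not followed."""
    found = []
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop the comment, keep the directive
        option, sep, value = line.partition(":")
        if sep and option.strip() in ANCHOR_OPTIONS:
            found.append((option.strip(), value.strip().strip('"')))
    return found

def parse_dig(output):
    """Extract rcode, header flags and RRSIG algorithm numbers from dig text."""
    status = re.search(r"status: (\w+)", output)
    flags = re.search(r";; flags:([a-z ]*);", output)
    algs = re.findall(r"\sIN\s+RRSIG\s+\S+\s+(\d+)\s", output)
    return {"status": status.group(1) if status else None,
            "flags": flags.group(1).split() if flags else [],
            "rrsig_algorithms": sorted({int(a) for a in algs})}

def review(conf_text, dig_output):
    """Flag a reply that carries AD although the config holds no trust point."""
    result = parse_dig(dig_output)
    result["anchors"] = anchor_directives(conf_text)
    result["ad_without_anchor"] = "ad" in result["flags"] and not result["anchors"]
    return result

# Header lines as in the post; RRSIG signatures are constructed and shortened.
SAMPLE_DIG = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 11021
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 9, ADDITIONAL: 1
cert.ru. 3242 IN RRSIG SOA 5 2 3600 20100722023000 20100719013000 39201 cert.ru. c2ln
cert.ru. 3242 IN RRSIG SOA 12 2 3600 20100722023000 20100719013000 18367 cert.ru. c2ln
"""
# Constructed configs: one without any trust point, one with a hypothetical DLV key path.
NO_ANCHOR_CONF = "server:\n    verbosity: 4\n"
DLV_CONF = 'server:\n    dlv-anchor-file: "/etc/unbound/dlv.example.key"  # hypothetical\n'

if __name__ == "__main__":
    print(review(NO_ANCHOR_CONF, SAMPLE_DIG))
    print(review(DLV_CONF, SAMPLE_DIG))
```

Algorithm numbers 5 and 12 in the result are RSASHA1 and ECC-GOST, the two signature algorithms visible in the reply quoted in the post.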