Maintained by: NLnet Labs

[Unbound-users] issue with unbound 1.4.6rc1 maintainers prerelease ?

W.C.A. Wijngaards
Tue Jul 20 09:21:25 CEST 2010


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Paul,

Because you have DLV enabled and there is a DLV for cert.ru.

Jul 19 12:08:30 bofh unbound: [3519:1] info: validator operate: query <cert.ru.dlv.isc.org. DLV IN>
Jul 19 12:08:30 bofh unbound: [3519:1] info: signer is <dlv.isc.org. TYPE0 CLASS0>
Jul 19 12:08:30 bofh unbound: [3519:1] info: validator: FindKey <cert.ru.dlv.isc.org. DLV IN>
Jul 19 12:08:30 bofh unbound: [3519:1] info: verify rrset <cert.ru.dlv.isc.org. DLV IN>
Jul 19 12:08:30 bofh unbound: [3519:1] info: verify rrset <dlv.isc.org. NS IN>
Jul 19 12:08:30 bofh unbound: [3519:1] info: validate(positive): sec_status_secure
Jul 19 12:08:30 bofh unbound: [3519:1] info: validation success <cert.ru.dlv.isc.org. DLV IN>
Jul 19 12:08:30 bofh unbound: [3519:1] info: validator: inform_super, sub is <cert.ru.dlv.isc.org. DLV IN>
Jul 19 12:08:30 bofh unbound: [3519:1] info: super is <ns.cert.ru. A IN>
Jul 19 12:08:30 bofh unbound: [3519:1] info: validator: inform_super, sub is <cert.ru.dlv.isc.org. DLV IN>
Jul 19 12:08:30 bofh unbound: [3519:1] info: super is <ns2.cert.ru. A IN>
Jul 19 12:08:30 bofh unbound: [3519:1] info: validator: inform_super, sub is <cert.ru.dlv.isc.org. DLV IN>
Jul 19 12:08:30 bofh unbound: [3519:1] info: super is <cert.ru. NS IN>
Jul 19 12:08:30 bofh unbound: [3519:1] info: validator: inform_super, sub is <cert.ru.dlv.isc.org. DLV IN>
Jul 19 12:08:30 bofh unbound: [3519:1] info: super is <gost.cert.ru. NS IN>
Jul 19 12:08:30 bofh unbound: [3519:1] info: validator operate: query <ns2.cert.ru. A IN>
Jul 19 12:08:30 bofh unbound: [3519:1] info: generate request <cert.ru. DNSKEY IN>
Jul 19 12:08:30 bofh unbound: [3519:1] info: validator operate: query <cert.ru. NS IN>
Jul 19 12:08:30 bofh unbound: [3519:1] info: generate request <cert.ru. DNSKEY IN>
Jul 19 12:08:30 bofh unbound: [3519:1] info: validator operate: query <ns.cert.ru. A IN>
Jul 19 12:08:30 bofh unbound: [3519:1] info: generate request <cert.ru. DNSKEY IN>
Jul 19 12:08:30 bofh unbound: [3519:1] info: validator operate: query <gost.cert.ru. NS IN>
Jul 19 12:08:30 bofh unbound: [3519:1] info: generate request <cert.ru. DNSKEY IN>
Jul 19 12:08:30 bofh unbound: [3519:1] info: validator operate: query <cert.ru. DNSKEY IN>
Jul 19 12:08:30 bofh unbound: [3519:1] info: resolving <cert.ru. DNSKEY IN>

Best regards,
   Wouter

On 07/19/2010 06:13 PM, Paul Wouters wrote:
> I did a compile test. I have openssl with gost, ldns 1.5.6rc1 with gost,
> and unbound with gost compiled and installed.
> 
> I had no trust anchors yet:
> 
> [root@bofh devel]# grep trust-anchor /etc/unbound/unbound.conf |grep -v "#"
> [root@bofh devel]#
> 
> I am confused about this query:
> 
> [root@bofh devel]# dig +dnssec  -t ns gost.cert.ru. @localhost
> ; <<>> DiG 9.6.2-P2-RedHat-9.6.2-5.P2.fc12 <<>> +dnssec -t ns gost.cert.ru. @localhost
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 11021
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 9, ADDITIONAL: 1

> This shows the AD bit, and I am unsure why. There is no DS record, nor a
> DLV record for gost.cert.ru. And I did not configure a trust anchor for
> it yet.
> 
> I've attached unbound.log with verbosity:4
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.14 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAkxFTnUACgkQkDLqNwOhpPgTXQCfcu8qxDcYAi3dKtm2P/UasQqd
OXEAnjsUQX/p7gPgFsR8XDy0PzkkERpn
=9IW5
-----END PGP SIGNATURE-----
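
Added example, not part of the original message or of Unbound: a Python script that rejoins the mail-wrapped trace lines and lists, for each DLV record that validated, the queries at or below that zone that were informed of the result. The function names and the `dlv_domain` default (taken from the `signer is <dlv.isc.org.` line in the log) are assumptions of the example.

```python
import re
from collections import defaultdict

# Excerpt of the trace quoted above, mail-wrapped as in the archive.
SAMPLE = """\
Jul 19 12:08:30 bofh unbound: [3519:1] info: validation success
<cert.ru.dlv.isc.org. DLV IN>
Jul 19 12:08:30 bofh unbound: [3519:1] info: validator: inform_super,
sub is <cert.ru.dlv.isc.org. DLV IN>
Jul 19 12:08:30 bofh unbound: [3519:1] info: super is <ns.cert.ru. A IN>
Jul 19 12:08:30 bofh unbound: [3519:1] info: validator: inform_super,
sub is <cert.ru.dlv.isc.org. DLV IN>
Jul 19 12:08:30 bofh unbound: [3519:1] info: super is <gost.cert.ru. NS IN>
"""

TS = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")  # syslog timestamp
QUERY = re.compile(r"<(\S+) (\S+) (\S+)>")                   # <name type class>

def messages(text):
    """Rejoin wrapped syslog lines; return the text after 'info: '."""
    joined = []
    for line in text.splitlines():
        if TS.match(line) or not joined:
            joined.append(line.strip())
        elif line.strip():
            joined[-1] += " " + line.strip()   # continuation of previous entry
    return [l.split("info: ", 1)[1] for l in joined if "info: " in l]

def dlv_covered(text, dlv_domain="dlv.isc.org."):
    """Map each zone with a validated DLV record to the queries informed of it."""
    secure, waiting, sub = set(), defaultdict(list), None
    for msg in messages(text):
        for name, qtype, _ in QUERY.findall(msg):
            if msg.startswith("validation success") and qtype == "DLV":
                secure.add(name)
            elif "inform_super, sub is" in msg:
                sub = name if qtype == "DLV" else None
            elif msg.startswith("super is") and sub:
                waiting[sub].append((name, qtype))   # pair super with its sub
                sub = None
    result = {}
    for dlv_name in sorted(secure):
        if dlv_name.endswith("." + dlv_domain):
            zone = dlv_name[: -len(dlv_domain)]  # cert.ru.dlv.isc.org. -> cert.ru.
            result[zone] = [q for q in waiting[dlv_name]
                            if ("." + q[0]).endswith("." + zone)]
    return result

print(dlv_covered(SAMPLE))
```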