Maintained by: NLnet Labs

[Unbound-users] Signed .de zone - temporary validation errors

Bernhard Schmidt
Wed Mar 31 14:28:51 CEST 2010


Hi everyone,

I have a really weird occasional DNSSEC validation error with the DENIC 
DNSSEC testbed.

My private server, running Debian testing, Unbound 1.4.3-1, libldns1 
1.6.4-4, amd64 platform. Used to be the same on Unbound 1.4.0 with ldns 
1.6.0, I haven't tested earlier versions. Configuration:

server:
	verbosity: 1
	extended-statistics: yes
	interface-automatic: yes
	dlv-anchor-file: "dlv.isc.org.key"
	trust-anchor-file: "trust-anchor.key"
	val-log-level: 1
remote-control:
	control-enable: yes
stub-zone:
         name: "de"
	stub-addr: 81.91.161.228	# auth-fra.dnssec.denic.de
	stub-addr: 2A02:568:0:1::53
	stub-addr: 87.233.175.25	# auth-ams.dnssec.denic.de
	stub-prime: no

trust-anchor.key is the one from
https://www.secure.denic.de/fileadmin/Domains/DNSSEC/de-trust-anchor.txt .

It occasionally happens after about one to two weeks of uptime that I 
cannot query any .de domain anymore. All of the sudden the log is full 
of validation errors

Mar 30 16:29:40 svr01 unbound: [1315:0] info: validation failure 
<ecm1._domainkey.newsletter.postbank.de. TXT IN>
Mar 30 16:29:43 svr01 unbound: [1315:0] info: validation failure 
<postbank.de. NS IN>
Mar 30 16:29:43 svr01 unbound: [1315:0] info: validation failure 
<bounce.newsletter.postbank.de. MX IN>
Mar 30 16:29:43 svr01 unbound: [1315:0] info: validation failure 
<bounce.newsletter.postbank.de. A IN>

(for all domains in .de). Usually I just restart unbound and the problem 
goes away. This time I wanted to collect additional information and did 
not restart the daemon, but the problem went away on its own.

Mar 30 21:20:44 svr01 unbound: [1315:0] info: validation failure 
<svr02.teleport-iabg.de. A IN>
Mar 30 21:20:44 svr01 unbound: [1315:0] info: validation failure 
<svr02.teleport-iabg.de. AAAA IN>

and nothing more. Occasionally I also have messages like

Mar 30 21:06:10 svr01 unbound: [1315:0] info: failed to prime trust 
anchor -- DNSKEY rrset is not secure <de. DNSKEY IN>
Mar 30 21:06:10 svr01 last message repeated 2 times
Mar 30 21:06:10 svr01 unbound: [1315:0] info: failed to prime trust 
anchor -- could not fetch DNSKEY rrset <de. DNSKEY IN>
Mar 30 21:06:10 svr01 last message repeated 2 times

The process has been running untouched since March 21st.

I raised this on the DENIC ml. Peter Koch told me that he sees queries 
from my IP address without the OPT-RR (so no EDNS and no DO) during that 
timeframe. Which would of course mean that Unbound would not get any 
DNSSEC records, so complaining is a good plan indeed.

Has anyone seen this behaviour before? Is there any particular debug 
command you want me to run the next time this happens? I am running 
multiple unbound installations, all of them with DLV, some of them with 
IANA ITAR, but this is the only one running the signed .de zone.

Best Regards,
Bernhard