Maintained by: NLnet Labs

[Unbound-users] Signed .de zone - temporary validation errors

Roy Arends
Wed Mar 31 17:17:14 CEST 2010


On Mar 31, 2010, at 1:28 PM, Bernhard Schmidt wrote:

> Hi everyone,
> 
> I have a really weird occasional DNSSEC validation error with the DENIC DNSSEC testbed.
> 
> My private server, running Debian testing, Unbound 1.4.3-1, libldns1 1.6.4-4, amd64 platform. Used to be the same on Unbound 1.4.0 with ldns 1.6.0, I haven't tested earlier versions. Configuration:
> 
> server:
> 	verbosity: 1
> 	extended-statistics: yes
> 	interface-automatic: yes
> 	dlv-anchor-file: "dlv.isc.org.key"
> 	trust-anchor-file: "trust-anchor.key"
> 	val-log-level: 1
> remote-control:
> 	control-enable: yes
> stub-zone:
> 	name: "de"
> 	stub-addr: 81.91.161.228	# auth-fra.dnssec.denic.de
> 	stub-addr: 2A02:568:0:1::53
> 	stub-addr: 87.233.175.25	# auth-ams.dnssec.denic.de
> 	stub-prime: no

That server (81.91.161.228/87.233.175.25) will tell you that the actual nameservers for .de are [cls].de.net. and [afz].nic.de. Subsequently, the resolver asks one of these servers for an answer, and gets an unsigned delegation. Hence the validation failure.

This is how it worked in the Java version of Unbound.

Roy
> 
> trust-anchor.key is the one from
> https://www.secure.denic.de/fileadmin/Domains/DNSSEC/de-trust-anchor.txt .
> 
> It occasionally happens after about one to two weeks of uptime that I cannot query any .de domain anymore. All of a sudden the log is full of validation errors
> 
> Mar 30 16:29:40 svr01 unbound: [1315:0] info: validation failure <ecm1._domainkey.newsletter.postbank.de. TXT IN>
> Mar 30 16:29:43 svr01 unbound: [1315:0] info: validation failure <postbank.de. NS IN>
> Mar 30 16:29:43 svr01 unbound: [1315:0] info: validation failure <bounce.newsletter.postbank.de. MX IN>
> Mar 30 16:29:43 svr01 unbound: [1315:0] info: validation failure <bounce.newsletter.postbank.de. A IN>
> 
> (for all domains in .de). Usually I just restart unbound and the problem goes away. This time I wanted to collect additional information and did not restart the daemon, but the problem went away on its own.
> 
> Mar 30 21:20:44 svr01 unbound: [1315:0] info: validation failure <svr02.teleport-iabg.de. A IN>
> Mar 30 21:20:44 svr01 unbound: [1315:0] info: validation failure <svr02.teleport-iabg.de. AAAA IN>
> 
> and nothing more. Occasionally I also have messages like
> 
> Mar 30 21:06:10 svr01 unbound: [1315:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure <de. DNSKEY IN>
> Mar 30 21:06:10 svr01 last message repeated 2 times
> Mar 30 21:06:10 svr01 unbound: [1315:0] info: failed to prime trust anchor -- could not fetch DNSKEY rrset <de. DNSKEY IN>
> Mar 30 21:06:10 svr01 last message repeated 2 times
> 
> The process has been running untouched since March 21st.
> 
> I raised this on the DENIC ml. Peter Koch told me that he sees queries from my IP address without the OPT-RR (so no EDNS and no DO) during that timeframe. Which would of course mean that Unbound would not get any DNSSEC records, so complaining is a good plan indeed.
> 
> Has anyone seen this behaviour before? Is there any particular debug command you want me to run the next time this happens? I am running multiple unbound installations, all of them with DLV, some of them with IANA ITAR, but this is the only one running the signed .de zone.
> 
> Best Regards,
> Bernhard
> _______________________________________________
> Unbound-users mailing list
> Unbound-users at unbound.net
> http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
>
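As an added example, not part of this thread and not Unbound's own code: a small Python triage script over Unbound log lines in the format quoted above. The sample lines are the ones from the post (hostname svr01 and PID 1315 as quoted) plus one constructed line for www.example.org so that a second TLD appears. The script separates per-name validation failures from trust-anchor priming errors, expands syslog "last message repeated N times" lines, groups failures by TLD, and flags the pattern Bernhard describes, where every failure sits under one TLD whose anchor also failed to prime, as a resolver-side (anchor or stub) problem rather than a problem with the individual zones. The verdict labels and the 0.9 threshold are this example's own choices.

```python
import re
from collections import Counter

# Sample log: the lines quoted in the post, plus one constructed line for
# www.example.org (not from the post) so that a second TLD shows up.
SAMPLE_LOG = """\
Mar 30 16:29:40 svr01 unbound: [1315:0] info: validation failure <ecm1._domainkey.newsletter.postbank.de. TXT IN>
Mar 30 16:29:43 svr01 unbound: [1315:0] info: validation failure <postbank.de. NS IN>
Mar 30 16:29:43 svr01 unbound: [1315:0] info: validation failure <bounce.newsletter.postbank.de. MX IN>
Mar 30 16:29:43 svr01 unbound: [1315:0] info: validation failure <bounce.newsletter.postbank.de. A IN>
Mar 30 21:06:10 svr01 unbound: [1315:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure <de. DNSKEY IN>
Mar 30 21:06:10 svr01 last message repeated 2 times
Mar 30 21:06:10 svr01 unbound: [1315:0] info: failed to prime trust anchor -- could not fetch DNSKEY rrset <de. DNSKEY IN>
Mar 30 21:06:10 svr01 last message repeated 2 times
Mar 30 21:20:44 svr01 unbound: [1315:0] info: validation failure <svr02.teleport-iabg.de. A IN>
Mar 30 21:20:44 svr01 unbound: [1315:0] info: validation failure <svr02.teleport-iabg.de. AAAA IN>
Mar 30 21:21:02 svr01 unbound: [1315:0] info: validation failure <www.example.org. A IN>
"""

VALIDATION_RE = re.compile(
    r"info: validation failure <(?P<name>\S+) (?P<type>\S+) (?P<class>\S+)>")
PRIME_RE = re.compile(
    r"info: failed to prime trust anchor -- (?P<reason>.+?) <(?P<name>\S+) DNSKEY IN>")
REPEAT_RE = re.compile(r"last message repeated (?P<n>\d+) times")


def parse_unbound_log(text):
    """Return (validation_failures, prime_errors) as lists of tuples.

    validation_failures: (owner name, rrtype); prime_errors: (anchor name, reason).
    syslog 'last message repeated N times' lines are expanded into N copies
    of the previous event so that counts reflect what the resolver logged.
    """
    failures, prime_errors = [], []
    last = None  # (list the last event went into, the event) for repeat lines
    for line in text.splitlines():
        m = REPEAT_RE.search(line)
        if m and last is not None:
            bucket, record = last
            bucket.extend([record] * int(m.group("n")))
            continue
        m = VALIDATION_RE.search(line)
        if m:
            record = (m.group("name").lower(), m.group("type"))
            failures.append(record)
            last = (failures, record)
            continue
        m = PRIME_RE.search(line)
        if m:
            record = (m.group("name").lower(), m.group("reason"))
            prime_errors.append(record)
            last = (prime_errors, record)
    return failures, prime_errors


def tld_of(name):
    """Rightmost label of a fully qualified name, with trailing dot ('.' for root)."""
    labels = name.rstrip(".").split(".")
    return labels[-1] + "." if labels[-1] else "."


def triage(text, threshold=0.9):
    """Group failures by TLD and give each TLD a verdict.

    'anchor'     : the TLD's own trust anchor failed to prime, so every
                   failure under it is a consequence of that (resolver-side
                   anchor or stub-zone problem, as in the post)
    'widespread' : at least `threshold` of all failures are under this TLD
                   although its anchor primed (hypothetical label, e.g. a TLD
                   key rollover the resolver missed)
    'isolated'   : a minority of failures; look at the zone's own signatures
    """
    failures, prime_errors = parse_unbound_log(text)
    by_tld = Counter(tld_of(name) for name, _ in failures)
    unprimed = {name for name, _ in prime_errors}
    total = len(failures)
    verdicts = {}
    for tld, count in by_tld.items():
        if tld in unprimed:
            verdicts[tld] = "anchor"
        elif total and count / total >= threshold:
            verdicts[tld] = "widespread"
        else:
            verdicts[tld] = "isolated"
    return {"failures_by_tld": dict(by_tld),
            "unprimed_anchors": sorted(unprimed),
            "verdicts": verdicts}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for tld, count in sorted(result["failures_by_tld"].items()):
        print(f"{tld:10} {count:3} failures  verdict={result['verdicts'][tld]}")
    print("anchors that failed to prime:", result["unprimed_anchors"])
```

Run against a live log with `python3 triage.py` after replacing SAMPLE_LOG with the file contents; the "anchor" verdict is the cue to check the stub-zone or trust-anchor configuration (and, as Peter Koch's observation suggests, whether the outgoing queries still carry an OPT RR) before suspecting the signed domains themselves.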