Maintained by: NLnet Labs

[Unbound-users] Unbound stop working without error-log

W.C.A. Wijngaards
Wed Nov 3 09:42:30 CET 2010


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Andreas,

On 11/03/2010 09:07 AM, lst_hoe02 at kwsoft.de wrote:
> It seems more that unbound and bind disagree in their opinion if the
> signature is expired or not. As said the time unbound starts failing the
> same queries done directly to the upstream resolve *and* validate fine.
> So the options are:

That is strange.  Your clocks are synchronised, so that is not it.
Could it have been the recent daylight-savings change somehow?

Both bind and unbound may have some leeway for expired signatures that
you can configure; val-sig-skew-max and val-sig-skew-min config options
for unbound.

> - Bind does not send the same data it is using for validation to the
> downtsream (unbound) client. Would be a Bind bug i guess.

Try doing a dig @<bind> name +dnssec and then with +dnssec +cdflag.  If
that is different, then this is happening.

> - Unbound and Bind do validation different (should not happen IMHO)

Yes.

> - Validation in Unbound for some cases is broken. Would be a bug in
> Unbound i guess.

Well, when unbound refuses to validate it, enable val-log-level: 2, and
take a look in the log file, it gives a detailed error.  Then dig
+dnssec and dig +dnssec +cdflag when it mentions (also to the unbound so
see what is in the cache, and also at the IP address it mentions).

If you enable val-log-level: 2 (and you can have verbosity low), it
gives one line per validation failure.  This is a (relatively) low
amount of logging, but very useful, as it tells you why exactly unbound
failed the query.

> It would be nice to get help how to debug this as DNSSEC "by-hand" is
> somewhat challenging.

This is pretty easy, the RRSIG notes ....
	RRSIG bla bla  expiration   inception   bla bla.
They are in yyyymmddhhmmss format UTC.

Most signers leave a couple weeks headroom in the expiration date.

Best regards,
   Wouter
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAkzRIHYACgkQkDLqNwOhpPikxwCfZg1tMO8eQY4UJDv5ZquCd+sY
MkEAnR58F9ps9gV6rUpCsh7w32iFhM0B
=+/RQ
-----END PGP SIGNATURE-----