Maintained by: NLnet Labs

[Unbound-users] DNSSEC mismatch between Bind 9.7 and Unbound

lst_hoe02 at kwsoft.de
Fri Nov 5 16:01:35 CET 2010


Hello

Today we got this one:

Nov  4 15:51:34 mailer unbound: [17795:1] info: validation failure <lipsofsuna.org. A IN>: DS got unsigned CNAME answer from 10.5.0.3 and 10.5.0.3 for DS lipsofsuna.org. while building chain of trust

Unbound (127.0.0.1) point of view:

; <<>> DiG 9.4.2-P2.1 <<>> @127.0.0.1 +dnssec lipsofsuna.org
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 29562
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;lipsofsuna.org.			IN	A

; <<>> DiG 9.4.2-P2.1 <<>> @127.0.0.1 +dnssec +cdflag lipsofsuna.org
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59237
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;lipsofsuna.org.			IN	A

;; ANSWER SECTION:
lipsofsuna.org.		529	IN	CNAME	vhost.sourceforge.net.
vhost.sourceforge.net.	1214	IN	A	216.34.181.97

;; AUTHORITY SECTION:
sourceforge.net.	61634	IN	NS	ns-1.sourceforge.com.
sourceforge.net.	61634	IN	NS	ns-1.ch3.sourceforge.com.
sourceforge.net.	61634	IN	NS	ns-2.ch3.sourceforge.com.

; <<>> DiG 9.4.2-P2.1 <<>> @127.0.0.1 +dnssec +cdflag lipsofsuna.org DS
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6632
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;lipsofsuna.org.			IN	DS

;; ANSWER SECTION:
lipsofsuna.org.		504	IN	CNAME	vhost.sourceforge.net.

;; AUTHORITY SECTION:
sourceforge.net.	120	IN	SOA	ns-1.ch3.sourceforge.com. hostmaster.corp.sourceforge.com. 2010110300 14400 1800 604800 3600

and Bind 9.7 (10.5.0.3) point of view:

; <<>> DiG 9.4.2-P2.1 <<>> @10.5.0.3 +dnssec lipsofsuna.org
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35972
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;lipsofsuna.org.			IN	A

;; ANSWER SECTION:
lipsofsuna.org.		485	IN	CNAME	vhost.sourceforge.net.
vhost.sourceforge.net.	2285	IN	A	216.34.181.97

;; AUTHORITY SECTION:
sourceforge.net.	61590	IN	NS	ns-1.sourceforge.com.
sourceforge.net.	61590	IN	NS	ns-2.ch3.sourceforge.com.
sourceforge.net.	61590	IN	NS	ns-1.ch3.sourceforge.com.

; <<>> DiG 9.4.2-P2.1 <<>> @10.5.0.3 +dnssec +cdflag lipsofsuna.org DS
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32497
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;lipsofsuna.org.			IN	DS

;; ANSWER SECTION:
lipsofsuna.org.		468	IN	CNAME	vhost.sourceforge.net.

;; AUTHORITY SECTION:
sourceforge.net.	84	IN	SOA	ns-1.ch3.sourceforge.com. hostmaster.corp.sourceforge.com. 2010110300 14400 1800 604800 3600

Unbound is configured to use the Bind 9.7 at 10.5.0.3 as forwarder.
Where is the problem that stops Unbound from validating it?

Many Thanks

Andreas
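Added example (not code from the post, from Unbound or from BIND): a small offline checker that applies the DNSSEC chain-of-trust rule a validator uses when it asks for the DS record of a child zone. A DS query at a delegation point must come back either with a signed DS RRset (the child is secure) or with a signed NSEC/NSEC3 record proving that no DS exists (the child is provably insecure); anything else cannot be proven and is treated as bogus. The first sample below is the DS response shown in the post (an unsigned CNAME plus a SOA for a different zone); the other two are constructed, hypothetical responses for zones under `example.` that show what a usable answer looks like. The parser reads dig-style ANSWER/AUTHORITY sections only and does no signature verification; it checks the shape of the response, assuming any RRSIG present would verify.

```python
"""Classify a DS response the way a validator building a chain of trust would.

Added example, not Unbound's or BIND's own code. Parses dig-style output and
decides whether the response proves the child secure, proves it insecure, or
proves nothing (bogus). Structural check only: RRSIG contents are not verified.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class RR:
    name: str
    ttl: int
    rtype: str
    rdata: str


SECTION_RE = re.compile(r"^;; (\w+) SECTION:")


def parse_dig(text):
    """Return {'ANSWER': [RR, ...], 'AUTHORITY': [RR, ...]} from dig output."""
    sections = {"ANSWER": [], "AUTHORITY": []}
    current = None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)          # QUESTION/ADDITIONAL are ignored below
            continue
        line = line.strip()
        if not line or line.startswith(";") or current not in sections:
            continue
        fields = line.split(None, 4)      # owner, ttl, class, type, rdata
        if len(fields) < 5 or fields[2] != "IN":
            continue
        name, ttl, _, rtype, rdata = fields
        sections[current].append(RR(name, int(ttl), rtype, rdata))
    return sections


def classify_ds_response(qname, text):
    """Return 'secure', 'insecure', or a 'bogus: ...' reason for a DS query."""
    secs = parse_dig(text)
    answer, auth = secs["ANSWER"], secs["AUTHORITY"]
    # The first rdata field of an RRSIG is the type it covers.
    signed_types = {rr.rdata.split()[0] for rr in answer + auth if rr.rtype == "RRSIG"}
    ds = [rr for rr in answer if rr.rtype == "DS" and rr.name == qname]
    if ds:
        return "secure" if "DS" in signed_types else "bogus: DS RRset unsigned"
    denial = {rr.rtype for rr in auth if rr.rtype in ("NSEC", "NSEC3")}
    if denial & signed_types:
        return "insecure"                 # signed proof that no DS exists
    other = sorted({rr.rtype for rr in answer})
    if other:
        return f"bogus: DS query answered with {','.join(other)} and no signed proof"
    return "bogus: no DS and no signed denial"


# Sample 1: the DS response from the post (records reproduced, SOA on one line).
DS_RESPONSE_FROM_POST = """\
;; QUESTION SECTION:
;lipsofsuna.org.\t\t\tIN\tDS

;; ANSWER SECTION:
lipsofsuna.org.\t\t504\tIN\tCNAME\tvhost.sourceforge.net.

;; AUTHORITY SECTION:
sourceforge.net.\t120\tIN\tSOA\tns-1.ch3.sourceforge.com. hostmaster.corp.sourceforge.com. 2010110300 14400 1800 604800 3600
"""

# Sample 2 (constructed, hypothetical): parent proves there is no DS, signed.
SIGNED_DENIAL = """\
;; AUTHORITY SECTION:
example.\t900\tIN\tSOA\tns.example. hostmaster.example. 1 1800 900 604800 86400
example.\t900\tIN\tRRSIG\tSOA 8 1 900 20101201000000 20101101000000 11111 example. BASE64PLACEHOLDER==
insecure-child.example.\t86400\tIN\tNSEC\tnext-child.example. NS RRSIG NSEC
insecure-child.example.\t86400\tIN\tRRSIG\tNSEC 8 2 86400 20101201000000 20101101000000 11111 example. BASE64PLACEHOLDER==
"""

# Sample 3 (constructed, hypothetical): parent publishes a signed DS.
SIGNED_DS = """\
;; ANSWER SECTION:
secure-child.example.\t86400\tIN\tDS\t12345 8 2 0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF
secure-child.example.\t86400\tIN\tRRSIG\tDS 8 2 86400 20101201000000 20101101000000 11111 example. BASE64PLACEHOLDER==
"""

if __name__ == "__main__":
    print("lipsofsuna.org.:", classify_ds_response("lipsofsuna.org.", DS_RESPONSE_FROM_POST))
    print("insecure-child.example.:", classify_ds_response("insecure-child.example.", SIGNED_DENIAL))
    print("secure-child.example.:", classify_ds_response("secure-child.example.", SIGNED_DS))
```

Run against the post's DS response the checker reports the same condition the Unbound log line does: the forwarder followed the CNAME instead of returning the parent's DS or a signed denial, so the validator has no way to prove the zone secure or insecure and must fail the lookup.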