Maintained by: NLnet Labs

[Unbound-users] DNSSEC mismatch between Bind 9.7 and Unbound

W.C.A. Wijngaards
Fri Nov 5 16:31:10 CET 2010


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Andreas,

The trouble is that bind does not respond with the correct response to
the query for the DS.  Unbound can do nothing but fail the query.

(Thank you for the validation error line and those dig outputs, that
really helps!).

> and Bind 9.7 (10.5.0.3) point of view
> ; <<>> DiG 9.4.2-P2.1 <<>> @10.5.0.3 +dnssec +cdflag lipsofsuna.org DS
> ;; QUESTION SECTION:
> ;lipsofsuna.org.            IN    DS
> ;; ANSWER SECTION:
> lipsofsuna.org.        468    IN    CNAME    vhost.sourceforge.net.
> ;; AUTHORITY SECTION:
> sourceforge.net.    84    IN    SOA    ns-1.ch3.sourceforge.com.
> hostmaster.corp.sourceforge.com. 2010110300 14400 1800 604800 3600
> 
> Unbound is configured to use the Bind 9.7 at 10.5.0.3 as a forwarder.
> Where is the problem, so that unbound does not validate it?
> 

This response should have contained the NSEC3s and their RRSIGs that
came with the referral from .org.

It seems to be an error in Bind 9.7.  As a consolation, unbound has the
same error, which I have just fixed in svn (r2335).

Best regards,
   Wouter
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAkzUIz4ACgkQkDLqNwOhpPhBdgCgrNxH+YIqoviZRygpmfwbVVLZ
w94AoLEGMCxj4jFkkYRYuxOc/TGC6/Aq
=fKy1
-----END PGP SIGNATURE-----
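The check Wouter is making by hand above (does the DS answer carry the NSEC3s and their RRSIGs, or only a CNAME chased into the child zone?) can be scripted. The following is an added example, not code from this mail, Unbound or BIND: it parses dig-style text output and lists the reasons a validating resolver would fail the DS lookup. Both sample responses are constructed; the first mirrors the reply quoted in the thread, the second is a made-up `.org` denial with placeholder NSEC3 and RRSIG RDATA. The checker only tests record presence and RRSIG coverage, not signatures or NSEC3 hashes.

```python
import re
from collections import defaultdict

# Constructed sample: the shape of the BIND reply quoted in the thread
# (DS query answered with the child's CNAME, no denial records).
BAD_RESPONSE = """\
;; QUESTION SECTION:
;lipsofsuna.org.            IN    DS
;; ANSWER SECTION:
lipsofsuna.org.        468    IN    CNAME    vhost.sourceforge.net.
;; AUTHORITY SECTION:
sourceforge.net.    84    IN    SOA    ns-1.ch3.sourceforge.com. hostmaster.corp.sourceforge.com. 2010110300 14400 1800 604800 3600
"""

# Constructed sample: what a correct "no DS" reply from the parent looks like.
# NSEC3 hashes and signature data are placeholders, not real values.
GOOD_RESPONSE = """\
;; QUESTION SECTION:
;example.org.            IN    DS
;; AUTHORITY SECTION:
org.    900    IN    SOA    a0.org.afilias-nst.info. noc.afilias-nst.info. 2010110301 1800 900 604800 86400
org.    900    IN    RRSIG    SOA 7 1 900 20101112000000 20101105000000 12345 org. PLACEHOLDERSIG==
h9p7u7tr2u91d0v0ljs9l1gidnp90u3h.org.    86400    IN    NSEC3    1 1 1 D399EAAB H9PARR669T6U8O1GSG9E1LMITK4DEM0T NS SOA RRSIG DNSKEY NSEC3PARAM
h9p7u7tr2u91d0v0ljs9l1gidnp90u3h.org.    86400    IN    RRSIG    NSEC3 7 2 86400 20101112000000 20101105000000 12345 org. PLACEHOLDERSIG==
"""

RR_RE = re.compile(r'^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.*)$')
SECTION_RE = re.compile(r'^;; (\w+) SECTION:')


def parse_dig(text):
    """Return {section: [(owner, ttl, rrtype, rdata), ...]} from dig text output.

    Lines that are not one-line resource records (comments, the ;question
    line, wrapped continuations) are ignored.
    """
    sections = defaultdict(list)
    current = None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).upper()
            continue
        if not line or line.startswith(';') or current is None:
            continue
        m = RR_RE.match(line)
        if m:
            owner, ttl, rrtype, rdata = m.groups()
            sections[current].append((owner.lower(), int(ttl), rrtype.upper(), rdata))
    return sections


def rrsig_covers(records):
    """Set of RR types covered by the RRSIGs in the given record list.

    The covered type is the first field of an RRSIG's RDATA."""
    return {rr[3].split()[0].upper() for rr in records if rr[2] == 'RRSIG'}


def check_ds_response(text, qname):
    """Return a list of reasons a validator would fail this DS response ([] if fine)."""
    qname = qname.lower().rstrip('.') + '.'
    secs = parse_dig(text)
    answer = secs.get('ANSWER', [])
    authority = secs.get('AUTHORITY', [])
    problems = []

    ds = [rr for rr in answer if rr[0] == qname and rr[2] == 'DS']
    if ds:
        # Positive answer: the DS set itself must be signed.
        if 'DS' not in rrsig_covers(answer):
            problems.append('DS records present but no RRSIG covering DS')
        return problems

    # Negative answer: DS lives in the parent zone, so a CNAME from the
    # child is the wrong answer and must not be chased.
    if any(rr[2] == 'CNAME' for rr in answer):
        problems.append('DS query answered with a CNAME from the child zone')

    # Secure denial requires NSEC/NSEC3 records plus RRSIGs covering them.
    denial_types = {rr[2] for rr in authority if rr[2] in ('NSEC', 'NSEC3')}
    if not denial_types:
        problems.append('no DS and no NSEC/NSEC3 denial records in AUTHORITY')
    else:
        covered = rrsig_covers(authority)
        for typ in sorted(denial_types):
            if typ not in covered:
                problems.append(f'{typ} present without an RRSIG covering {typ}')
    return problems


if __name__ == '__main__':
    for label, text, name in (('bad', BAD_RESPONSE, 'lipsofsuna.org'),
                              ('good', GOOD_RESPONSE, 'example.org')):
        print(label, check_ds_response(text, name))
```

Run against the forwarder (`dig @10.5.0.3 +dnssec +cdflag <zone> DS`) this reproduces the diagnosis from the mail: a CNAME in the answer and no NSEC3/RRSIG in the authority section means the forwarder's reply cannot be validated, whatever the parent zone actually says.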