Maintained by: NLnet Labs

[Unbound-users] Strange validation results when using .de testbed

Hauke Lampe
Mon Oct 11 00:54:11 CEST 2010


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Hi Wouter.

After adding trust-anchors and stub-zone configuration for the .de
DNSSEC testbed, I get strange validation results, where Unbound reports
secured subdomains as insecure.

The parent domain is validated by DLV and reported secure. Disabling the
.de stub zone configuration fixes it.

I use DENIC's configuration example:
http://www.denic.de/fileadmin/Domains/DNSSEC/dnssec-testbed-muster-unbound.txt

Queries and AD flags:

home.dyndns.hauke-lampe.de. A -> insecure
dyndns.hauke-lampe.de. SOA -> insecure
hauke-lampe.de. SOA -> secure
dyndns.hauke-lampe.de. DS -> answer contains NSEC3 records from .de TLD

Full unbound-host debug log is here:
https://www.hauke-lampe.de/temp/unbound-host.log

I get the same results from DNS-OARC's resolvers
(https://www.dns-oarc.net/oarc/services/odvr):

dig +dnssec dyndns.hauke-lampe.de. ds @149.20.64.21  # Unbound

> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 1
> [...]
> ;; AUTHORITY SECTION:
> 3K7UC41UOSLRR6B2FL0H3BG1S2QODATF.de. 5819 IN NSEC3 1 1 31 DE15C001 3K846UFP2SLUUNEP0UF07IVM5BPUMPL4 NS SOA NAPTR RRSIG DNSKEY NSEC3PARAM
> 3K7UC41UOSLRR6B2FL0H3BG1S2QODATF.de. 5819 IN RRSIG NSEC3 8 2 7200 20101017120000 20101010120000 56760 de. eEDMwH1c4elJ4csdfOZ4GhAO8bkkYSp6EtMUDIflOjgJokILvywCzElD CoiTi2UG+oEalXQCEQHy/qQFkEagf9rPzxdRIOCmhTcW+1x0pyzZ9Zzx lZ+n+YqPmS4+4F/VtI0wWAjW5R1edzyG7+2voFH6pG8zL970/cQHWBUG dyY=
> RHEOUB268TFR7QCO26MH2R1F320RNS8I.de. 7096 IN NSEC3 1 1 31 DE15C001 RHES27TM53S8ER72SCDPTNNP0GCMOBO6 A RRSIG
> RHEOUB268TFR7QCO26MH2R1F320RNS8I.de. 7096 IN RRSIG NSEC3 8 2 7200 20101017120000 20101010120000 56760 de. RlTGZTuUujNcTv84YJ4o/QRx7+YpS8WdtehL7GUhItgKHidZSYIppUig 9TzWORfzw4BI5/MM5ZtiCCk/VL7P7K9mNiYiHfOxWvqVdBKNyI54BYFn s7PFbzR4ccdQAsj477arR6CtKmT7+jVEZy7xlIjFi6td1AugQY+jvJsl jH0=
> de.			5819	IN	SOA	f.nic.de. its.denic.de. 2010101061 7200 7200 3600000 7200
> de.			5819	IN	RRSIG	SOA 8 1 86400 20101017120000 20101010120000 56760 de. la/O+y6AySh+rWNidx8ORLLylODcSp4gPMhcAp9sdHeWFNuK2XNDV8qH VYKbUPxbQqFH68xcgGqCktyCKB2cxpe6kd1gUY7AySjAa9FTeejP9atO AJ+Y39KaVxOsjPJ2P9LY9qHKeudWHRMRzi3hZWs++APUSpypy5gn3rM+ 6qo=

dig +dnssec dyndns.hauke-lampe.de. ds @149.20.64.20  # BIND

> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
> [...]
> ;; ANSWER SECTION:
> dyndns.hauke-lampe.de.	229612	IN	DS	38679 10 1 363FC90815032BB941808CD73C1D21AB3F3D6D3E
> dyndns.hauke-lampe.de.	229612	IN	DS	38679 10 2 B06ABE78F499F24CE9AC64BEFE6D9A3F2B101168867DF8B849F0800F 59F2CDF4
> dyndns.hauke-lampe.de.	229612	IN	RRSIG	DS 5 3 230042 20101021092305 20101007092305 20073 hauke-lampe.de. AQGIjBFH3xaXkUTGYo9yUHbva8GGWhasyQOv50CVNuzFJUOQrL05vtyH C2W7e7eSUFkvOm7dqaIkkBsV/+WFJAUXPcNqT9mJGpTiXuSLXRJmv8k2 h4dnv4FT82YMP+kvNoF0QRRb7xp5trHsUvPX0uhzfbL8sCJwz31csDfq RT2E
> dyndns.hauke-lampe.de.	229612	IN	RRSIG	DS 5 3 230042 20101021092305 20101007092305 26427 hauke-lampe.de. ARqKo559ueoZT80eRvjauYL95mGjsc+WsJL/MLZxuHDG3jPFEjYrctac fhcKu/xVKhzT3mnxFgtBoHwcw45NIyXjfVn54FQk2mdFcJ/VW/n+xbVB Uyb+X078GeirOPDq1QFeFezADaBlgJDeg7v+wmyg0Vrmt6uFJ8kcpGxG 8TLB


Hauke.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAkyyRA0ACgkQKIgAG9lfHFPFyACguIEWrc0QNf6o5hwKUUF8KTGA
BykAnRu3OXe3X+dTJoWjNheoV1PUPGTH
=HiTa
-----END PGP SIGNATURE-----
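
Added example, not part of the original post and not Unbound's code: an RFC 5155 NSEC3 hash and coverage check for seeing which ancestors of the queried name the two NSEC3 records in the Unbound answer match or cover, and whether their Opt-Out flag is set. The function names are illustrative; the record tuples are copied from the dig output in the message above.

```python
import base64
import hashlib

# Map the RFC 4648 base32 alphabet to base32hex, the encoding of NSEC3 owner labels.
_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                        "0123456789ABCDEFGHIJKLMNOPQRSTUV")

def nsec3_hash(name, salt_hex, iterations):
    """RFC 5155 hash (algorithm 1, SHA-1) of a domain name, as a base32hex label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):          # "iterations" counts the extra rounds
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(_B32HEX)

def covers(owner, nxt, target):
    """True if target sorts strictly between owner and next hashed owner name."""
    o, n, t = owner.upper(), nxt.upper(), target.upper()
    if o < n:
        return o < t < n
    return t > o or t < n                # last record of the chain wraps around

def classify(name, zone, nsec3_rrs):
    """Relate each ancestor of name (down to the zone apex) to the NSEC3 records."""
    labels = name.rstrip(".").split(".")
    apex_len = len(zone.rstrip(".").split("."))
    found = []
    for i in range(len(labels) - apex_len + 1):
        cand = ".".join(labels[i:])
        for owner, flags, iters, salt, nxt in nsec3_rrs:
            h = nsec3_hash(cand, salt, iters)
            opt_out = bool(flags & 1)    # flags bit 0 = Opt-Out
            if h == owner.upper():
                found.append((cand, "matches", opt_out))
            elif covers(owner, nxt, h):
                found.append((cand, "covered", opt_out))
    return found

# The two NSEC3 records from the Unbound answer: (owner label, flags, iterations, salt, next)
DE_NSEC3 = [
    ("3K7UC41UOSLRR6B2FL0H3BG1S2QODATF", 1, 31, "DE15C001", "3K846UFP2SLUUNEP0UF07IVM5BPUMPL4"),
    ("RHEOUB268TFR7QCO26MH2R1F320RNS8I", 1, 31, "DE15C001", "RHES27TM53S8ER72SCDPTNNP0GCMOBO6"),
]

if __name__ == "__main__":
    for row in classify("dyndns.hauke-lampe.de.", "de.", DE_NSEC3):
        print(row)
```

Each output row is (candidate name, "matches" or "covered", Opt-Out flag); a name that is only "covered" by an Opt-Out record has no signed entry in that zone's NSEC3 chain.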