Maintained by: NLnet Labs

[Unbound-users] Strange validation results when using .de testbed

Paul Wouters
Mon Oct 11 07:27:00 CEST 2010


On Mon, 11 Oct 2010, Hauke Lampe wrote:

> http://www.denic.de/fileadmin/Domains/DNSSEC/dnssec-testbed-muster-unbound.txt
>
> Queries and AD flags:

> dig +dnssec dyndns.hauke-lampe.de. ds @149.20.64.21  # Unbound
>
>> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 1
>> [...]
>> ;; AUTHORITY SECTION:
>> 3K7UC41UOSLRR6B2FL0H3BG1S2QODATF.de. 5819 IN NSEC3 1 1 31 DE15C001 3K846UFP2SLUUNEP0UF07IVM5BPUMPL4 NS SOA NAPTR RRSIG DNSKEY NSEC3PARAM
>> 3K7UC41UOSLRR6B2FL0H3BG1S2QODATF.de. 5819 IN RRSIG NSEC3 8 2 7200 20101017120000 20101010120000 56760 de. eEDMwH1c4elJ4csdfOZ4GhAO8bkkYSp6EtMUDIflOjgJokILvywCzElD CoiTi2UG+oEalXQCEQHy/qQFkEagf9rPzxdRIOCmhTcW+1x0pyzZ9Zzx lZ+n+YqPmS4+4F/VtI0wWAjW5R1edzyG7+2voFH6pG8zL970/cQHWBUG dyY=
>> RHEOUB268TFR7QCO26MH2R1F320RNS8I.de. 7096 IN NSEC3 1 1 31 DE15C001 RHES27TM53S8ER72SCDPTNNP0GCMOBO6 A RRSIG
>> RHEOUB268TFR7QCO26MH2R1F320RNS8I.de. 7096 IN RRSIG NSEC3 8 2 7200 20101017120000 20101010120000 56760 de. RlTGZTuUujNcTv84YJ4o/QRx7+YpS8WdtehL7GUhItgKHidZSYIppUig 9TzWORfzw4BI5/MM5ZtiCCk/VL7P7K9mNiYiHfOxWvqVdBKNyI54BYFn s7PFbzR4ccdQAsj477arR6CtKmT7+jVEZy7xlIjFi6td1AugQY+jvJsl jH0=
>> de.			5819	IN	SOA	f.nic.de. its.denic.de. 2010101061 7200 7200 3600000 7200
>> de.			5819	IN	RRSIG	SOA 8 1 86400 20101017120000 20101010120000 56760 de. la/O+y6AySh+rWNidx8ORLLylODcSp4gPMhcAp9sdHeWFNuK2XNDV8qH VYKbUPxbQqFH68xcgGqCktyCKB2cxpe6kd1gUY7AySjAa9FTeejP9atO AJ+Y39KaVxOsjPJ2P9LY9qHKeudWHRMRzi3hZWs++APUSpypy5gn3rM+ 6qo=

Works fine for my unbound (1.4.5rc1) with testbed config:

$ dig +dnssec dyndns.hauke-lampe.de. ds @nssec.xelerance.com

; <<>> DiG 9.6.2-P2-RedHat-9.6.2-5.P2.fc12 <<>> +dnssec dyndns.hauke-lampe.de. ds @nssec.xelerance.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16054
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;dyndns.hauke-lampe.de.		IN	DS

;; ANSWER SECTION:
dyndns.hauke-lampe.de.	230042	IN	DS	38679 10 1 363FC90815032BB941808CD73C1D21AB3F3D6D3E
dyndns.hauke-lampe.de.	230042	IN	DS	38679 10 2 B06ABE78F499F24CE9AC64BEFE6D9A3F2B101168867DF8B849F0800F 59F2CDF4
dyndns.hauke-lampe.de.	230042	IN	RRSIG	DS 5 3 230042 20101024234142 20101010234142 20073 hauke-lampe.de. ASD3K4SXxdKx8sWO+XkZWR/aJR+HVVq1KBBwymSaKKSi3C84/5z3Ujlf jMLKvlYfpTQPkmNwPhvxi40FNbFVN1ziCYXQ4+jbXsA+OkX9k+a1fcVR BL6G76DVQfnKLNOBeW74TyIT3xUdQuLnSRclQ04XNM+MMI93Y6OnoA/w gyBK
dyndns.hauke-lampe.de.	230042	IN	RRSIG	DS 5 3 230042 20101024234142 20101010234142 26427 hauke-lampe.de. ANwGhpCDlZ+wozXmf/hBD7Bj44U/YXB+v2CZ9ytkV3IbVNmIN5qahKJZ YyyN2be+OHkYPnjH1iBx/cTVlRsOvos4mjdfAOaSFNsK618F9H5gKjWg rxr65fKGlFmeA1Jc+KcybZWnlke4uMyn/I5nAe3KyfQ4K0LIqABWNb3Q E5Uw

;; Query time: 189 msec
;; SERVER: 193.110.157.136#53(193.110.157.136)
;; WHEN: Mon Oct 11 01:24:34 2010
;; MSG SIZE  rcvd: 484

Paul