Maintained by: NLnet Labs

[Unbound-users] Strange validation results when using .de testbed

Hauke Lampe
Mon Oct 11 08:14:44 CEST 2010



On 11.10.2010 07:27, Paul Wouters wrote:
> On Mon, 11 Oct 2010, Hauke Lampe wrote:

> Works fine for my unbound (1.4.5rc1) with testbed config:
> 
> $ dig +dnssec dyndns.hauke-lampe.de. ds @nssec.xelerance.com

That is odd. Right now, it works on my resolver and DNS-OARC's, too.

I still can reproduce it with unbound-host, though:

| # unbound-host -C unbound-testbed.conf -t a -v home.dyndns.hauke-lampe.de
| home.dyndns.hauke-lampe.de has address 213.39.216.235 (insecure)
| # unbound-host -C unbound-notestbed.conf -t a -v home.dyndns.hauke-lampe.de
| home.dyndns.hauke-lampe.de has address 213.39.216.235 (secure)

Here's my sample config:
https://www.hauke-lampe.de/temp/unbound-host-config.tgz

In the testbed case, unbound does not even query for the subdomain DS:

| info: next keyname <dyndns.hauke-lampe.de. DNSKEY IN>
| info: DS RRset <hauke-lampe.de. DS IN>
Shouldn't that say dyndns.hauke-lampe.de above?
| debug: Process cached DS response
| debug: nsec3: keysize 1032 bits, max iterations 500
| info: ce candidate <de. TYPE0 CLASS0>
| info: NSEC3s for the referral proved no DS.
| debug: val handle processing q with state VAL_VALIDATE_STATE
| info: Verified that response is INSECURE

Unbound seems to use the NSEC3s from .de to decide that there's no DS
for dyndns.hauke-lampe.de. If I just remove the DNSKEY for .de, Unbound
tries to validate them and then goes ahead and fetches the DS record:

| info: next keyname <dyndns.hauke-lampe.de. DNSKEY IN>
| info: DS RRset <hauke-lampe.de. DS IN>
| debug: Process cached DS response
| info: verify rrset <3K7UC41UOSLRR6B2FL0H3BG1S2QODATF.de. NSEC3 IN>
| debug: verify sig 56760 8
| debug: verify: could not find appropriate key
| debug: rrset failed to verify: no valid signatures for 1 algorithms
| debug: verify result: sec_status_bogus
| debug: NSEC3 did not verify
| info: NSEC3s for the referral did not prove no DS.
| debug: blacklist add: cache
| debug: val handle processing q with state VAL_FINDKEY_STATE
| info: validator: FindKey <home.dyndns.hauke-lampe.de. A IN>
| info: current keyname <hauke-lampe.de. DNSKEY IN>
| info: target keyname <dyndns.hauke-lampe.de. DNSKEY IN>
| debug: striplab 0
| info: next keyname <dyndns.hauke-lampe.de. DNSKEY IN>
| info: DS RRset <hauke-lampe.de. DS IN>
| info: generate request <dyndns.hauke-lampe.de. DS IN>


Hauke.
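To make the validation logic in this thread concrete, here is an added illustration (not Unbound's code and not part of the original mail): it walks the chain of DS owners a validator has to check below a trust anchor, and applies the rule that a "no DS" denial can only come from the owner's immediate parent zone, which is why an NSEC3 signed by de. cannot settle the DS status of dyndns.hauke-lampe.de. The names are those from the log above; the function names are the example's own.

```python
"""Model of the DS chain walk and the 'which zone may deny a DS' rule.

Added example to illustrate the mailing-list discussion; it is not the
resolver's implementation. DS RRsets are published by the parent zone
(RFC 4035, section 2.4), so a denial-of-existence proof for a DS is only
meaningful when it is signed by that parent.
"""
from typing import List


def labels(name: str) -> List[str]:
    # "dyndns.hauke-lampe.de." -> ["dyndns", "hauke-lampe", "de"]
    return [l.lower() for l in name.rstrip(".").split(".") if l]


def is_subdomain(name: str, zone: str) -> bool:
    n, z = labels(name), labels(zone)
    return len(n) >= len(z) and n[len(n) - len(z):] == z


def parent(name: str) -> str:
    n = labels(name)
    return ".".join(n[1:]) + "." if len(n) > 1 else "."


def ds_chain(anchor_zone: str, signer_name: str) -> List[str]:
    """DS owners that must be fetched and validated, in order, to get from
    the trust-anchored zone to the zone that signed the answer. This mirrors
    the 'next keyname' progression in the debug log (de. -> hauke-lampe.de.
    -> dyndns.hauke-lampe.de.)."""
    if not is_subdomain(signer_name, anchor_zone):
        raise ValueError("signer %s is not below anchor %s" % (signer_name, anchor_zone))
    n, depth = labels(signer_name), len(labels(anchor_zone))
    return [".".join(n[len(n) - i:]) + "." for i in range(depth + 1, len(n) + 1)]


def no_ds_proof_applies(proof_zone: str, ds_owner: str) -> bool:
    """True only if an NSEC/NSEC3 denial signed by proof_zone can establish
    that ds_owner has no DS, i.e. proof_zone is ds_owner's immediate parent."""
    return labels(proof_zone) == labels(parent(ds_owner))


def classify_referral(proof_zone: str, ds_owner: str) -> str:
    """What a validator should conclude from a 'no DS' proof for ds_owner
    signed by proof_zone: the zone below is insecure, or the proof does not
    cover this name and the DS must still be queried at the real parent."""
    if no_ds_proof_applies(proof_zone, ds_owner):
        return "insecure"
    return "need DS query for %s at %s" % (ds_owner, parent(ds_owner))


if __name__ == "__main__":
    print(ds_chain("de.", "dyndns.hauke-lampe.de."))
    print(classify_referral("de.", "hauke-lampe.de."))
    print(classify_referral("de.", "dyndns.hauke-lampe.de."))
```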