Maintained by: NLnet Labs

[Unbound-users] Strange validation results when using .de testbed

W.C.A. Wijngaards
Mon Oct 11 14:26:27 CEST 2010


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Hauke,

This is a bug in unbound.  Fixed in svn trunk r2275.

It is caused not by the testbed setup for .de, but by a parent zone that
uses NSEC3-optout, then a DLV entry below it, which itself has a secure
delegation hosted on the same server.  And an oversight in the unbound
code, where the case of an island below optout nsec3 picked the nsec3
'insecure' instead of the lower island trust chain.

Best regards,
   Wouter

On 10/11/2010 08:14 AM, Hauke Lampe wrote:
> On 11.10.2010 07:27, Paul Wouters wrote:
>> On Mon, 11 Oct 2010, Hauke Lampe wrote:
> 
>> Works fine for my unbound (1.4.5rc1) with testbed config:
> 
>> $ dig +dnssec dyndns.hauke-lampe.de. ds @nssec.xelerance.com
> 
> That is odd. Right now, it works on my resolver and DNS-OARC's, too.
> 
> I still can reproduce it with unbound-host, though:
> 
> | # unbound-host -C unbound-testbed.conf -t a -v home.dyndns.hauke-lampe.de
> | home.dyndns.hauke-lampe.de has address 213.39.216.235 (insecure)
> | # unbound-host -C unbound-notestbed.conf -t a -v home.dyndns.hauke-lampe.de
> | home.dyndns.hauke-lampe.de has address 213.39.216.235 (secure)
> 
> Here's my sample config:
> https://www.hauke-lampe.de/temp/unbound-host-config.tgz
> 
> In the testbed case, unbound does not even query for the subdomain DS:
> 
> | info: next keyname <dyndns.hauke-lampe.de. DNSKEY IN>
> | info: DS RRset <hauke-lampe.de. DS IN>
> Shouldn't that say dyndns.hauke-lampe.de above?
> | debug: Process cached DS response
> | debug: nsec3: keysize 1032 bits, max iterations 500
> | info: ce candidate <de. TYPE0 CLASS0>
> | info: NSEC3s for the referral proved no DS.
> | debug: val handle processing q with state VAL_VALIDATE_STATE
> | info: Verified that response is INSECURE
> 
> Unbound seems to use the NSEC3s from .de to decide that there's no DS
> for dyndns.hauke-lampe.de. If I just remove the DNSKEY for .de, Unbound
> tries to validate them and then goes ahead and fetches the DS record:
> 
> | info: next keyname <dyndns.hauke-lampe.de. DNSKEY IN>
> | info: DS RRset <hauke-lampe.de. DS IN>
> | debug: Process cached DS response
> | info: verify rrset <3K7UC41UOSLRR6B2FL0H3BG1S2QODATF.de. NSEC3 IN>
> | debug: verify sig 56760 8
> | debug: verify: could not find appropriate key
> | debug: rrset failed to verify: no valid signatures for 1 algorithms
> | debug: verify result: sec_status_bogus
> | debug: NSEC3 did not verify
> | info: NSEC3s for the referral did not prove no DS.
> | debug: blacklist add: cache
> | debug: val handle processing q with state VAL_FINDKEY_STATE
> | info: validator: FindKey <home.dyndns.hauke-lampe.de. A IN>
> | info: current keyname <hauke-lampe.de. DNSKEY IN>
> | info: target keyname <dyndns.hauke-lampe.de. DNSKEY IN>
> | debug: striplab 0
> | info: next keyname <dyndns.hauke-lampe.de. DNSKEY IN>
> | info: DS RRset <hauke-lampe.de. DS IN>
> | info: generate request <dyndns.hauke-lampe.de. DS IN>
> 
> 
> Hauke.
_______________________________________________
Unbound-users mailing list
Unbound-users at unbound.net
http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAkyzAnMACgkQkDLqNwOhpPgUEACfXMUVOu8udVn3DTcLG/G/OKGL
1h0AoJ8HVrCKYCb9yAe9gise4D8MxBob
=ZJRi
-----END PGP SIGNATURE-----
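The chain-of-trust decision Wouter describes, as an added example that is not part of this thread and not Unbound's own code. It models a validator that holds a parent-zone NSEC3 opt-out proof (the ".de" side) and also an island of trust below it (a configured or DLV-learned anchor for "hauke-lampe.de."), and shows why the island must take precedence: an opt-out span only proves the parent publishes no DS, not that the child is unsigned. NSEC3 hashing follows RFC 5155 section 5, but the zone, salt, anchors and one-record NSEC3 chain are constructed toy data, and `chain_start`/`buggy_chain_start` are hypothetical functions, not Unbound internals.

```python
"""Simplified model of the trust-chain choice behind this bug (added illustration)."""
import base64
import hashlib
from dataclasses import dataclass

# base32 -> base32hex alphabet translation (RFC 5155 uses base32hex for hashed labels)
_B32_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                               "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def labels_of(name):
    """Labels of a DNS name, lowercased, without the empty root label."""
    return [l for l in name.lower().rstrip(".").split(".") if l]


def name_to_wire(name):
    """Canonical wire form: length-prefixed lowercase labels plus root terminator."""
    return b"".join(bytes([len(l)]) + l.encode() for l in labels_of(name)) + b"\x00"


def nsec3_hash(name, salt, iterations):
    """RFC 5155 section 5: H(x) = SHA-1(x || salt), applied `iterations` extra times."""
    h = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        h = hashlib.sha1(h + salt).digest()
    return base64.b32encode(h).decode().translate(_B32_TO_B32HEX)  # 20 bytes: no '=' padding


@dataclass(frozen=True)
class NSEC3:
    owner_hash: str   # hashed owner label (zone suffix omitted)
    next_hash: str
    opt_out: bool     # opt-out flag: unsigned delegations may exist inside the span


def covers(rec, h):
    """True when hash `h` lies strictly inside the span owner..next (the chain wraps)."""
    if rec.owner_hash < rec.next_hash:
        return rec.owner_hash < h < rec.next_hash
    return h > rec.owner_hash or h < rec.next_hash


def is_ancestor_or_equal(anc, name):
    a, n = labels_of(anc), labels_of(name)
    return len(a) <= len(n) and n[len(n) - len(a):] == a


def child_of(parent_zone, qname):
    """The name one label below `parent_zone` on the path down to `qname`."""
    n, p = labels_of(qname), labels_of(parent_zone)
    assert len(n) > len(p), "qname must be below the parent zone"
    return ".".join(n[len(n) - len(p) - 1:]) + "."


def optout_proves_no_ds(child, zone, salt, iterations, nsec3s):
    """RFC 5155 section 8.9 style no-DS proof: closest encloser match plus an
    opt-out NSEC3 covering the next closer name.  True only when both hold."""
    labels = labels_of(child)
    zlen = len(labels_of(zone))
    for i in range(0, len(labels) - zlen + 1):
        ce_hash = nsec3_hash(".".join(labels[i:]) + ".", salt, iterations)
        if not any(r.owner_hash == ce_hash for r in nsec3s):
            continue
        if i == 0:
            return False          # the child name itself exists; a DS would live there
        nc_hash = nsec3_hash(".".join(labels[i - 1:]) + ".", salt, iterations)
        cover = next((r for r in nsec3s if covers(r, nc_hash)), None)
        return cover is not None and cover.opt_out
    return False


def chain_start(qname, anchors, parent_zone, salt, iterations, nsec3s):
    """Fixed behaviour (hypothetical): choose where validation of `qname` starts.
    `anchors` are configured or DLV-learned trust anchors.  The deepest anchor
    below the opt-out parent wins over the parent's 'insecure' proof."""
    deepest = max((a for a in anchors if is_ancestor_or_equal(a, qname)),
                  key=lambda a: len(labels_of(a)), default=None)
    if deepest is None:
        return ("indeterminate", None)       # no anchor covers this name at all
    if len(labels_of(deepest)) > len(labels_of(parent_zone)):
        return ("secure-chain", deepest)      # island of trust below the opt-out span
    if optout_proves_no_ds(child_of(parent_zone, qname), parent_zone, salt, iterations, nsec3s):
        return ("insecure", deepest)
    return ("need-ds-query", deepest)         # no proof either way: ask the parent for DS


def buggy_chain_start(qname, anchors, parent_zone, salt, iterations, nsec3s):
    """The oversight the thread describes, modelled: the parent's opt-out proof is
    consulted first, so the lower island is never reached."""
    if optout_proves_no_ds(child_of(parent_zone, qname), parent_zone, salt, iterations, nsec3s):
        return ("insecure", parent_zone)
    return chain_start(qname, anchors, parent_zone, salt, iterations, nsec3s)


# Constructed toy data: a one-record NSEC3 chain for "de." whose single span wraps
# around and therefore covers every hash except its own owner.
SALT, ITERATIONS = bytes.fromhex("abcd"), 1
APEX = nsec3_hash("de.", SALT, ITERATIONS)
OPTOUT_CHAIN = [NSEC3(APEX, APEX, opt_out=True)]
NO_OPTOUT_CHAIN = [NSEC3(APEX, APEX, opt_out=False)]
QNAME = "home.dyndns.hauke-lampe.de."

if __name__ == "__main__":
    print(chain_start(QNAME, {".", "hauke-lampe.de."}, "de.", SALT, ITERATIONS, OPTOUT_CHAIN))
    print(buggy_chain_start(QNAME, {".", "hauke-lampe.de."}, "de.", SALT, ITERATIONS, OPTOUT_CHAIN))
```

With the island anchor present, `chain_start` reports a secure chain starting at "hauke-lampe.de.", while `buggy_chain_start` reports "insecure" from the parent's opt-out span, which matches the "(insecure)" versus "(secure)" difference in the unbound-host output quoted above. Without the island, both agree: opt-out gives "insecure", and a non-opt-out chain with no matching no-DS proof leaves the validator needing a DS query.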