Maintained by: NLnet Labs

[Unbound-users] A and ANY queries give conflicted results

Paul Wouters
Tue Apr 12 23:13:43 CEST 2011


I put in an A record for "badsig.dane.xelerance.com." with the intention of putting
a bad "dane TLSA" record in there. So contrary to the name, the RRSIG for "badsig" is
fine.

But unbound (1.4.8) gives me:

[paul at bofh pri]$ dig +dnssec a badsig.dane.xelerance.com.

; <<>> DiG 9.7.3-RedHat-9.7.3-1.fc14 <<>> +dnssec a badsig.dane.xelerance.com.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14663
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;badsig.dane.xelerance.com.	IN	A

;; AUTHORITY SECTION:
xelerance.com.		1843	IN	SOA	ns1.xelerance.net. hostmaster.xelerance.com. 2011041269 18000 3600 864000 3600
xelerance.com.		1843	IN	RRSIG	SOA 5 2 3600 20110505082418 20110412193207 52862 xelerance.com. AjMgXLIoxiKF96CuFAi1xIKDBOmUSj1gDUP8x6IA/dupfBfSf2IJ7vZB r1Mk9l3dSlvfGqWrKZoAkb7hBe65aVdxWPNF/haBHycteofzXBLp48C4 ur06uhu6JgFT6lK40xEYV40O+3TPOgtiMyThSdZhUxHbQT4hN826+QXu ZCk=
_443._tcp.dane.xelerance.com. 1537 IN	NSEC	_443._tcp.badsig.dane.xelerance.com. RRSIG NSEC TYPE65468
_443._tcp.dane.xelerance.com. 1537 IN	RRSIG	NSEC 5 5 3600 20110508195703 20110412150206 52862 xelerance.com. S29Q/B0lQXq5panQv0utkdluaNzHZ2bYhqjrxQDb5QBv8KOn5WpwxG+c 5ZPBJPLIM7pVcheb88VjLaybUSfDygeazrz0kucF1XW+N8mvqbGLA8bF 4NtYD/GcBAzq6zaDFkq5azPp42zLlmROyUlxbHGQr2xBOd0QL8lu7Pzt nx4=

;; Query time: 115 msec
;; SERVER: 193.110.157.136#53(193.110.157.136)
;; WHEN: Tue Apr 12 17:03:32 2011
;; MSG SIZE  rcvd: 557

So this tells me the record does not exist. But when I do an ANY query:

[paul at bofh pri]$ dig +dnssec any badsig.dane.xelerance.com.

; <<>> DiG 9.7.3-RedHat-9.7.3-1.fc14 <<>> +dnssec any badsig.dane.xelerance.com.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50885
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 5, ADDITIONAL: 5

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;badsig.dane.xelerance.com.	IN	ANY

;; ANSWER SECTION:
badsig.dane.xelerance.com. 3505	IN	A	193.110.157.151
badsig.dane.xelerance.com. 3505	IN	RRSIG	A 5 4 3600 20110505101649 20110412193207 52862 xelerance.com. nal4M2CFZCFpYD8fGdM2UN/nVhoI6W7wbKSx7IfqR6hHu6GyEnFckG7I IGgOUeKW69vVk19ZpNcxZFCPjxjjOizLdbn5ZpzmiPwKLrYMt9rVb740 /Wm3Um69tyP79DiNFFdx1j02C6jL8DAGhpFlHaTDL5YxTQadUDyQy7hj qH0=
badsig.dane.xelerance.com. 3505	IN	NSEC	_443._tcp.badsig.dane.xelerance.com. A RRSIG NSEC
badsig.dane.xelerance.com. 3505	IN	RRSIG	NSEC 5 4 3600 20110507165524 20110412193207 52862 xelerance.com. MBZf648QzxlK3iGVG9rIEbMaPfHVYX3cF/NdsJpUmNAue8UyES5XqXM2 7+fvNhMhWLNfzjR0uek+H0L/KDqmsETziiV+4P7W90/kdvyk23b6E0+l F8f9o1cjbpWS6NgzdLYl3u6xE3mIedg8Zj94yUkDO7IPg8wG9DWKPrIY Lbw=

;; AUTHORITY SECTION:
xelerance.com.		1222	IN	NS	ns0.xelerance.nl.
xelerance.com.		1222	IN	NS	ns1.xelerance.net.
xelerance.com.		1222	IN	NS	ns2.xelerance.org.
xelerance.com.		1222	IN	NS	ns3.xelerance.com.
xelerance.com.		1222	IN	RRSIG	NS 5 2 3600 20110504211948 20110407132406 52862 xelerance.com. GFOJpCG0wnC65zdaKU3wBab3H9yACG84B+47jXdfGigcspDx8Ro8+qGH daQCVQLTZP92f549qA5j3JnwqmISQIUyaF7acDGY+1h65G9xyZCt7xNV X7bLPXLQbJ63OMkAYG00+tyg6tAtxLLStvOCsbVTfvUkCm5M5VhbaDJM jQE=

;; ADDITIONAL SECTION:
ns3.xelerance.com.	1222	IN	A	65.18.175.19
ns3.xelerance.com.	1222	IN	AAAA	2607:f7d0:403:1::1
ns3.xelerance.com.	1222	IN	RRSIG	A 5 3 3600 20110505112452 20110411195206 52862 xelerance.com. SidtyN0Jp51ftbmTB6U4euk/BtTiP8u3bNz6KfnYUmJCc++LPdgc0Bxa +0JCXzw0nkZUWBdBOTfuiBw+Xiz7S1Nw0FPtVdXegj/E/1VQPzaWguiA aFYRVB3tKwSc9swNGacdGmuGYmTJIT/174dfgVmSKfHzSrm15BK2O+S6 Y/I=
ns3.xelerance.com.	1222	IN	RRSIG	AAAA 5 3 3600 20110430162655 20110405051806 52862 xelerance.com. l+dlkSzDLwGYeic3azZEJijlP6CGNA9syaUj9B5UdTlsMTNU1arhO26s Dwg3PQjK/OcyXWAopjKLkbvX8+LL3+IU7H5VnRca6+EVxH/jkjqm52U/ lMJSSuCjDob31TXH9zR9bJcnA7noLFgcQQm653PZea7GwKQE1r1gxVoP KI4=

;; Query time: 116 msec
;; SERVER: 193.110.157.136#53(193.110.157.136)
;; WHEN: Tue Apr 12 17:03:40 2011
;; MSG SIZE  rcvd: 1146

Now it exists?

Note that nsd is serving the record fine:

[paul at bofh pri]$ dig +dnssec a badsig.dane.xelerance.com. @ns0.xelerance.net

; <<>> DiG 9.7.3-RedHat-9.7.3-1.fc14 <<>> +dnssec a badsig.dane.xelerance.com. @ns0.xelerance.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61386
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 5
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;badsig.dane.xelerance.com.	IN	A

;; ANSWER SECTION:
badsig.dane.xelerance.com. 3600	IN	A	193.110.157.151
badsig.dane.xelerance.com. 3600	IN	RRSIG	A 5 4 3600 20110505101649 20110412193207 52862 xelerance.com. nal4M2CFZCFpYD8fGdM2UN/nVhoI6W7wbKSx7IfqR6hHu6GyEnFckG7I IGgOUeKW69vVk19ZpNcxZFCPjxjjOizLdbn5ZpzmiPwKLrYMt9rVb740 /Wm3Um69tyP79DiNFFdx1j02C6jL8DAGhpFlHaTDL5YxTQadUDyQy7hj qH0=


I have a copy of the cache at the time, and an unbound-host output if that would help.

After restarting unbound, the record worked as expected.

Paul