Maintained by: NLnet Labs

[Unbound-users] Unbound dropping RRSIGs from zone?

Rob Gallagher
Wed Dec 21 15:28:21 CET 2011


Hi all,

I noticed a strange issue with one of our Unbound 1.4.1 resolvers and a
signed zone that we maintain (0.7.7.0.1.0.0.2.ip6.arpa - no DS
records are published to the parent yet). 

A Nagios plugin had been regularly alarming that the zone was
unsigned, and indeed, when I queried the Unbound resolver that our
monitoring server uses, the RRSIG had been stripped out of the reply: 

--------8<--------

>> dig @windu 0.7.7.0.1.0.0.2.ip6.arpa soa +dnssec

; <<>> DiG 9.7.3 <<>> @windu 0.7.7.0.1.0.0.2.ip6.arpa soa +dnssec
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42217
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;0.7.7.0.1.0.0.2.ip6.arpa.	IN	SOA

;; ANSWER SECTION:
0.7.7.0.1.0.0.2.ip6.arpa. 814	IN	SOA	ns.heanet.ie. hostmaster.heanet.ie. 2011122000 7200 7200 432000 3600

--------8<--------

An identical resolver, however, returns the correct records:

--------8<--------

>> dig @dooku 0.7.7.0.1.0.0.2.ip6.arpa soa +dnssec

; <<>> DiG 9.7.3 <<>> @dooku 0.7.7.0.1.0.0.2.ip6.arpa soa +dnssec
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47300
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;0.7.7.0.1.0.0.2.ip6.arpa.	IN	SOA

;; ANSWER SECTION:
0.7.7.0.1.0.0.2.ip6.arpa. 111	IN	SOA	ns.heanet.ie. hostmaster.heanet.ie. 2011122000 7200 7200 432000 3600
0.7.7.0.1.0.0.2.ip6.arpa. 111	IN	RRSIG	SOA 8 10 3600 20111226202852 20111220000932 45295 0.7.7.0.1.0.0.2.ip6.arpa. BWYHZQK8cxu71ysSVKeUAQobe270QWIm4zwXFloBZy8VkvH3OCQdskoB Xu6Ff7Hql8qi85y7yoAIMofDLLtPfBue1QLIYPT/ioBM81XYJqLJOHwd gqUUoaR1hufB0ewiCO04QwY2Mq985VzsZyAQ4n+E1OiuRqpvUOCEBoDh uYk=

--------8<--------

Manually flushing the record, restarting unbound, or waiting for the
TTL to expire causes the resolver to re-fetch the missing RRSIGs and
things continue as normal, but the problem seems to re-appear every
couple of days according to the nagios plugin logs.

Nothing obvious turns up in the logs on the resolver, at verbosity 2 at
least; should I increase the verbosity to something noisier?

rg

-- 
Rob Gallagher | Public Key: 0x1DD13A78

HEAnet Limited, Ireland's Education and Research Network
1st Floor, 5 George's Dock, IFSC, Dublin 1.
Registered in Ireland, no 275301
T: (+353-1) 6609040  F: (+353-1) 6603666 WWW: http://www.heanet.ie/
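As an added example, not part of Rob's post and not an NLnet Labs or HEAnet tool: a small Python check that does what the Nagios plugin described above does, reading the output of `dig @resolver <zone> soa +dnssec` and reporting CRITICAL when the SOA comes back without the RRSIG covering it. It looks at RRSIG presence rather than the AD flag on purpose: with no DS at the parent (as for this zone) a validating resolver will not set AD even when it returns the signatures, so AD cannot tell the two replies above apart. The Nagios-style states, the fixed "now" timestamp and the trimming of the transcripts are assumptions for illustration; the two replies from the post are embedded as constructed sample input, with the ANSWER lines still wrapped the way the mail client wrapped them, which the parser tolerates.

```python
"""Nagios-style check of a 'dig +dnssec' transcript: did the answer carry its RRSIG?

Added example, not part of the original post and not an NLnet Labs or HEAnet
tool. It parses dig's presentation-format output (tolerating lines wrapped by a
mail client) and returns CRITICAL when the queried RRset is present but the
RRSIG covering it is missing, the symptom reported in the post."""
import re
from datetime import datetime, timezone

# First line of a record: owner TTL IN TYPE RDATA. A non-comment line inside a
# section that does not match is a wrapped continuation of the previous record.
RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s*(.*)$")

# Assumed "now" for the worked run: the time of the post (Wed Dec 21 15:28:21 CET
# 2011, treated here as UTC for simplicity).
POST_TIME = datetime(2011, 12, 21, 15, 28, 21, tzinfo=timezone.utc)

def parse_dig(text):
    """Status, EDNS flags, (qname, qtype) and ANSWER rows [owner, ttl, type, rdata]."""
    r = {"status": None, "edns": set(), "question": (None, None), "answer": []}
    section = None
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        if line.startswith(";; ->>HEADER<<-"):
            r["status"] = re.search(r"status:\s*(\w+)", line).group(1)
        elif line.startswith("; EDNS:"):            # "flags: do;" carries the DO bit
            r["edns"] = set(line.split("flags:", 1)[1].split(";", 1)[0].split())
        elif line.startswith(";; ") and "SECTION:" in line:
            section = line.split()[1]               # QUESTION, ANSWER, AUTHORITY, ...
        elif line.startswith(";"):
            if section == "QUESTION":
                parts = line[1:].split()
                r["question"] = (parts[0], parts[-1])
        elif section == "ANSWER":
            m = RR_RE.match(line)
            if m:
                owner, ttl, rtype, rdata = m.groups()
                r["answer"].append([owner, int(ttl), rtype, rdata])
            elif r["answer"]:                         # wrapped continuation line
                r["answer"][-1][3] += " " + line.strip()
    return r

def parse_rrsig(rdata):
    """RRSIG rdata fields in RFC 4034 presentation order."""
    f = rdata.split()
    ts = lambda s: datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return {"covers": f[0], "alg": int(f[1]), "labels": int(f[2]), "orig_ttl": int(f[3]),
            "expiration": ts(f[4]), "inception": ts(f[5]), "keytag": int(f[6]),
            "signer": f[7], "signature": "".join(f[8:])}

def check_signed(text, now=None, warn_hours=24):
    """(state, message): UNKNOWN if the reply cannot be judged, CRITICAL if the
    RRset is unsigned or its RRSIG expired, WARNING if it expires soon, else OK."""
    r = parse_dig(text)
    name, qtype = r["question"]
    if r["status"] != "NOERROR":
        return "UNKNOWN", "status %s for %s/%s" % (r["status"], name, qtype)
    if "do" not in r["edns"]:
        return "UNKNOWN", "DO bit not set in reply, RRSIGs were not requested"
    if not any(a[2] == qtype for a in r["answer"]):
        return "UNKNOWN", "no %s record in answer for %s" % (qtype, name)
    sigs = [s for s in (parse_rrsig(a[3]) for a in r["answer"] if a[2] == "RRSIG")
            if s["covers"] == qtype]
    if not sigs:
        return "CRITICAL", "%s/%s returned without RRSIG" % (name, qtype)
    now = now or datetime.now(timezone.utc)
    soonest = min(s["expiration"] for s in sigs)
    hours = (soonest - now).total_seconds() / 3600
    if hours < 0:
        return "CRITICAL", "RRSIG for %s/%s expired at %s" % (name, qtype, soonest)
    if hours < warn_hours:
        return "WARNING", "RRSIG for %s/%s expires in %.1fh" % (name, qtype, hours)
    return "OK", "%s/%s signed, keytag %d, expires %s" % (name, qtype, sigs[0]["keytag"], soonest)

# Constructed input: the two replies quoted in the post, trimmed to the lines the
# check needs; the ANSWER records keep the wrapping they had in the mail.
HEAD = """\
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;0.7.7.0.1.0.0.2.ip6.arpa.\tIN\tSOA
;; ANSWER SECTION:
"""
WINDU = ";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42217\n" + HEAD + """\
0.7.7.0.1.0.0.2.ip6.arpa. 814\tIN\tSOA\tns.heanet.ie.
hostmaster.heanet.ie. 2011122000 7200 7200 432000 3600
"""
DOOKU = ";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47300\n" + HEAD + """\
0.7.7.0.1.0.0.2.ip6.arpa. 111\tIN\tSOA\tns.heanet.ie.
hostmaster.heanet.ie. 2011122000 7200 7200 432000 3600
0.7.7.0.1.0.0.2.ip6.arpa. 111\tIN\tRRSIG\tSOA 8 10
3600 20111226202852 20111220000932 45295 0.7.7.0.1.0.0.2.ip6.arpa.
BWYHZQK8cxu71ysSVKeUAQobe270QWIm4zwXFloBZy8VkvH3OCQdskoB
Xu6Ff7Hql8qi85y7yoAIMofDLLtPfBue1QLIYPT/ioBM81XYJqLJOHwd
gqUUoaR1hufB0ewiCO04QwY2Mq985VzsZyAQ4n+E1OiuRqpvUOCEBoDh uYk=
"""

if __name__ == "__main__":
    for host, text in (("windu", WINDU), ("dooku", DOOKU)):
        print(host, *check_signed(text, now=POST_TIME))
```

Run against the two transcripts, windu comes out CRITICAL (SOA present, no RRSIG SOA) and dooku OK, which is the discrepancy the post describes. In practice the text would come from `dig @<resolver> <zone> soa +dnssec` run by the monitoring host; the expiry WARNING is a bonus that catches a signer that stopped re-signing before the cache behaviour ever shows up. The manual cache flush the post mentions is `unbound-control flush <name>` on the affected resolver.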
