Maintained by: NLnet Labs

[Unbound-users] dnssec stripping not resulting in serv fail?

W.C.A. Wijngaards
Mon Jan 10 10:09:27 CET 2011


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Paul,

On 01/08/2011 11:06 PM, Paul Wouters wrote:
>> It should servfail.
> It did not.

What was the query that servfailed?  I can see in the logs that it is
retrying xelerance.org queries (for A, AAAA and type RRSIG).  Because
type RRSIG cannot be validated, you may have received a reply for that one.

Could it be that your (Mac?) tried to fail over to another DNS server
even though you did not want that?  What you say about resolv.conf makes
this unlikely, and you did a straight dig @127.0.0.1, I guess.

> I always restarted unbound fully.

Good to know.

> I did capture the logs, mailed to you offlist.

Thanks!

Did you notice these lines:
remote control failed ssl crypto error:140760FC:SSL
routines:SSL23_GET_CLIENT_HELLO:unknown protocol

Looks like some garbage connection to the unbound-control port.

> I don't think so. For each test I ran a "service unbound restart", and
> since resolv.conf was not configured to use 127.0.0.1, nothing could
> have used unbound until I started sending it queries for xelerance.org
> after I ran the unbound-control forward statement.

It looks like you have a downstream validator, and this unbound does not
have a lot of trust anchors?  It has trust anchors, right?  I can see
you editing trust anchor config earlier in the logs.  The downstream
validator seems to make DNSKEY and RRSIG queries.  And I see a lot of
retries (due to DNSSEC failures?).

These logs are confusing, I see they are log level 4 or 5 or so, but
they are missing stuff (such as the configured trust anchors printout at
start).

Best regards,
   Wouter
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAk0qzMcACgkQkDLqNwOhpPgUbwCfTU1kr2rX3GtkJ+uxw9iOYDJa
k2YAoJQ8i6csAkh+pmV2yFqmZxu2yHAN
=/eW+
-----END PGP SIGNATURE-----
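The test Wouter is describing (point unbound at the stripping forwarder, query `@127.0.0.1`, and expect SERVFAIL rather than an unvalidated answer) is easier to repeat if the dig output is classified mechanically. The script below is an added example for this thread, not code from either poster or from unbound itself: `dnssec_verdict` reads dig(1) output on stdin and reports SERVFAIL, a NOERROR answer with the AD bit (validated), a NOERROR answer without AD (handed out unvalidated), or the caveat Wouter raises, that a question for type RRSIG cannot be validated and therefore proves nothing either way. The dig transcripts are constructed samples; the function name and the dig version string are assumptions.

```shell
#!/bin/sh
# Classify one dig(1) response for the "does DNSSEC stripping yield
# SERVFAIL" test from the thread. Added example; not unbound's own tooling.
#
# Verdicts printed on stdout:
#   RRSIG-QUERY  question was for type RRSIG; a validator cannot validate
#                that type, so an answer here says nothing about stripping
#   SERVFAIL     resolver refused to return an unvalidatable answer (wanted)
#   VALIDATED    NOERROR with the AD bit set
#   UNVALIDATED  NOERROR without AD: the answer was returned unvalidated
dnssec_verdict() {
    out=$(cat)
    # Question section lines start with a single ';' (header lines use ';;').
    if printf '%s\n' "$out" | grep -Eq '^;[^;].*[[:space:]]IN[[:space:]]+RRSIG[[:space:]]*$'; then
        echo RRSIG-QUERY
    elif printf '%s\n' "$out" | grep -q 'status: SERVFAIL'; then
        echo SERVFAIL
    elif printf '%s\n' "$out" | grep -Eq '^;; flags:.* ad[ ;]'; then
        echo VALIDATED
    else
        echo UNVALIDATED
    fi
}

# Constructed sample: what the forwarded A query should look like when
# unbound validates and the upstream forwarder strips the signatures.
sample_servfail() {
    cat <<'EOF'
; <<>> DiG 9.7.2 <<>> @127.0.0.1 xelerance.org A +dnssec
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4711
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;xelerance.org.			IN	A
EOF
}

# Constructed sample: the failure mode Paul reports, an A answer handed
# out with NOERROR and no AD bit.
sample_unvalidated() {
    cat <<'EOF'
; <<>> DiG 9.7.2 <<>> @127.0.0.1 xelerance.org A +dnssec
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4712
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;xelerance.org.			IN	A

;; ANSWER SECTION:
xelerance.org.		3600	IN	A	192.0.2.10
EOF
}

# Constructed sample: a validated answer (AD set), for contrast.
sample_validated() {
    cat <<'EOF'
; <<>> DiG 9.7.2 <<>> @127.0.0.1 xelerance.org A +dnssec
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4713
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;xelerance.org.			IN	A

;; ANSWER SECTION:
xelerance.org.		3600	IN	A	192.0.2.10
xelerance.org.		3600	IN	RRSIG	A 5 2 3600 20110201000000 20110101000000 12345 xelerance.org. dGVzdA==
EOF
}

# Constructed sample: the query for type RRSIG that Wouter points out
# cannot be validated and so may legitimately get a reply.
sample_rrsig_query() {
    cat <<'EOF'
; <<>> DiG 9.7.2 <<>> @127.0.0.1 xelerance.org RRSIG
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4714
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;xelerance.org.			IN	RRSIG

;; ANSWER SECTION:
xelerance.org.		3600	IN	RRSIG	A 5 2 3600 20110201000000 20110101000000 12345 xelerance.org. dGVzdA==
EOF
}

# Real use, after "unbound-control forward <stripping-resolver>":
#   dig @127.0.0.1 xelerance.org A +dnssec | dnssec_verdict
for s in sample_servfail sample_unvalidated sample_validated sample_rrsig_query; do
    printf '%-20s %s\n' "$s" "$($s | dnssec_verdict)"
done
```

Only the A/AAAA verdicts are evidence in this test; a RRSIG-QUERY verdict should be discarded rather than counted as "unbound answered despite stripping", and an UNVALIDATED verdict on an A query is the condition worth sending logs for.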