Maintained by: NLnet Labs

[Unbound-users] unbound failed when validating

W.C.A. Wijngaards
Tue Jul 12 09:11:37 CEST 2011



Hi Cathy,

Unbound follows the DNAME when answering the ANY query, like Luo Ce has
reported.  But, in this case, it is confused by the unsigned target and
thus unsigned data that appears in the ANY response.

There are two roads to a solution.  Unbound can stop following CNAME and
DNAME if the qtype is ANY.  Unbound can learn that ANY responses may
contain CNAME and DNAME and thus also target zone contents and validate
that.

Best regards,
   Wouter


On 07/12/2011 04:45 AM, Cathy Zhang wrote:
> unbound responds with status SERVFAIL for request 'dig
> foo.dname2.example. any +dnssec'. I think it means unbound failed to
> validate the data and I found such statements in log:
> 12-Jul-2011 09:32:51.666 info: no signer, using <foo.dname2.example.
> TYPE0 CLASS0>
> would it be 'example' the signer instead of 'foo.dname2.example'?
> 
> Here is the response for request with cd bit set
> $ dig foo.dname2.example. any @10.53.0.8 +cdflag
> 
> ; <<>> DiG 9.7.3 <<>> foo.dname2.example. any @10.53.0.8 +cdflag
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40226
> ;; flags: qr rd ra cd; QUERY: 1, ANSWER: 7, AUTHORITY: 2, ADDITIONAL: 2
> 
> ;; QUESTION SECTION:
> ;foo.dname2.example.            IN      ANY
> 
> ;; ANSWER SECTION:
> dname2.example.         300     IN      DNAME   dname2-target.example.
> dname2.example.         300     IN      RRSIG   DNAME 3 2 300
> 20110811002909 20110712002909 41604 example.
> BKfBYKdcGieT+EEIGl2vilfsl7egcmfvQsLgAwEhp1vQPJTxkNNJ6BM=
> foo.dname2.example.     0       IN      CNAME   foo.dname2-target.example.
> foo.dname2-target.example. 300  IN      TXT     "testing dname"
> foo.dname2-target.example. 300  IN      RRSIG   TXT 3 3 300
> 20110811002909 20110712002909 41604 example.
> BAXpPonMvpx/Dyw/z0UP9DwYiLWlrffj9zJF7V7kfxpLF7X/mTftZWE=
> foo.dname2-target.example. 3600 IN      NSEC    dynamic.example. TXT RRSIG NSEC
> foo.dname2-target.example. 3600 IN      RRSIG   NSEC 3 3 3600
> 20110811002909 20110712002909 41604 example.
> BFyRlAUY3vBL2E7JEyezzaxjgBoycn0M5ZXJ8vRxa7suQi7cnoo6Z1s=
> 
> ;; AUTHORITY SECTION:
> example.                300     IN      NS      ns2.example.
> example.                300     IN      NS      ns3.example.
> 
> ;; ADDITIONAL SECTION:
> ns2.example.            300     IN      A       10.53.0.2
> ns3.example.            300     IN      A       10.53.0.3
> 
> ;; Query time: 92 msec
> ;; SERVER: 10.53.0.8#53(10.53.0.8)
> ;; WHEN: Tue Jul 12 09:38:11 2011
> ;; MSG SIZE  rcvd: 474

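The bookkeeping a validator has to do on this ANY response, written out as an added example (not Unbound's code, and not from anyone in the thread): every RRset is mapped to the signer name of its covering RRSIG, and the one RRset that has no RRSIG, the TTL-0 CNAME, is accepted only if it is exactly the synthesis of a signed DNAME in the same response (RFC 6672 section 3.1). The record list is constructed from the dig output above with the base64 signatures dropped; the function and field names are assumptions of this example.

```python
"""Map each RRset in a DNSSEC ANY response to the name that vouches for it.

Added example, not Unbound's own code.  A CNAME that has no RRSIG is
credited to the signer of the DNAME that synthesizes it; anything else
without an RRSIG is reported as unsigned, which is what a validator must
refuse to accept as secure.
"""

# Constructed from the dig output in the thread.  RRSIG rdata is reduced to
# "type-covered algorithm labels original-ttl signer"; signatures omitted.
ANSWER = [
    ("dname2.example.", "DNAME", "dname2-target.example."),
    ("dname2.example.", "RRSIG", "DNAME 3 2 300 example."),
    ("foo.dname2.example.", "CNAME", "foo.dname2-target.example."),
    ("foo.dname2-target.example.", "TXT", '"testing dname"'),
    ("foo.dname2-target.example.", "RRSIG", "TXT 3 3 300 example."),
    ("foo.dname2-target.example.", "NSEC", "dynamic.example. TXT RRSIG NSEC"),
    ("foo.dname2-target.example.", "RRSIG", "NSEC 3 3 3600 example."),
]


def strip_suffix(name, suffix):
    """Return the labels of `name` below `suffix`, or None when `name`
    is not a proper subdomain of `suffix` (RFC 6672 requires a non-empty
    prefix: the DNAME owner itself is not redirected)."""
    if name == suffix or not name.endswith("." + suffix):
        return None
    return name[: -len(suffix) - 1]


def synthesizing_dname(cname_owner, cname_target, dnames):
    """Return the (owner, target) of the DNAME whose RFC 6672 synthesis
    yields exactly this CNAME, or None if no DNAME in the response does."""
    for d_owner, d_target in dnames:
        prefix = strip_suffix(cname_owner, d_owner)
        if prefix is not None and cname_target == prefix + "." + d_target:
            return d_owner, d_target
    return None


def classify(records):
    """Return {(owner, type): signer} where signer is the RRSIG signer name,
    or None when nothing in the response vouches for that RRset."""
    sigs = {}      # (owner, covered type) -> signer name
    rrsets = {}    # (owner, type) -> rdata of the first RR seen
    dnames = []    # (owner, target) of every DNAME present
    for owner, rtype, rdata in records:
        if rtype == "RRSIG":
            fields = rdata.split()
            sigs[(owner, fields[0])] = fields[-1]
            continue
        rrsets.setdefault((owner, rtype), rdata)
        if rtype == "DNAME":
            dnames.append((owner, rdata))

    result = {}
    for (owner, rtype), rdata in rrsets.items():
        if (owner, rtype) in sigs:
            result[(owner, rtype)] = sigs[(owner, rtype)]
        elif rtype == "CNAME":
            # No RRSIG: acceptable only as the synthesis of a *signed* DNAME.
            dname = synthesizing_dname(owner, rdata, dnames)
            result[(owner, rtype)] = sigs.get((dname[0], "DNAME")) if dname else None
        else:
            result[(owner, rtype)] = None
    return result


def unsigned_rrsets(records):
    """RRsets that a validator cannot attribute to any signer."""
    return sorted(k for k, v in classify(records).items() if v is None)


if __name__ == "__main__":
    for key, signer in classify(ANSWER).items():
        print(f"{key[0]:28} {key[1]:6} signer={signer}")
    print("unsigned:", unsigned_rrsets(ANSWER))
```

Every RRset in the quoted response, including the synthesized CNAME, resolves to the signer `example.`, so the data is validatable once the resolver knows that the target-zone contents belong in the ANY answer. Changing the CNAME target to anything that the DNAME does not produce leaves that CNAME with no signer, which is the case a validator has to reject.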