Maintained by: NLnet Labs

[Unbound-users] unbound failed when validating

W.C.A. Wijngaards
Tue Jul 12 12:24:05 CEST 2011


Hi Cathy,

No, I am wrong: both the source and destination zone are signed, and
hence the results validate and the AD flag is set.  The response is fine.

Best regards,
   Wouter

On 07/12/2011 12:21 PM, W.C.A. Wijngaards wrote:
> Hi Cathy,
> 
> That message is in error (just like Unbound, but wrong the other way).
> Because the TXT record is not signed, the result should have been sent
> without the AD flag.  (CNAME sequence from signed to unsigned zone
> becomes insecure).  Something that could well be reported to the ISC people.
> 
> Best regards,
>    Wouter
> 
> On 07/12/2011 11:40 AM, Cathy Zhang wrote:
>> Hi Wouter,
>> Thanks a lot for your answer. But I can get the following response
>> from the BIND recursor:
>> There is an 'ad' flag, so I wonder whether the validation should be
>> 'pass' or 'failed'.
>> -----------------------------------------------
>> dig foo.dname2.example. any @10.53.0.4 +dnssec
> 
>> ; <<>> DiG 9.7.3 <<>> foo.dname2.example. any @10.53.0.4 +dnssec
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22482
>> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 7, AUTHORITY: 0, ADDITIONAL: 1
> 
>> ;; OPT PSEUDOSECTION:
>> ; EDNS: version: 0, flags: do; udp: 4096
>> ;; QUESTION SECTION:
>> ;foo.dname2.example.            IN      ANY
> 
>> ;; ANSWER SECTION:
>> dname2.example.         81      IN      DNAME   dname2-target.example.
>> dname2.example.         81      IN      RRSIG   DNAME 3 2 300
>> 20110811002909 20110712002909 41604 example.
>> BKfBYKdcGieT+EEIGl2vilfsl7egcmfvQsLgAwEhp1vQPJTxkNNJ6BM=
>> foo.dname2.example.     81      IN      CNAME   foo.dname2-target.example.
>> foo.dname2-target.example. 3381 IN      RRSIG   NSEC 3 3 3600
>> 20110811002909 20110712002909 41604 example.
>> BFyRlAUY3vBL2E7JEyezzaxjgBoycn0M5ZXJ8vRxa7suQi7cnoo6Z1s=
>> foo.dname2-target.example. 3381 IN      NSEC    dynamic.example. TXT RRSIG NSEC
>> foo.dname2-target.example. 81   IN      RRSIG   TXT 3 3 300
>> 20110811002909 20110712002909 41604 example.
>> BAXpPonMvpx/Dyw/z0UP9DwYiLWlrffj9zJF7V7kfxpLF7X/mTftZWE=
>> foo.dname2-target.example. 81   IN      TXT     "testing dname"
> 
>> ;; Query time: 1 msec
>> ;; SERVER: 10.53.0.4#53(10.53.0.4)
>> ;; WHEN: Tue Jul 12 17:30:06 2011
>> ;; MSG SIZE  rcvd: 403
> 
> 
>> 2011/7/12, W.C.A. Wijngaards <wouter at nlnetlabs.nl>:
>> Hi Cathy,
> 
>> Unbound follows the DNAME when answering the ANY query, like Luo Ce has
>> reported.  But, in this case, it is confused by the unsigned target and
>> thus unsigned data that appears in the ANY response.
> 
>> There are two roads to solution.  Unbound can stop following CNAME and
>> DNAME if the qtype is ANY.  Unbound can learn that ANY responses may
>> contain CNAME and DNAME and thus also target zone contents and validate
>> that.
> 
>> Best regards,
>>    Wouter
> 
> 
>> On 07/12/2011 04:45 AM, Cathy Zhang wrote:
>>>>> Unbound responds with status SERVFAIL for request 'dig
>>>>> foo.dname2.example. any +dnssec'. I think it means Unbound failed to
>>>>> validate the data, and I found such statements in the log:
>>>>> 12-Jul-2011 09:32:51.666 info: no signer, using <foo.dname2.example.
>>>>> TYPE0 CLASS0>
>>>>> Would the signer be 'example' instead of 'foo.dname2.example'?
>>>>>
>>>>> Here is the response for the request with the CD bit set:
>>>>> $ dig foo.dname2.example. any @10.53.0.8 +cdflag
>>>>>
>>>>> ; <<>> DiG 9.7.3 <<>> foo.dname2.example. any @10.53.0.8 +cdflag
>>>>> ;; global options: +cmd
>>>>> ;; Got answer:
>>>>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40226
>>>>> ;; flags: qr rd ra cd; QUERY: 1, ANSWER: 7, AUTHORITY: 2, ADDITIONAL: 2
>>>>>
>>>>> ;; QUESTION SECTION:
>>>>> ;foo.dname2.example.            IN      ANY
>>>>>
>>>>> ;; ANSWER SECTION:
>>>>> dname2.example.         300     IN      DNAME   dname2-target.example.
>>>>> dname2.example.         300     IN      RRSIG   DNAME 3 2 300
>>>>> 20110811002909 20110712002909 41604 example.
>>>>> BKfBYKdcGieT+EEIGl2vilfsl7egcmfvQsLgAwEhp1vQPJTxkNNJ6BM=
>>>>> foo.dname2.example.     0       IN      CNAME   foo.dname2-target.example.
>>>>> foo.dname2-target.example. 300  IN      TXT     "testing dname"
>>>>> foo.dname2-target.example. 300  IN      RRSIG   TXT 3 3 300
>>>>> 20110811002909 20110712002909 41604 example.
>>>>> BAXpPonMvpx/Dyw/z0UP9DwYiLWlrffj9zJF7V7kfxpLF7X/mTftZWE=
>>>>> foo.dname2-target.example. 3600 IN      NSEC    dynamic.example. TXT RRSIG NSEC
>>>>> foo.dname2-target.example. 3600 IN      RRSIG   NSEC 3 3 3600
>>>>> 20110811002909 20110712002909 41604 example.
>>>>> BFyRlAUY3vBL2E7JEyezzaxjgBoycn0M5ZXJ8vRxa7suQi7cnoo6Z1s=
>>>>>
>>>>> ;; AUTHORITY SECTION:
>>>>> example.                300     IN      NS      ns2.example.
>>>>> example.                300     IN      NS      ns3.example.
>>>>>
>>>>> ;; ADDITIONAL SECTION:
>>>>> ns2.example.            300     IN      A       10.53.0.2
>>>>> ns3.example.            300     IN      A       10.53.0.3
>>>>>
>>>>> ;; Query time: 92 msec
>>>>> ;; SERVER: 10.53.0.8#53(10.53.0.8)
>>>>> ;; WHEN: Tue Jul 12 09:38:11 2011
>>>>> ;; MSG SIZE  rcvd: 474
>>>>> _______________________________________________
>>>>> Unbound-users mailing list
>>>>> Unbound-users at unbound.net
>>>>> http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users

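The thread turns on how a validating resolver classifies a DNAME/CNAME chain and when it may set the AD flag: every RRset in the chain secure gives AD, a chain that crosses from a signed zone into an unsigned zone is "insecure" (no AD, but no SERVFAIL either), and a signed RRset with no usable RRSIG is "bogus". The Python below is an added illustration of that decision logic, not Unbound or BIND code. It assumes a hypothetical zone table (ZONES) that says which zones are signed, and it skips the cryptography: a signer name that matches the enclosing zone is taken as a verified signature. The first sample answer is transcribed from the dig output in the thread; the "unsigned target" and "stripped RRSIG" answers are constructed variants.

```python
"""Toy model of the AD-flag decision for an answer that follows a DNAME/CNAME
chain.  Added example, not resolver code.  Zone security status comes from a
table instead of being proven with DS/NSEC records, and signatures are not
actually verified: a matching signer name stands in for a valid RRSIG."""

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class RRset:
    owner: str                     # owner name, fully qualified, trailing dot
    rrtype: str                    # "DNAME", "CNAME", "TXT", "NSEC", ...
    rdata: str = ""                # target for DNAME/CNAME, text for TXT
    signer: Optional[str] = None   # signer name from the covering RRSIG, None if no RRSIG


# Hypothetical zone table: apex -> signed?  "example." is signed as in the thread;
# "unsigned.example." is a constructed, insecurely delegated child zone.
ZONES = {
    "example.": True,
    "unsigned.example.": False,
}


def enclosing_zone(name, zones):
    """Longest-matching zone apex for a name, walking up one label at a time."""
    labels = name.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate
    raise ValueError(f"no known zone for {name}")


def synthesized_from_dname(cname, dnames):
    """Return the DNAME that would synthesize this exact CNAME, or None.
    A synthesized CNAME carries no RRSIG; it inherits the DNAME's status."""
    for d in dnames:
        suffix = "." + d.owner
        if cname.owner.endswith(suffix):
            prefix = cname.owner[: -len(suffix)]
            if cname.rdata == prefix + "." + d.rdata:
                return d
    return None


def rrset_status(rrset, answer, zones):
    """secure / insecure / bogus for one RRset in the context of the whole answer."""
    if rrset.rrtype == "CNAME" and rrset.signer is None:
        dname = synthesized_from_dname(rrset, [r for r in answer if r.rrtype == "DNAME"])
        if dname is not None:
            return rrset_status(dname, answer, zones)
    zone = enclosing_zone(rrset.owner, zones)
    if not zones[zone]:
        return "insecure"          # unsigned zone: cannot validate, but not an attack
    if rrset.signer == zone:
        return "secure"            # signature assumed verified (crypto elided here)
    return "bogus"                 # signed zone, but no RRSIG from that zone


def answer_status(answer, zones):
    """Whole-answer status: any bogus RRset makes the answer bogus (SERVFAIL
    without CD); otherwise any insecure RRset makes it insecure; else secure."""
    statuses = [rrset_status(r, answer, zones) for r in answer]
    if "bogus" in statuses:
        return "bogus"
    if "insecure" in statuses:
        return "insecure"
    return "secure"


def ad_flag(answer, zones):
    """AD may only be set when every RRset in the answer validated as secure."""
    return answer_status(answer, zones) == "secure"


# Transcribed from the dig output in the thread: the whole chain stays inside
# the signed zone "example." and every RRset except the synthesized CNAME
# carries an RRSIG with signer "example.".
THREAD_ANSWER = [
    RRset("dname2.example.", "DNAME", "dname2-target.example.", signer="example."),
    RRset("foo.dname2.example.", "CNAME", "foo.dname2-target.example."),
    RRset("foo.dname2-target.example.", "TXT", '"testing dname"', signer="example."),
    RRset("foo.dname2-target.example.", "NSEC", "dynamic.example. TXT RRSIG NSEC", signer="example."),
]

# Constructed: the DNAME points into an unsigned child zone, so the target TXT
# has no RRSIG.  This is the signed-to-unsigned case: insecure, AD must stay clear.
UNSIGNED_TARGET_ANSWER = [
    RRset("dname2.example.", "DNAME", "unsigned.example.", signer="example."),
    RRset("foo.dname2.example.", "CNAME", "foo.unsigned.example."),
    RRset("foo.unsigned.example.", "TXT", '"testing dname"'),
]

# Constructed: same chain as the thread, but the TXT RRSIG is missing even though
# the zone is signed.  That is bogus, and a validator answers SERVFAIL.
STRIPPED_SIG_ANSWER = [
    RRset("dname2.example.", "DNAME", "dname2-target.example.", signer="example."),
    RRset("foo.dname2.example.", "CNAME", "foo.dname2-target.example."),
    RRset("foo.dname2-target.example.", "TXT", '"testing dname"'),
]

if __name__ == "__main__":
    for label, ans in [("thread answer", THREAD_ANSWER),
                       ("unsigned target", UNSIGNED_TARGET_ANSWER),
                       ("stripped RRSIG", STRIPPED_SIG_ANSWER)]:
        status = answer_status(ans, ZONES)
        print(f"{label}: {status}, AD {'set' if ad_flag(ans, ZONES) else 'clear'}")
```

Running it prints "secure, AD set" for the thread's answer, which matches Wouter's final verdict that the BIND response with AD is correct; the unsigned-target variant comes out "insecure, AD clear", the situation his earlier message described; and the stripped-signature variant comes out "bogus", the SERVFAIL case Cathy saw. The point worth checking in your own resolver is the middle case: an unsigned target must not be reported as bogus, and a bogus target must never be reported with AD.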