[Unbound-users] unbound failed when validating

W.C.A. Wijngaards wouter at NLnetLabs.nl
Tue Jul 12 10:21:16 UTC 2011


Hi Cathy,

That message is in error (just like Unbound, but wrong the other way).
Because the TXT record is not signed, the result should have been sent
without the AD flag.  (A CNAME sequence from a signed to an unsigned zone
becomes insecure.)  That is something that could well be reported to the ISC people.

Best regards,
   Wouter

On 07/12/2011 11:40 AM, Cathy Zhang wrote:
> Hi Wouter,
> Thanks a lot for your answer. But I can get the following response
> from the BIND recursor:
> there is an 'ad' flag. So I wonder whether the validation should be
> 'pass' or 'failed'.
> -----------------------------------------------
> dig foo.dname2.example. any @10.53.0.4 +dnssec
> 
> ; <<>> DiG 9.7.3 <<>> foo.dname2.example. any @10.53.0.4 +dnssec
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22482
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 7, AUTHORITY: 0, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;foo.dname2.example.            IN      ANY
> 
> ;; ANSWER SECTION:
> dname2.example.         81      IN      DNAME   dname2-target.example.
> dname2.example.         81      IN      RRSIG   DNAME 3 2 300 20110811002909 20110712002909 41604 example. BKfBYKdcGieT+EEIGl2vilfsl7egcmfvQsLgAwEhp1vQPJTxkNNJ6BM=
> foo.dname2.example.     81      IN      CNAME   foo.dname2-target.example.
> foo.dname2-target.example. 3381 IN      RRSIG   NSEC 3 3 3600 20110811002909 20110712002909 41604 example. BFyRlAUY3vBL2E7JEyezzaxjgBoycn0M5ZXJ8vRxa7suQi7cnoo6Z1s=
> foo.dname2-target.example. 3381 IN      NSEC    dynamic.example. TXT RRSIG NSEC
> foo.dname2-target.example. 81   IN      RRSIG   TXT 3 3 300 20110811002909 20110712002909 41604 example. BAXpPonMvpx/Dyw/z0UP9DwYiLWlrffj9zJF7V7kfxpLF7X/mTftZWE=
> foo.dname2-target.example. 81   IN      TXT     "testing dname"
> 
> ;; Query time: 1 msec
> ;; SERVER: 10.53.0.4#53(10.53.0.4)
> ;; WHEN: Tue Jul 12 17:30:06 2011
> ;; MSG SIZE  rcvd: 403
> 
> 
> 2011/7/12, W.C.A. Wijngaards <wouter at nlnetlabs.nl>:
> Hi Cathy,
> 
> Unbound follows the DNAME when answering the ANY query, like Luo Ce has
> reported.  But, in this case, it is confused by the unsigned target and
> thus unsigned data that appears in the ANY response.
> 
> There are two roads to a solution.  Unbound can stop following CNAME and
> DNAME if the qtype is ANY.  Or Unbound can learn that ANY responses may
> contain CNAME and DNAME, and thus also target zone contents, and validate
> that.
> 
> Best regards,
>    Wouter
> 
> 
> On 07/12/2011 04:45 AM, Cathy Zhang wrote:
>>>> Unbound responds with status SERVFAIL for the request 'dig
>>>> foo.dname2.example. any +dnssec'. I think it means Unbound failed to
>>>> validate the data, and I found such statements in the log:
>>>> 12-Jul-2011 09:32:51.666 info: no signer, using <foo.dname2.example.
>>>> TYPE0 CLASS0>
>>>> Should the signer be 'example' instead of 'foo.dname2.example'?
>>>>
>>>> Here is the response for the request with the CD bit set:
>>>> $ dig foo.dname2.example. any @10.53.0.8 +cdflag
>>>>
>>>> ; <<>> DiG 9.7.3 <<>> foo.dname2.example. any @10.53.0.8 +cdflag
>>>> ;; global options: +cmd
>>>> ;; Got answer:
>>>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40226
>>>> ;; flags: qr rd ra cd; QUERY: 1, ANSWER: 7, AUTHORITY: 2, ADDITIONAL: 2
>>>>
>>>> ;; QUESTION SECTION:
>>>> ;foo.dname2.example.            IN      ANY
>>>>
>>>> ;; ANSWER SECTION:
>>>> dname2.example.         300     IN      DNAME   dname2-target.example.
>>>> dname2.example.         300     IN      RRSIG   DNAME 3 2 300 20110811002909 20110712002909 41604 example. BKfBYKdcGieT+EEIGl2vilfsl7egcmfvQsLgAwEhp1vQPJTxkNNJ6BM=
>>>> foo.dname2.example.     0       IN      CNAME   foo.dname2-target.example.
>>>> foo.dname2-target.example. 300  IN      TXT     "testing dname"
>>>> foo.dname2-target.example. 300  IN      RRSIG   TXT 3 3 300 20110811002909 20110712002909 41604 example. BAXpPonMvpx/Dyw/z0UP9DwYiLWlrffj9zJF7V7kfxpLF7X/mTftZWE=
>>>> foo.dname2-target.example. 3600 IN      NSEC    dynamic.example. TXT RRSIG NSEC
>>>> foo.dname2-target.example. 3600 IN      RRSIG   NSEC 3 3 3600 20110811002909 20110712002909 41604 example. BFyRlAUY3vBL2E7JEyezzaxjgBoycn0M5ZXJ8vRxa7suQi7cnoo6Z1s=
>>>>
>>>> ;; AUTHORITY SECTION:
>>>> example.                300     IN      NS      ns2.example.
>>>> example.                300     IN      NS      ns3.example.
>>>>
>>>> ;; ADDITIONAL SECTION:
>>>> ns2.example.            300     IN      A       10.53.0.2
>>>> ns3.example.            300     IN      A       10.53.0.3
>>>>
>>>> ;; Query time: 92 msec
>>>> ;; SERVER: 10.53.0.8#53(10.53.0.8)
>>>> ;; WHEN: Tue Jul 12 09:38:11 2011
>>>> ;; MSG SIZE  rcvd: 474
> 
_______________________________________________
Unbound-users mailing list
Unbound-users at unbound.net
http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
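As an added illustration of the rule Wouter states above (this is example code, not code from Unbound, BIND or the thread), a small Python model of how a validator decides the AD flag for a DNAME/CNAME chain: AD only when every RRset in the answer is secure, a chain into a provably unsigned zone makes the answer insecure, and unsigned data where a signature was required is bogus. The records and trust state are constructed from the thread's dig output with signatures elided; `SECURE_ZONES`, `in_zone`, `rrset_status` and `ad_flag` are this example's own names, not Unbound's.

```python
from dataclasses import dataclass
from typing import AbstractSet, List, Optional, Tuple

# Constructed trust state: zones with a verified chain of trust from the anchor.
SECURE_ZONES = {"example."}

@dataclass
class RRset:
    owner: str
    rtype: str
    rdata: str
    signer: Optional[str]  # signer name from the RRSIG, None when unsigned

def in_zone(name: str, zone: str) -> bool:
    return name == zone or name.endswith("." + zone)

def dname_synth(dname: RRset, qname: str) -> str:
    """Apply the DNAME substitution of RFC 6672 to a name below the DNAME owner."""
    return qname[: -len(dname.owner)] + dname.rdata

def rrset_status(rr: RRset, answer: List[RRset], insecure: AbstractSet[str]) -> str:
    """'secure', 'insecure' or 'bogus' for one RRset; the signature crypto itself
    is assumed to have been checked already, this only models the policy."""
    if rr.signer in SECURE_ZONES and in_zone(rr.owner, rr.signer):
        return "secure"
    if rr.rtype == "CNAME":  # an unsigned CNAME is fine if synthesized from a secure DNAME
        for d in answer:
            if (d.rtype == "DNAME" and rr.owner != d.owner and in_zone(rr.owner, d.owner)
                    and rrset_status(d, answer, insecure) == "secure"
                    and dname_synth(d, rr.owner) == rr.rdata):
                return "secure"
    if any(in_zone(rr.owner, z) for z in insecure):
        return "insecure"  # unsigned data under a delegation proven unsigned (NSEC/NSEC3)
    return "bogus"  # unsigned data where a signature was required

def ad_flag(answer: List[RRset], insecure: AbstractSet[str] = frozenset()) -> Tuple[bool, str]:
    """AD may be set only when every RRset in the chain is secure; one bogus RRset
    makes the whole answer bogus (SERVFAIL unless the client set CD)."""
    statuses = {rrset_status(rr, answer, insecure) for rr in answer}
    if "bogus" in statuses:
        return False, "bogus"
    return (True, "secure") if statuses == {"secure"} else (False, "insecure")

# Constructed records modelled on the thread's dig output (signatures elided).
DNAME = RRset("dname2.example.", "DNAME", "dname2-target.example.", "example.")
CNAME = RRset("foo.dname2.example.", "CNAME", "foo.dname2-target.example.", None)
TXT_SIGNED = RRset("foo.dname2-target.example.", "TXT", '"testing dname"', "example.")
TXT_UNSIGNED = RRset("foo.dname2-target.example.", "TXT", '"testing dname"', None)
```

`ad_flag([DNAME, CNAME, TXT_SIGNED])` yields a secure answer with AD, while the same chain ending in an unsigned TXT under a proven-unsigned `dname2-target.example.` yields insecure without AD, and an unsigned TXT with no such proof is bogus.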
