Maintained by: NLnet Labs

[Unbound-users] "Tunnel" dnssec through local forward-zone?

Leen Besselink
Tue Jul 26 13:25:38 CEST 2011


On 07/26/2011 06:41 AM, Paul Wouters wrote:
>
> The easiest integration would be to configure unbound with a forwarder
> for
> 127.0.0.1 XXX where XXX would lead into a tor virtual circuit to google's
> 8.8.8.8 open resolver (that supports dnssec). tor could frequently change

Hi Paul,

Are you sure 8.8.8.8 supports DNSSEC? Because then I would have
expected this to work:

$ cat /etc/resolv.conf
nameserver 8.8.8.8
$ ./unbound-host -h | grep Version # with ldns-1.6.10 and only one configure option: --disable-gost
Version 1.4.12
$ ./unbound-host -r -d -vy '. DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5' cz -t DS
[1311679359] libunbound[32251:0] notice: init module 0: validator
[1311679359] libunbound[32251:0] notice: init module 1: iterator
[1311679359] libunbound[32251:0] info: resolving cz. DS IN
[1311679359] libunbound[32251:0] info: response for cz. DS IN
[1311679359] libunbound[32251:0] info: reply from <.> 8.8.8.8#53
[1311679359] libunbound[32251:0] info: query response was nodata ANSWER
[1311679359] libunbound[32251:0] info: prime trust anchor
[1311679359] libunbound[32251:0] info: resolving . DNSKEY IN
[1311679359] libunbound[32251:0] info: response for . DNSKEY IN
[1311679359] libunbound[32251:0] info: reply from <.> 8.8.8.8#53
[1311679359] libunbound[32251:0] info: query response was ANSWER
[1311679359] libunbound[32251:0] info: validate keys with anchor(DS): sec_status_secure
[1311679359] libunbound[32251:0] info: Successfully primed trust anchor . DNSKEY IN
[1311679359] libunbound[32251:0] info: resolving cz. DS IN
[1311679359] libunbound[32251:0] info: NSEC3s for the referral did not prove no DS.
[1311679359] libunbound[32251:0] info: resolving cz. DS IN
[1311679359] libunbound[32251:0] info: response for cz. DS IN
[1311679359] libunbound[32251:0] info: reply from <.> 8.8.8.8#53
[1311679359] libunbound[32251:0] info: query response was nodata ANSWER
[1311679359] libunbound[32251:0] info: NSEC3s for the referral did not prove no DS.
[1311679359] libunbound[32251:0] info: resolving cz. DS IN
[1311679359] libunbound[32251:0] info: response for cz. DS IN
[1311679359] libunbound[32251:0] info: reply from <.> 8.8.8.8#53
[1311679359] libunbound[32251:0] info: query response was nodata ANSWER
[1311679359] libunbound[32251:0] info: NSEC3s for the referral did not prove no DS.
[1311679359] libunbound[32251:0] info: resolving cz. DS IN
[1311679359] libunbound[32251:0] info: response for cz. DS IN
[1311679359] libunbound[32251:0] info: reply from <.> 8.8.8.8#53
[1311679359] libunbound[32251:0] info: query response was nodata ANSWER
[1311679359] libunbound[32251:0] info: NSEC3s for the referral did not prove no DS.
[1311679359] libunbound[32251:0] info: resolving cz. DS IN
[1311679359] libunbound[32251:0] info: response for cz. DS IN
[1311679359] libunbound[32251:0] info: reply from <.> 8.8.8.8#53
[1311679359] libunbound[32251:0] info: query response was nodata ANSWER
[1311679359] libunbound[32251:0] info: NSEC3s for the referral did not prove no DS.
[1311679359] libunbound[32251:0] info: resolving cz. DS IN
[1311679360] libunbound[32251:0] info: response for cz. DS IN
[1311679360] libunbound[32251:0] info: reply from <.> 8.8.8.8#53
[1311679360] libunbound[32251:0] info: query response was nodata ANSWER
[1311679360] libunbound[32251:0] info: NSEC3s for the referral did not prove no DS.
[1311679360] libunbound[32251:0] info: Could not establish a chain of trust to keys for cz. DNSKEY IN
cz has no DS record (BOGUS (security failure))
validation failure <cz. DS IN>: no signatures with algorithm RSASHA256 from 8.8.8.8 for DS cz. while building chain of trust
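The run above is easier to reason about once the libunbound debug output is reduced to a handful of facts: was the root anchor primed, which upstream answered, how many NSEC3 denials the validator rejected, where the chain of trust broke, and what unbound-host finally reported. The following Python script is an added example, not code from the thread or from NLnet Labs; it parses a constructed excerpt in the shape of the `unbound-host -d -vy` output quoted in the mail (mail-wrapped records rejoined onto one line) and returns that summary, so the same check can be applied to any forwarder before pointing a validating unbound at it.

```python
import re

# Constructed sample: an excerpt shaped like the `unbound-host -d -vy` output
# quoted in the mail above, with mail-wrapped records rejoined onto one line.
SAMPLE_LOG = """\
[1311679359] libunbound[32251:0] notice: init module 0: validator
[1311679359] libunbound[32251:0] notice: init module 1: iterator
[1311679359] libunbound[32251:0] info: resolving cz. DS IN
[1311679359] libunbound[32251:0] info: response for cz. DS IN
[1311679359] libunbound[32251:0] info: reply from <.> 8.8.8.8#53
[1311679359] libunbound[32251:0] info: query response was nodata ANSWER
[1311679359] libunbound[32251:0] info: prime trust anchor
[1311679359] libunbound[32251:0] info: resolving . DNSKEY IN
[1311679359] libunbound[32251:0] info: response for . DNSKEY IN
[1311679359] libunbound[32251:0] info: reply from <.> 8.8.8.8#53
[1311679359] libunbound[32251:0] info: query response was ANSWER
[1311679359] libunbound[32251:0] info: validate keys with anchor(DS): sec_status_secure
[1311679359] libunbound[32251:0] info: Successfully primed trust anchor . DNSKEY IN
[1311679359] libunbound[32251:0] info: resolving cz. DS IN
[1311679359] libunbound[32251:0] info: NSEC3s for the referral did not prove no DS.
[1311679359] libunbound[32251:0] info: resolving cz. DS IN
[1311679359] libunbound[32251:0] info: response for cz. DS IN
[1311679359] libunbound[32251:0] info: reply from <.> 8.8.8.8#53
[1311679359] libunbound[32251:0] info: query response was nodata ANSWER
[1311679359] libunbound[32251:0] info: NSEC3s for the referral did not prove no DS.
[1311679360] libunbound[32251:0] info: Could not establish a chain of trust to keys for cz. DNSKEY IN
cz has no DS record (BOGUS (security failure))
validation failure <cz. DS IN>: no signatures with algorithm RSASHA256 from 8.8.8.8 for DS cz. while building chain of trust
"""

# One libunbound record: "[ts] libunbound[pid:tid] level: message"
LOG_RE = re.compile(r"^\[(?P<ts>\d+)\] libunbound\[\d+:\d+\] (?P<level>\w+): (?P<msg>.*)$")
REPLY_RE = re.compile(r"^reply from <(?P<zone>[^>]*)> (?P<server>\S+)$")
CHAIN_RE = re.compile(r"^Could not establish a chain of trust to keys for (?P<name>\S+) DNSKEY IN$")
ALG_RE = re.compile(r"no signatures with algorithm (?P<alg>\w+) from (?P<server>\S+)")
# unbound-host's own result line ends in "(secure)", "(insecure)" or "(BOGUS (...))"
FINAL_RE = re.compile(r"\((?P<status>secure|insecure|BOGUS)[ )]")


def analyze(log_text):
    """Reduce an unbound-host debug run to the facts a validation triage needs."""
    s = {
        "anchor_primed": False,     # did '. DNSKEY' validate against the -y anchor?
        "upstreams": set(),         # every server that answered
        "nodata_responses": 0,      # answers carrying no RRset for the qname/qtype
        "nsec3_failures": 0,        # denial-of-existence proofs the validator rejected
        "chain_failed_for": None,   # owner name where the chain of trust broke
        "missing_algorithm": None,  # signature algorithm expected but not seen
        "verdict": "unknown",       # secure / insecure / bogus from the final line
    }
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LOG_RE.match(line)
        if m:
            msg = m.group("msg")
            reply = REPLY_RE.match(msg)
            chain = CHAIN_RE.match(msg)
            if msg.startswith("Successfully primed trust anchor"):
                s["anchor_primed"] = True
            elif reply:
                s["upstreams"].add(reply.group("server"))
            elif msg == "query response was nodata ANSWER":
                s["nodata_responses"] += 1
            elif msg.startswith("NSEC3s for the referral did not prove"):
                s["nsec3_failures"] += 1
            elif chain:
                s["chain_failed_for"] = chain.group("name")
            continue
        # Lines without the libunbound prefix are unbound-host's own result text.
        alg = ALG_RE.search(line)
        if alg:
            s["missing_algorithm"] = alg.group("alg")
        final = FINAL_RE.search(line)
        if final:
            s["verdict"] = final.group("status").lower()
    return s


def explain(s):
    """Turn the summary into the short reading a list reply would give."""
    notes = []
    if s["anchor_primed"]:
        notes.append("root trust anchor primed: the upstream returned root DNSKEYs "
                     "that validate against the configured DS")
    if s["verdict"] == "bogus" and s["chain_failed_for"]:
        notes.append("chain of trust broke at %s after %d rejected NSEC3 denials "
                     "and %d nodata answers"
                     % (s["chain_failed_for"], s["nsec3_failures"], s["nodata_responses"]))
    if s["missing_algorithm"]:
        notes.append("the DS answer carried no %s signatures, so the validator "
                     "could not accept it" % s["missing_algorithm"])
    return notes


if __name__ == "__main__":
    summary = analyze(SAMPLE_LOG)
    print("verdict:", summary["verdict"], "via", ", ".join(sorted(summary["upstreams"])))
    for note in explain(summary):
        print(" -", note)
```

Feed it the full output of a run (`./unbound-host -r -d -vy '<anchor>' <name> -t DS 2>&1 | python3 triage.py` with a small `sys.stdin.read()` in place of `SAMPLE_LOG`) and compare the verdict across candidate forwarders; a primed anchor together with a bogus verdict and a missing-algorithm line is the signature of a forwarder that hands back root keys but not a validatable DS or denial for the child.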