Maintained by: NLnet Labs

[Unbound-users] NXDOMAIN vs SERVFAIL ?

Paul Wouters
Wed Mar 9 00:20:25 CET 2011


I am getting an NXDOMAIN from unbound 1.4.8 on compro.net.


  39.580: compro.net INFO Begin testing DNSSEC for compro.net.
  39.861: compro.net INFO Found DS record for compro.net at parent.
  44.869: compro.net NOTICE DNS lookup error (connection failed).
  45.358: compro.net INFO Servers for compro.net have consistent extra processing status.
  45.358: compro.net INFO Did not find DNSKEY record for compro.net at child.
  45.358: compro.net ERROR Inconsistent security for compro.net - DS found at parent, but no DNSKEY found at child.
  45.358: compro.net INFO Done testing DNSSEC for compro.net.
  45.358: compro.net INFO Test completed for zone compro.net.

bind 9.8.0 is giving a ServFail as I expected.

The DS record looks like:

compro.net.		86332	IN	DS	2211 3 1 1234567890123456789012345678901234567890

I could not get the DS from unbound either...

Note the hash is obviously fake.

unbound-host takes over 30 secs to respond, as does unbound as a daemon:

-bash-3.2# unbound-host -v compro.net. -C /etc/unbound/unbound.conf
Mar 08 18:07:08 libunbound[31511:0] notice: init module 0: validator
Mar 08 18:07:08 libunbound[31511:0] notice: init module 1: iterator
compro.net. has address 173.201.14.242 (BOGUS (security failure))
validation failure <compro.net. A IN>: No DNSKEY record from 208.109.255.1 for key compro.net. while building chain of trust
compro.net. has no IPv6 address (BOGUS (security failure))
validation failure <compro.net. AAAA IN>: key for validation compro.net. is marked as invalid because of a previous validation failure <compro.net. NS IN>: No DNSKEY record from 208.109.255.1 for key compro.net. while building chain of trust


compro.net. mail is handled by 10 mx2.compro.net. (BOGUS (security failure))
validation failure <compro.net. MX IN>: key for validation compro.net. is marked as invalid because of a previous validation failure <compro.net. NS IN>: No DNSKEY record from 208.109.255.1 for key compro.net. while building chain of trust

After a little while, or due to me querying and caching something, unbound
started giving me servfails. Though when querying with the +cd I still got
no data:

[paul@bofh ~]$ dig +dnssec +cd  compro.net @193.110.157.136

; <<>> DiG 9.7.3-RedHat-9.7.3-1.fc14 <<>> +dnssec +cd compro.net @193.110.157.136
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 60322
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;compro.net.			IN	A

;; Query time: 109 msec
;; SERVER: 193.110.157.136#53(193.110.157.136)
;; WHEN: Tue Mar  8 18:12:13 2011
;; MSG SIZE  rcvd: 39

Paul
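The situation in the post (a DS at the .net parent for compro.net, but no DNSKEY at the child) is exactly the check a validator performs at a delegation, and the outcome it should produce is "bogus", which a resolver reports as SERVFAIL, never NXDOMAIN. The following is an added example, not code from the post or from unbound: a small Python model of that DS-to-DNSKEY check following RFC 4034 (key tag from Appendix B, DS digest over owner name plus DNSKEY RDATA) and of the answer policy from RFC 4035, where a CD-flagged query gets the unvalidated data back instead of SERVFAIL. The RRSIG check over the DNSKEY RRset is deliberately left out, so "secure" here only means "the parent's DS points at a key the child actually publishes". The DNSKEY for example.net is constructed (its public-key bytes are not a real RSA key); the compro.net DS is the one quoted in the post, with the digest the poster says is fake, which does not matter for this case because there is no DNSKEY to compare it against.

```python
"""Model of the DS -> DNSKEY check at a delegation (RFC 4034/4035). Added example."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class DNSKEY:
    flags: int
    protocol: int
    algorithm: int
    pubkey: bytes


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: bytes


# RFC 4034 section 5.1.3 digest types: 1 = SHA-1, 2 = SHA-256, 4 = SHA-384
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def wire_name(name: str) -> bytes:
    """Canonical (lowercase) wire-format owner name, e.g. b'\\x06compro\\x03net\\x00'."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def dnskey_rdata(key: DNSKEY) -> bytes:
    """DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | public key."""
    return key.flags.to_bytes(2, "big") + bytes([key.protocol, key.algorithm]) + key.pubkey


def key_tag(key: DNSKEY) -> int:
    """RFC 4034 Appendix B key tag (every algorithm except the retired RSA/MD5)."""
    ac = 0
    for i, b in enumerate(dnskey_rdata(key)):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner: str, key: DNSKEY, digest_type: int = 2) -> DS:
    """The DS a parent should publish for this child key: hash(owner name | DNSKEY RDATA)."""
    digest = DIGEST_ALGS[digest_type](wire_name(owner) + dnskey_rdata(key)).digest()
    return DS(key_tag(key), key.algorithm, digest_type, digest)


def ds_matches(owner: str, ds: DS, key: DNSKEY) -> bool:
    """True when the parent's DS commits to exactly this child DNSKEY."""
    return (ds.digest_type in DIGEST_ALGS
            and ds.key_tag == key_tag(key)
            and ds.algorithm == key.algorithm
            and ds.digest == make_ds(owner, key, ds.digest_type).digest)


def classify(owner: str, parent_ds: list, child_dnskeys: list) -> str:
    """Security status of a delegation; the RRSIG over the DNSKEY RRset is not modelled."""
    if not parent_ds:
        return "insecure"  # unsigned delegation (a real validator also needs the NSEC/NSEC3 proof)
    if any(ds_matches(owner, ds, key) for ds in parent_ds for key in child_dnskeys):
        return "secure"
    return "bogus"  # DS at parent, but no DNSKEY at the child it can verify


def rcode_for(status: str, cd: bool = False) -> str:
    """Bogus data is SERVFAIL to the client (never NXDOMAIN); with CD set it is returned unvalidated."""
    if status == "bogus" and not cd:
        return "SERVFAIL"
    return "NOERROR"


# Constructed sample data (not a real key): a child KSK whose DS we derive ourselves.
EXAMPLE_KSK = DNSKEY(257, 3, 8, bytes([0x03, 0x01, 0x00, 0x01, 0xDE, 0xAD, 0xBE, 0xEF]))
EXAMPLE_DS = make_ds("example.net.", EXAMPLE_KSK)

# The DS quoted in the post for compro.net at the .net parent (digest fake, per the post).
COMPRO_DS = DS(2211, 3, 1, bytes.fromhex("1234567890123456789012345678901234567890"))


def demo() -> dict:
    return {
        "compro.net": classify("compro.net.", [COMPRO_DS], []),          # no DNSKEY at child
        "example.net": classify("example.net.", [EXAMPLE_DS], [EXAMPLE_KSK]),
        "unsigned.net": classify("unsigned.net.", [], []),
    }


if __name__ == "__main__":
    for zone, status in demo().items():
        print(f"{zone}: {status} -> {rcode_for(status)} (with CD: {rcode_for(status, cd=True)})")
```

Running it prints compro.net as bogus with SERVFAIL and NOERROR under CD, which is the behaviour the post expected from unbound and saw from bind. The NXDOMAIN the poster observed first cannot come out of this check at all: a validator that fails to build the chain of trust has a "bogus" result, and the only things that can turn that into a client-visible rcode are SERVFAIL or, with CD set, the unvalidated answer.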