Maintained by: NLnet Labs

[Unbound-users] Expired RRSIGs, yet still "AD" flag set

Hauke Lampe
Wed Mar 30 13:54:44 CEST 2011


Hi.

I have a case here where RRSIGs expired, yet Unbound still sets the "AD"
flag in responses. The records have a TTL of 2 days, so I think the
signatures expired while in the cache and Unbound did not revalidate
them before handing out the answer.

I'm not too deep into the details of all DNSSEC RFCs. Is this behaviour
permitted by the standard or is it a bug in Unbound?

Installed version is svn rev. 2406.


> ; <<>> DiG 9.8.0rc1 <<>> +dnssec mixmaster.mixmin.net mx @10.42.22.8
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13580
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 9
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 65432
> ;; QUESTION SECTION:
> ;mixmaster.mixmin.net.          IN      MX
> 
> ;; ANSWER SECTION:
> mixmaster.mixmin.net.   18287   IN      MX      10 snorky.mixmin.net.
> mixmaster.mixmin.net.   18287   IN      RRSIG   MX 5 3 172800 20110328161855 20110226161855 58161 mixmin.net. xIOOe273z9oJb6EM4l0/KzqrYYXUHUbQRP89U1GMjyJ/hYdNhRZGzCj2 RcRx21v3hjL+1F9KCc280MqXUo6FGKUBC4ZQ09geQ5dkHEesXi8Cwoo1 QcETDvSmTR3/PN0Bz/Ho77m/+7DgrV6dRexABBpTWNYio+OBO8kCR1+y iq0=
> 
> ;; AUTHORITY SECTION:
> mixmin.net.             16906   IN      NS      asteria.debian.or.at.
> mixmin.net.             16906   IN      NS      snorky.mixmin.net.
> mixmin.net.             16906   IN      NS      fleegle.mixmin.net.
> mixmin.net.             16906   IN      RRSIG   NS 5 2 172800 20110328161855 20110226161855 58161 mixmin.net. ezh+yZwfiaI7D9j0m5cV2nhVb7SLPpx3OJymq7GyjT/q3foKCBTUNq5A CqQP5c/ewSenV2uFeDVhQLaeldT6O6Sv+V+Wa+OU7Xc6qFE4IXjM4+Uv DjUhk+e/kV81Gh+I3Z5AvmQ9/H5dTCno6HBp/lzoDj/iU11tcWw3cnK+ K2w=
> 
> ;; ADDITIONAL SECTION:
> snorky.mixmin.net.      16906   IN      A       188.40.76.149
> snorky.mixmin.net.      16906   IN      AAAA    2a01:4f8:100:5243::3
> fleegle.mixmin.net.     16906   IN      A       82.133.6.118
> fleegle.mixmin.net.     16906   IN      AAAA    2002:5285:676::1
> snorky.mixmin.net.      16906   IN      RRSIG   A 5 3 172800 20110328161855 20110226161855 58161 mixmin.net. 5+XnM1ATswU8jCbVfEv8YXGbJV2XPH3bbLmNwHCe5Kr+WmMTZ4T/+udL 8fwh/TxDnEDTj5/MZOC5C/7z1/FbPwzkBU5sYWezLnCNrq7IyWr7WlHe nZBu47J48xQuTz1Ag74mCIBUNfEvZ72TPnjEr5X+O1wDfSfcCFOP4nYB sJE=
> snorky.mixmin.net.      16906   IN      RRSIG   AAAA 5 3 172800 20110328161855 20110226161855 58161 mixmin.net. y5a5ai11w1lERhTwlXGj8pcACFSuvcQcKokFHQ/fVBO5b30BKRs2rQ6P n37RO0p9WfcXgYg3Exhv6ae9FyPfbAjHwmGFCr/wl5MJN1s24DG9aj2b L/Rf+AK+Vunyjg4GXYLBZVaC59CZNef/gXlSFquh9RKKwcjVMI8/HM0j JYQ=
> fleegle.mixmin.net.     16906   IN      RRSIG   A 5 3 172800 20110328161855 20110226161855 58161 mixmin.net. 5aglAu0Q61hTr+8lpJk2zWt6XJ9U7sO2Vl6tktDTh4ywr3JR/CrbnzRS jeOO0ZOPopXenSUayQ7t5q7LP2wD2giP9YSWsrFXZBZ0a2po5vkxCsCg aY6LKNPK6tXV2uuZWw0s4XOwC0y7HZ6W2j8atovfVrghtx8Tn0gkL7V0 uVA=
> fleegle.mixmin.net.     16906   IN      RRSIG   AAAA 5 3 172800 20110328161855 20110226161855 58161 mixmin.net. XZWrf/dDj1RgG3cAXBB2oTKgi0tqAkJf4q8lNc0l2i/eqSYiaZAEHEgC RmRVG4W+GmSrb5vp49NCATcCFDe/vmHH9TlN60hQVFkdj6P3i8t/2TxC M9EUtCeX0prPCNuZpJeLYBuXU03hFEnyUag3td6mgW9pCSGaW4c3nxR5 tZo=
> 
> ;; Query time: 25 msec
> ;; SERVER: 10.42.22.8#53(10.42.22.8)
> ;; WHEN: Wed Mar 30 13:39:12 2011
> ;; MSG SIZE  rcvd: 1250


Hauke.
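
An added example, not part of the original post: a check that reads `dig +dnssec` output like the one quoted above and reports RRSIGs that are already expired, or whose cached TTL would outlive the signature, together with whether the AD flag was set. The function name `check_dig_output`, the abbreviated sample, and the conversion of dig's `WHEN` line from CEST to UTC are assumptions made for this example.

```python
import re
from datetime import datetime, timezone

# Constructed sample: abbreviated from the dig output quoted in the post
# (signature data replaced by the placeholder "sig=").
SAMPLE = """\
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 9
> mixmaster.mixmin.net.   18287   IN      MX      10 snorky.mixmin.net.
> mixmaster.mixmin.net.   18287   IN      RRSIG   MX 5 3 172800 20110328161855 20110226161855 58161 mixmin.net. sig=
> mixmin.net.             16906   IN      RRSIG   NS 5 2 172800 20110328161855 20110226161855 58161 mixmin.net. sig=
"""

Q = r"^(?:>\s*)?"  # tolerate the "> " quoting used in the mail
FLAGS_RE = re.compile(Q + r";; flags:([^;]*);", re.M)
RRSIG_RE = re.compile(
    Q + r"(?P<owner>\S+)\s+(?P<ttl>\d+)\s+IN\s+RRSIG\s+(?P<covered>\S+)"
    r"\s+\d+\s+\d+\s+\d+\s+(?P<expire>\d{14})\s+(?P<incept>\d{14})\s", re.M)

def _ts(stamp):
    # RRSIG times in presentation format are YYYYMMDDHHmmSS in UTC (RFC 4034, 3.2).
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def check_dig_output(text, now):
    """Return (ad_flag_set, findings); a finding is
    (owner, covered_type, status, seconds_until_expiry)."""
    m = FLAGS_RE.search(text)
    ad = bool(m) and "ad" in m.group(1).split()
    findings = []
    for r in RRSIG_RE.finditer(text):
        remaining = int((_ts(r["expire"]) - now).total_seconds())
        if remaining < 0:
            status = "expired"
        elif int(r["ttl"]) > remaining:
            # RFC 4035, 5.3.3 caps a validated RRset's TTL at
            # signature expiration minus current time.
            status = "ttl-outlives-signature"
        else:
            continue
        findings.append((r["owner"], r["covered"], status, remaining))
    return ad, findings

if __name__ == "__main__":
    # dig's WHEN line (13:39:12), assumed to be CEST, converted to UTC.
    when = datetime(2011, 3, 30, 11, 39, 12, tzinfo=timezone.utc)
    ad, findings = check_dig_output(SAMPLE, when)
    for owner, covered, status, remaining in findings:
        print(f"AD={ad} {owner} {covered}: {status} ({remaining}s to expiry)")
```

A negative number of seconds means the signature had already expired at the reference time passed as `now`.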