
[Unbound-users] Having issues in DNSSEC validation

Cyril Benedict
Fri May 20 17:32:57 CEST 2011


Hi All,

I have installed Unbound DNS on a Windows machine. Normal queries were working
fine without DNSSEC. But when I tried to enable DNSSEC and validate the
queries by checking for the AD bit, it did not work. My unbound.conf file
is below:

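# Unbound configuration file on windows.
# See example.conf for more settings and syntax
server:
        verbosity: 1
        statistics-interval: 30
        num-threads: 1
        # Listens on every IPv4 address of the host; together with the
        # 0.0.0.0/0 allow rule below this is an open resolver reachable
        # from any network the host is attached to.
        interface: 0.0.0.0

        # enable cumulative statistics, without clearing them after printing.
        statistics-cumulative: yes

        # enable extended statistics (query types, answer codes, status)
        # printed from unbound-control. default off, because of speed.
        extended-statistics: yes

        outgoing-range: 512
        num-queries-per-thread: 1024

        msg-cache-size: 16m
        rrset-cache-size: 32m

        msg-cache-slabs: 4
        rrset-cache-slabs: 4

        cache-max-ttl: 86400
        infra-host-ttl: 60
        infra-lame-ttl: 120

        infra-cache-numhosts: 10000
        infra-cache-lame-size: 10k

        do-ip4: yes
        do-ip6: no
        do-udp: yes
        do-tcp: yes
        do-daemonize: yes

        # NOTE(review): the first rule already allows every source address,
        # so the four private-range rules after it never narrow anything.
        # If only the private ranges were meant, the commented-out refuse
        # line is the intended default and the 0.0.0.0/0 allow should go.
        access-control: 0.0.0.0/0 allow
        access-control: 192.168.1.0/24 allow
        access-control: 172.16.0.0/12 allow
        access-control: 10.0.0.0/8 allow
        access-control: 127.0.0.0/8 allow
        #access-control: 0.0.0.0/0 refuse

        #chroot: "/etc/unbound"
        #username: "unbound"
        #directory: "/etc/unbound"
        logfile: "C:\unbound.log"
        #use-syslog: yes
        #logfile: ""
        #use-syslog: no
        #pidfile: "/etc/unbound/unbound.pid"
        root-hints: "C:\Program Files\Unbound\named.cache"
        # Trust anchors for validation. The inline "server:" prefix that the
        # original had on these two lines only reopened the clause that is
        # already open; it is dropped so the file reads as one server block.
        auto-trust-anchor-file: "C:\Program Files\Unbound\root.key"
        # ISC's DLV registry has since been retired; keep this only while it
        # is still needed for zones without a chain of trust from the root.
        dlv-anchor-file: "C:\Program Files\Unbound\dlv.isc.org.key"
        # Level 2 logs the reason for every validation failure; useful while
        # debugging the missing AD bit, noisy in normal operation.
        val-log-level: 2

        # File with trusted keys for validation. Specify more than one file
        # with several entries, one file per entry.
        # Zone file format, with DS and DNSKEY entries.
        # Note this gets out of date, use auto-trust-anchor-file please.
        #trust-anchor-file: ""

        # Harden against receiving dnssec-stripped data. If you turn it
        # off, failing to validate dnskey data for a trustanchor will
        # trigger insecure mode for that zone (like without a trustanchor).
        # Default on, which insists on dnssec data for trust-anchored zones.
        harden-dnssec-stripped: yes

        # identity/version are never served while hide-identity and
        # hide-version are set, so these two strings have no effect.
        identity: "DNS"
        version: "1.4"
        hide-identity: yes
        hide-version: yes
        # NOTE(review): harden-glue defaults to yes; turning it off makes
        # Unbound trust glue records outside the delegating server's
        # authority. Re-check that this is deliberate.
        harden-glue: no
        do-not-query-address: 127.0.0.1/8
        do-not-query-localhost: yes
        # Validator must precede iterator for answers to be validated.
        module-config: "validator iterator"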

-----------------------------------

When I ran dig, I got the output below:

C:\dig>dig com. SOA +dnssec +multiline

; <<>> DiG 9.2.3 <<>> com. SOA +dnssec +multiline
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 14, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;com.                   IN SOA

;; ANSWER SECTION:
com.                    878 IN SOA a.gtld-servers.net.
nstld.verisign-grs.com. (

                                1305905047 ; serial
                                1800       ; refresh (30 minutes)
                                900        ; retry (15 minutes)
                                604800     ; expire (1 week)
                                86400      ; minimum (1 day)
                                )
com.                    878 IN TYPE46 \# 151 (
00060801000003844DDFC2174DD6772F8
F6903636F6D
                                00B4491B54F5987CC2C80ED4C6C94F9AD856EB1BE3C1
                                34ACFD6AFA9651BCC29B4206C28F27FA342EA7A6EF38
                                24D06F2F3E88567E3C33836D81A6261B1012C9B66FC4
                                E6059621CF5F23AA3922120B2DA8351C7B64E682632F
                                33CB1DA9F2259F6CAA1CCD61446823FFB33C1CE5ECB1
                                3EBBED00281030ECEB97A331ECC0802DF9D889 )

;; AUTHORITY SECTION:
com.                    172778 IN NS a.gtld-servers.net.
com.                    172778 IN NS c.gtld-servers.net.
com.                    172778 IN NS j.gtld-servers.net.
com.                    172778 IN NS m.gtld-servers.net.
com.                    172778 IN NS l.gtld-servers.net.
com.                    172778 IN NS d.gtld-servers.net.
com.                    172778 IN NS b.gtld-servers.net.
com.                    172778 IN NS e.gtld-servers.net.
com.                    172778 IN NS f.gtld-servers.net.
com.                    172778 IN NS k.gtld-servers.net.
com.                    172778 IN NS i.gtld-servers.net.
com.                    172778 IN NS g.gtld-servers.net.
com.                    172778 IN NS h.gtld-servers.net.
com.                    172778 IN TYPE46 \# 151 (
000208010002A3004DDB30F54DD1E6
0D8F6903636F6D
                                0016A2B11A350932CEAF7999FE7BFB82DF31A1B4EBB0
                                3BB0F3C15E2D68C0568C3F2EEF8A7BC734C92FA5BA7F
                                18D64BF478942AA5436AABF08D66342720D103B292A4
                                D60A876FC6AE1D0FF23C15BDE9C4D3485FC1480DBAE8
                                2BC6A27C67E280A1836FB869850194F851CF53A1D7EB
                                F238FA9705E052D80311D0C31AE491255BCBB3 )

;; Query time: 15 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri May 20 20:54:59 2011
;; MSG SIZE  rcvd: 637

My root.key file (after the file was updated) is below:

; autotrust trust anchor file
;;id: . 1
;;last_queried: 1305905315 ;;Fri May 20 20:58:35 2011
;;last_success: 1305905315 ;;Fri May 20 20:58:35 2011
;;next_probe_time: 1305944244 ;;Sat May 21 07:47:24 2011
;;query_failed: 0
;;query_interval: 43200
;;retry_time: 8640
.    172800    IN    DNSKEY    257 3 8
AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=
;{id = 19036 (ksk), size = 2048b} ;;state=2 [  VALID  ] ;;count=0
;;lastchange=1304618740 ;;Thu May  5 23:35:40 2011


I can see that the AD bit is *NOT* set. Please advise me on what I need to do.

Thanks,
Cyril.