Maintained by: NLnet Labs

[Unbound-users] Issue in DNSSEC

Jan Komissar (jkomissa)
Fri May 20 20:43:11 CEST 2011


Hi Cyril,


It looks like your version of dig is very old. The TYPE46 RR is actually
an RRSIG. Since dig doesn't recognize that, it may not recognize the AD
flag either.


Jan.


From: unbound-users-bounces at NLnetLabs.nl
[mailto:unbound-users-bounces at NLnetLabs.nl] On Behalf Of Cyril Benedict
Sent: Friday, May 20, 2011 1:51 PM
To: unbound-users
Subject: [Unbound-users] Issue in DNSSEC


Hi All,

I am new to unbound DNS. I have installed unbound DNS on a Windows
machine. Normal queries were working fine without DNSSEC. But when I
tried to enable DNSSEC and validate the queries, it's not working. I
expect the AD flag bit to be set in my response. Here below is my
unbound.conf file:

# Unbound configuration file on windows.
# See example.conf for more settings and syntax
server:
        verbosity: 1
        statistics-interval: 30
        num-threads: 1
        interface: 0.0.0.0

        # enable cumulative statistics, without clearing them after printing.
        statistics-cumulative: yes

        # enable extended statistics (query types, answer codes, status)
        # printed from unbound-control. default off, because of speed.
        extended-statistics: yes

        outgoing-range: 512
        num-queries-per-thread: 1024

        msg-cache-size: 16m
        rrset-cache-size: 32m

        msg-cache-slabs: 4
        rrset-cache-slabs: 4

        cache-max-ttl: 86400
        infra-host-ttl: 60
        infra-lame-ttl: 120

        infra-cache-numhosts: 10000
        infra-cache-lame-size: 10k

        do-ip4: yes
        do-ip6: no
        do-udp: yes
        do-tcp: yes
        do-daemonize: yes

        access-control: 0.0.0.0/0 allow
        access-control: 192.168.1.0/24 allow
        access-control: 172.16.0.0/12 allow
        access-control: 10.0.0.0/8 allow
        access-control: 127.0.0.0/8 allow
        #access-control: 0.0.0.0/0 refuse

        #chroot: "/etc/unbound"
        #username: "unbound"
        #directory: "/etc/unbound"
        logfile: "C:\unbound.log"
        #use-syslog: yes
        #logfile: ""
        #use-syslog: no
        #pidfile: "/etc/unbound/unbound.pid"
        root-hints: "C:\Program Files\Unbound\named.cache"
        server: auto-trust-anchor-file: "C:\Program Files\Unbound\root.key"
        server: dlv-anchor-file: "C:\Program Files\Unbound\dlv.isc.org.key"
        val-log-level: 2

        # File with trusted keys for validation. Specify more than one file
        # with several entries, one file per entry.
        # Zone file format, with DS and DNSKEY entries.
        # Note this gets out of date, use auto-trust-anchor-file please.
        #trust-anchor-file: ""

        # Harden against receiving dnssec-stripped data. If you turn it
        # off, failing to validate dnskey data for a trustanchor will
        # trigger insecure mode for that zone (like without a trustanchor).
        # Default on, which insists on dnssec data for trust-anchored zones.
        harden-dnssec-stripped: yes

        identity: "DNS"
        version: "1.4"
        hide-identity: yes
        hide-version: yes
        harden-glue: no
        do-not-query-address: 127.0.0.1/8
        do-not-query-localhost: yes
        module-config: "validator iterator"

-----------------------------------

When I ran dig, I got the output below:

C:\dig>dig com. SOA +dnssec +multiline

; <<>> DiG 9.2.3 <<>> com. SOA +dnssec +multiline
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 14, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;com.                   IN SOA

;; ANSWER SECTION:
com.                    878 IN SOA a.gtld-servers.net. nstld.verisign-grs.com. (
                                1305905047 ; serial
                                1800       ; refresh (30 minutes)
                                900        ; retry (15 minutes)
                                604800     ; expire (1 week)
                                86400      ; minimum (1 day)
                                )
com.                    878 IN TYPE46 \# 151 (
                                00060801000003844DDFC2174DD6772F8F6903636F6D
                                00B4491B54F5987CC2C80ED4C6C94F9AD856EB1BE3C1
                                34ACFD6AFA9651BCC29B4206C28F27FA342EA7A6EF38
                                24D06F2F3E88567E3C33836D81A6261B1012C9B66FC4
                                E6059621CF5F23AA3922120B2DA8351C7B64E682632F
                                33CB1DA9F2259F6CAA1CCD61446823FFB33C1CE5ECB1
                                3EBBED00281030ECEB97A331ECC0802DF9D889 )

;; AUTHORITY SECTION:
com.                    172778 IN NS a.gtld-servers.net.
com.                    172778 IN NS c.gtld-servers.net.
com.                    172778 IN NS j.gtld-servers.net.
com.                    172778 IN NS m.gtld-servers.net.
com.                    172778 IN NS l.gtld-servers.net.
com.                    172778 IN NS d.gtld-servers.net.
com.                    172778 IN NS b.gtld-servers.net.
com.                    172778 IN NS e.gtld-servers.net.
com.                    172778 IN NS f.gtld-servers.net.
com.                    172778 IN NS k.gtld-servers.net.
com.                    172778 IN NS i.gtld-servers.net.
com.                    172778 IN NS g.gtld-servers.net.
com.                    172778 IN NS h.gtld-servers.net.
com.                    172778 IN TYPE46 \# 151 (
                                000208010002A3004DDB30F54DD1E60D8F6903636F6D
                                0016A2B11A350932CEAF7999FE7BFB82DF31A1B4EBB0
                                3BB0F3C15E2D68C0568C3F2EEF8A7BC734C92FA5BA7F
                                18D64BF478942AA5436AABF08D66342720D103B292A4
                                D60A876FC6AE1D0FF23C15BDE9C4D3485FC1480DBAE8
                                2BC6A27C67E280A1836FB869850194F851CF53A1D7EB
                                F238FA9705E052D80311D0C31AE491255BCBB3 )

;; Query time: 15 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri May 20 20:54:59 2011
;; MSG SIZE  rcvd: 637

My root.key file, after updating it using unbound-anchor, is below:

; autotrust trust anchor file
;;id: . 1
;;last_queried: 1305905315 ;;Fri May 20 20:58:35 2011
;;last_success: 1305905315 ;;Fri May 20 20:58:35 2011
;;next_probe_time: 1305944244 ;;Sat May 21 07:47:24 2011
;;query_failed: 0
;;query_interval: 43200
;;retry_time: 8640
.    172800    IN    DNSKEY    257 3 8 XXXXXXXXXXXXXXXXXX


Please advise me of any documentation that will help me resolve the
issue. I would be grateful if someone could point out the problem. Thanks in
advance.

Thanks,
Cyril.
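Jan's diagnosis in the reply above (TYPE46 is an RRSIG that DiG 9.2.3 cannot decode) can be checked by hand from the hex that dig did print in the answer section. The following Python script is an added example, not code from Unbound or from either poster: it parses the RFC 3597 generic `TYPEnn \# <length> <hex>` form and splits the RDATA into the RRSIG fields defined in RFC 4034 section 3.1. The record embedded in it is the SOA RRSIG for com. copied from the dig output in the thread, with the mail-archive line wraps re-joined; the TYPE_NAMES and ALGORITHM_NAMES tables are short lookups I added and cover only the common IANA codes.

```python
"""Decode a dig "TYPE46 \\# <len> <hex>" record as an RRSIG (RFC 4034 3.1).

Added example: the RDATA below is the SOA RRSIG for com. from the dig
output quoted in the thread, not code from Unbound or from the posters.
"""
import re
import struct
from datetime import datetime, timezone

# Copied from the thread's dig output (mail-archive line wraps re-joined).
DIG_TYPE46_RECORD = r"""
com.                    878 IN TYPE46 \# 151 (
        00060801000003844DDFC2174DD6772F8F6903636F6D
        00B4491B54F5987CC2C80ED4C6C94F9AD856EB1BE3C1
        34ACFD6AFA9651BCC29B4206C28F27FA342EA7A6EF38
        24D06F2F3E88567E3C33836D81A6261B1012C9B66FC4
        E6059621CF5F23AA3922120B2DA8351C7B64E682632F
        33CB1DA9F2259F6CAA1CCD61446823FFB33C1CE5ECB1
        3EBBED00281030ECEB97A331ECC0802DF9D889 )
"""

RRSIG_TYPE = 46
# Partial lookup tables (IANA DNS parameters); unknown codes fall back to numbers.
TYPE_NAMES = {1: "A", 2: "NS", 6: "SOA", 15: "MX", 16: "TXT",
              28: "AAAA", 43: "DS", 48: "DNSKEY"}
ALGORITHM_NAMES = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256",
                   10: "RSASHA512", 13: "ECDSAP256SHA256"}


def parse_generic_rdata(record_text):
    """Return (type_number, rdata_bytes) from an RFC 3597 generic record.

    Raises ValueError when the declared length and the hex payload disagree,
    which is the first thing to check on data re-typed from a mail archive."""
    m = re.search(r"TYPE(\d+)\s+\\#\s+(\d+)\s+\(?\s*([0-9A-Fa-f\s]+)\)?", record_text)
    if m is None:
        raise ValueError("not an RFC 3597 generic record")
    type_num, declared_len = int(m.group(1)), int(m.group(2))
    rdata = bytes.fromhex(re.sub(r"\s+", "", m.group(3)))
    if len(rdata) != declared_len:
        raise ValueError(f"declared {declared_len} bytes, got {len(rdata)}")
    return type_num, rdata


def read_name(data, offset):
    """Read an uncompressed wire-format name (RRSIG signer names are never compressed)."""
    labels = []
    while True:
        length = data[offset]
        offset += 1
        if length == 0:
            break
        if length > 63:
            raise ValueError("compression pointer or bad label in signer name")
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", offset


def decode_rrsig(rdata):
    """Split RRSIG RDATA into its 18-byte fixed header, signer name and signature."""
    if len(rdata) < 18:
        raise ValueError("RRSIG RDATA too short")
    (type_covered, algorithm, labels, original_ttl,
     expiration, inception, key_tag) = struct.unpack("!HBBIIIH", rdata[:18])
    signer, sig_start = read_name(rdata, 18)
    return {
        "type_covered": type_covered,
        "algorithm": algorithm,
        "algorithm_name": ALGORITHM_NAMES.get(algorithm, f"alg{algorithm}"),
        "labels": labels,
        "original_ttl": original_ttl,
        "expiration": expiration,  # 32-bit seconds since the epoch
        "inception": inception,
        "key_tag": key_tag,
        "signer": signer,
        "signature": rdata[sig_start:],
    }


def dnssec_time(ts):
    """Format a signature time the way dig does: YYYYMMDDHHMMSS in UTC."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y%m%d%H%M%S")


def present_as_rrsig(record_text):
    """Render a TYPE46 record the way a DNSSEC-aware dig would print it."""
    type_num, rdata = parse_generic_rdata(record_text)
    if type_num != RRSIG_TYPE:
        raise ValueError(f"TYPE{type_num} is not RRSIG")
    r = decode_rrsig(rdata)
    return "RRSIG {} {} {} {} {} {} {} {} <{}-byte signature>".format(
        TYPE_NAMES.get(r["type_covered"], f"TYPE{r['type_covered']}"),
        r["algorithm"], r["labels"], r["original_ttl"],
        dnssec_time(r["expiration"]), dnssec_time(r["inception"]),
        r["key_tag"], r["signer"], len(r["signature"]))


if __name__ == "__main__":
    print(present_as_rrsig(DIG_TYPE46_RECORD))
```

Running it prints `RRSIG SOA 8 1 900 20110527152407 20110520141407 36713 com. <128-byte signature>`: a signature over the SOA RRset by the com. key with tag 36713, algorithm 8 (RSASHA256), a 128-byte (1024-bit) RSA signature, and a validity window that covers the query time shown in the dig output. Decoding the record confirms Jan's point that the resolver returned DNSSEC material; whether validation succeeded is a separate question that only the AD bit in the header flags line answers, and that line comes from the client, so checking it with a current dig is the next step.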
