Maintained by: NLnet Labs

[Unbound-users] Issue in DNSSEC

Cyril Benedict
Sat May 21 20:25:38 CEST 2011


Hi Jan,

Thanks a lot. After I used the dig that ships with BIND 9.5.0-P2, I got the AD bit set in my
response. It worked.

C:\BIND9.5.0-P2>dig dlv.isc.org. dnskey +dnssec +multiline @localhost

; <<>> DiG 9.5.0-P2 <<>> dlv.isc.org. dnskey +dnssec +multiline @localhost
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1195
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;dlv.isc.org.           IN DNSKEY

;; ANSWER SECTION:

Thanks,
Cyril.

On Sat, May 21, 2011 at 12:13 AM, Jan Komissar (jkomissa) <jkomissa at cisco.com> wrote:

> Hi Cyril,
>
> It looks like your version of dig is very old. The TYPE46 RR is actually an
> RRSIG. Since dig doesn't recognize that, it may not recognize the AD flag
> either.
>
> Jan.
>
> From: unbound-users-bounces at NLnetLabs.nl [mailto:unbound-users-bounces at NLnetLabs.nl] On Behalf Of Cyril Benedict
> Sent: Friday, May 20, 2011 1:51 PM
> To: unbound-users
> Subject: [Unbound-users] Issue in DNSSEC
>
> Hi All,
>
> I am new to Unbound DNS. I have installed Unbound DNS on a Windows machine.
> Normal queries were working fine without DNSSEC. But when I tried to enable
> DNSSEC and validate the queries, it is not working. I expect the AD flag bit
> to be set in my response. Here below is my unbound.conf file:
>
> # Unbound configuration file on windows.
> # See example.conf for more settings and syntax
> server:
>          verbosity: 1
>          statistics-interval: 30
>          num-threads: 1
>          interface: 0.0.0.0
>
>         # enable cumulative statistics, without clearing them after printing.
>         statistics-cumulative: yes
>
>         # enable extended statistics (query types, answer codes, status)
>         # printed from unbound-control. default off, because of speed.
>         extended-statistics: yes
>
>          outgoing-range: 512
>          num-queries-per-thread: 1024
>
>          msg-cache-size: 16m
>          rrset-cache-size: 32m
>
>          msg-cache-slabs: 4
>          rrset-cache-slabs: 4
>
>          cache-max-ttl: 86400
>          infra-host-ttl: 60
>          infra-lame-ttl: 120
>
>          infra-cache-numhosts: 10000
>          infra-cache-lame-size: 10k
>
>          do-ip4: yes
>          do-ip6: no
>          do-udp: yes
>          do-tcp: yes
>          do-daemonize: yes
>
>          access-control: 0.0.0.0/0 allow
>          access-control: 192.168.1.0/24 allow
>          access-control: 172.16.0.0/12 allow
>          access-control: 10.0.0.0/8 allow
>          access-control: 127.0.0.0/8 allow
>          #access-control: 0.0.0.0/0 refuse
>
>          #chroot: "/etc/unbound"
>          #username: "unbound"
>          #directory: "/etc/unbound"
>          logfile: "C:\unbound.log"
>          #use-syslog: yes
>          #logfile: ""
>          #use-syslog: no
>          #pidfile: "/etc/unbound/unbound.pid"
>          root-hints: "C:\Program Files\Unbound\named.cache"
>          server: auto-trust-anchor-file: "C:\Program Files\Unbound\root.key"
>          server: dlv-anchor-file: "C:\Program Files\Unbound\dlv.isc.org.key"
>          val-log-level: 2
>
>         # File with trusted keys for validation. Specify more than one file
>         # with several entries, one file per entry.
>         # Zone file format, with DS and DNSKEY entries.
>         # Note this gets out of date, use auto-trust-anchor-file please.
>         #trust-anchor-file: ""
>
>         # Harden against receiving dnssec-stripped data. If you turn it
>         # off, failing to validate dnskey data for a trustanchor will
>         # trigger insecure mode for that zone (like without a trustanchor).
>         # Default on, which insists on dnssec data for trust-anchored zones.
>         harden-dnssec-stripped: yes
>
>         identity: "DNS"
>         version: "1.4"
>         hide-identity: yes
>         hide-version: yes
>         harden-glue: no
>         do-not-query-address: 127.0.0.1/8
>         do-not-query-localhost: yes
>         module-config: "validator iterator"
>
> -----------------------------------
>
> When i ran the dig, I got the below output,
>
> C:\dig>dig com. SOA +dnssec +multiline
>
> ; <<>> DiG 9.2.3 <<>> com. SOA +dnssec +multiline
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 14, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;com.                   IN SOA
>
> ;; ANSWER SECTION:
> com.                    878 IN SOA a.gtld-servers.net.
> nstld.verisign-grs.com. (
>
>                                 1305905047 ; serial
>                                 1800       ; refresh (30 minutes)
>                                 900        ; retry (15 minutes)
>                                 604800     ; expire (1 week)
>                                 86400      ; minimum (1 day)
>                                 )
> com.                    878 IN TYPE46 \# 151 (
>                                 00060801000003844DDFC2174DD6772F8F6903636F6D
>                                 00B4491B54F5987CC2C80ED4C6C94F9AD856EB1BE3C1
>                                 34ACFD6AFA9651BCC29B4206C28F27FA342EA7A6EF38
>                                 24D06F2F3E88567E3C33836D81A6261B1012C9B66FC4
>                                 E6059621CF5F23AA3922120B2DA8351C7B64E682632F
>                                 33CB1DA9F2259F6CAA1CCD61446823FFB33C1CE5ECB1
>                                 3EBBED00281030ECEB97A331ECC0802DF9D889 )
>
> ;; AUTHORITY SECTION:
> com.                    172778 IN NS a.gtld-servers.net.
> com.                    172778 IN NS c.gtld-servers.net.
> com.                    172778 IN NS j.gtld-servers.net.
> com.                    172778 IN NS m.gtld-servers.net.
> com.                    172778 IN NS l.gtld-servers.net.
> com.                    172778 IN NS d.gtld-servers.net.
> com.                    172778 IN NS b.gtld-servers.net.
> com.                    172778 IN NS e.gtld-servers.net.
> com.                    172778 IN NS f.gtld-servers.net.
> com.                    172778 IN NS k.gtld-servers.net.
> com.                    172778 IN NS i.gtld-servers.net.
> com.                    172778 IN NS g.gtld-servers.net.
> com.                    172778 IN NS h.gtld-servers.net.
> com.                    172778 IN TYPE46 \# 151 (
>                                 000208010002A3004DDB30F54DD1E60D8F6903636F6D
>                                 0016A2B11A350932CEAF7999FE7BFB82DF31A1B4EBB0
>                                 3BB0F3C15E2D68C0568C3F2EEF8A7BC734C92FA5BA7F
>                                 18D64BF478942AA5436AABF08D66342720D103B292A4
>                                 D60A876FC6AE1D0FF23C15BDE9C4D3485FC1480DBAE8
>                                 2BC6A27C67E280A1836FB869850194F851CF53A1D7EB
>                                 F238FA9705E052D80311D0C31AE491255BCBB3 )
>
> ;; Query time: 15 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Fri May 20 20:54:59 2011
> ;; MSG SIZE  rcvd: 637
>
> My root.key file is below after updating the file using unbound-anchor,
>
> ; autotrust trust anchor file
> ;;id: . 1
> ;;last_queried: 1305905315 ;;Fri May 20 20:58:35 2011
> ;;last_success: 1305905315 ;;Fri May 20 20:58:35 2011
> ;;next_probe_time: 1305944244 ;;Sat May 21 07:47:24 2011
> ;;query_failed: 0
> ;;query_interval: 43200
> ;;retry_time: 8640
> .    172800    IN    DNSKEY    257 3 8 XXXXXXXXXXXXXXXXXX
>
>
> Please advise me of any documentation that will help me resolve the
> issue. I would be grateful if someone could point out the problem. Thanks in
> advance.
>
> Thanks,
> Cyril.
>
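Jan's point is that the "TYPE46 \# 151 (...)" records the old dig printed are RRSIGs shown in RFC 3597 unknown-type syntax. The following is an added example, not code from the thread, Unbound or BIND: it decodes that generic RDATA into the RRSIG fields of RFC 4034 and checks dig's flags line for the AD bit, using the first TYPE46 record from the thread as constructed input.

```python
import re
import struct

# RR type numbers the thread touches; 46 is what the old dig printed as "TYPE46".
TYPE_NAMES = {2: "NS", 6: "SOA", 46: "RRSIG", 48: "DNSKEY"}

def ad_flag_set(flags_line):
    """True if dig's ';; flags:' header line carries the Authentic Data (ad) bit."""
    m = re.search(r";;\s*flags:\s*([a-z ]*);", flags_line)
    return bool(m) and "ad" in m.group(1).split()

def parse_generic_rdata(text):
    """Turn RFC 3597 '\\# <len> <hex...>' presentation into bytes, checking the length."""
    m = re.match(r"\\#\s+(\d+)\s+([0-9A-Fa-f\s()]+)$", text.strip())
    if not m:
        raise ValueError("not RFC 3597 generic RDATA")
    raw = bytes.fromhex(re.sub(r"[\s()]", "", m.group(2)))
    if len(raw) != int(m.group(1)):
        raise ValueError(f"declared {m.group(1)} bytes, got {len(raw)}")
    return raw

def read_name(raw, offset):
    """Read an uncompressed wire-format name; returns (name, offset after it)."""
    labels = []
    while raw[offset] != 0:
        n = raw[offset]
        if n >= 0xC0:  # RFC 4034 3.1.7: the signer name must not be compressed
            raise ValueError("compressed signer name")
        labels.append(raw[offset + 1:offset + 1 + n].decode("ascii"))
        offset += 1 + n
    return ".".join(labels) + ".", offset + 1

def decode_rrsig(raw):
    """Split RRSIG RDATA (RFC 4034 3.1) into fixed fields, signer name and signature."""
    covered, alg, labels, ttl, exp, inc, tag = struct.unpack("!HBBIIIH", raw[:18])
    signer, sig_start = read_name(raw, 18)
    return {"type_covered": TYPE_NAMES.get(covered, f"TYPE{covered}"), "algorithm": alg,
            "labels": labels, "original_ttl": ttl, "expiration": exp, "inception": inc,
            "key_tag": tag, "signer": signer, "signature": raw[sig_start:]}

# Constructed input: the first TYPE46 record from the dig 9.2.3 output in the thread.
SOA_RRSIG_TEXT = r"""\# 151 ( 00060801000003844DDFC2174DD6772F8F6903636F6D
00B4491B54F5987CC2C80ED4C6C94F9AD856EB1BE3C1 34ACFD6AFA9651BCC29B4206C28F27FA342EA7A6EF38
24D06F2F3E88567E3C33836D81A6261B1012C9B66FC4 E6059621CF5F23AA3922120B2DA8351C7B64E682632F
33CB1DA9F2259F6CAA1CCD61446823FFB33C1CE5ECB1 3EBBED00281030ECEB97A331ECC0802DF9D889 )"""

if __name__ == "__main__":
    rec = decode_rrsig(parse_generic_rdata(SOA_RRSIG_TEXT))
    print(f"RRSIG over {rec['type_covered']} by {rec['signer']} key tag {rec['key_tag']}, "
          f"alg {rec['algorithm']}, {len(rec['signature'])}-byte signature")
    print("AD bit:", ad_flag_set(";; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1"))
```

The decoded record is a 1024-bit RSA/SHA-256 (algorithm 8) signature over the com. SOA by key tag 36713, which is what a current dig would print as an RRSIG line.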