Maintained by: NLnet Labs

[Unbound-users] faa.gov is not resolvable using DNSSEC resolver.

Andreas Schulze
Tue Oct 11 08:18:13 CEST 2011


Am 10.10.2011 19:22 schrieb James Cloos:
> Oct 10 23:20:31 [unbound] [1461:0] info: reply from <faa.gov.> 155.178.206.21#53
> Oct 10 23:20:31 [unbound] [1461:0] info: query response was ANSWER
> Oct 10 23:20:31 [unbound] [1461:0] info: Did not match a DS to a DNSKEY, thus bogus.
> Oct 10 23:20:31 [unbound] [1461:0] info: Could not establish a chain of trust to keys for faa.gov. DNSKEY IN
> Oct 10 23:20:31 [unbound] [1461:0] info: validation failure www.faa.gov. A IN

Hello,

I like to ask how to handle such problems on a productive resolver.
If a domain is unresolvable, common reasons are
 - the remote site does not handle capitalisation correct.
 - dnssec is broken
 - a bug in unbound

the first can only be fixed by the remote site. If they dont, the domain
stays unresolvabel. Usually my user complain "at home it works!"
Of cource: at home the do not use unbound ...

the second case could be an mtu problem at the local site or misconfigured
dnssec at the remote site.

A bug must be found and fixed. After that a new version mus be tested at
the local site and productive systems must be updated.

That may took days or weeks. The enduser cannot access the domain.

I suggest a lookuptable inside unbound to disable some functions makeing
a domain unresolvable. Lookup key coud be a domain or a server. Lookup result
could be a list of disables functions:
 - do not use capitalisation
 - do not use edns
 - do not use tcp
 - thread domain like unsigned

The last one is implemented with the "domain-insecure" statement.
But for all other problems I have no solution today.

-- 
Andreas Schulze
Internetdienste | P252

DATEV eG
90329 Nürnberg | Telefon +49 911 319-0 | Telefax +49 911 319-3196
E-Mail info @datev.de | Internet www.datev.de
Sitz: 90429 Nürnberg, Paumgartnerstr. 6-14 | Registergericht Nürnberg, GenReg Nr.70
Vorstand
Prof. Dieter Kempf (Vorsitzender)
Dipl.-Kfm. Wolfgang Stegmann (stellvertretender Vorsitzender)
Dipl.-Kfm. Michael Leistenschneider
Dipl.-Kfm. Dr. Robert Mayr
Jörg Rabe v. Pappenheim
Dipl.-Vw. Eckhard Schwarzer
Vorsitzender des Aufsichtsrates: Reinhard Verholen