Maintained by: NLnet Labs

[Unbound-users] Can't find domainname

W.C.A. Wijngaards
Wed Aug 22 14:46:13 CEST 2012


Hi Michiel,

On 08/22/2012 01:45 PM, Michiel Piscaer wrote:
> Hi,
> 
> We can't reach the domainname gruintjes.nl, when we look into the 
> logging with verbosity: 2 we got the following messages:

val-log-level: 2 shows a detailed error, here

validation failure <gruintjes.nl. A IN>: No DNSKEY record from
217.170.1.241 for key gruintjes.nl. while building chain of trust

> 
> We are using unbound version 1.4.16.
> 
> When we sniff the packet we do not see any problems except that the 
> nameservers ns1.hix.nl and ns2.hix.nl are mentioned 8 times in the 
> additional section, also the nameserver ns-3.eu. is not
> responding.

There is a gruintjes.nl DS record, but the nameservers do not have any
DNSSEC information at all.  I should say, the answers that I got did
not contain any DNSSEC, some imposter must have removed them and
therefore it is considered false information.  But I surmise that this
is a configuration problem of gruintjes.nl : enabled DNSSEC with a DS
record in the parent but does have DNSSEC records in the zone.

> But I do not think that this would be the problem.
> 
> So I can't find the solution on this problem?

Can you get "hix.nl" to sign gruintjes.nl (they must have this planned
since there is a DS record).  Or remove the DS record.

Normally, you first sign the domain, then publish the DNSSEC records,
and only then put the DS up.

(to make your life happier, if you decide to remove the DS record, the
domain name will likely start to work very quickly (with a much lower
TTL than usual): because of the DNSSEC-bogus indication, unbound keeps
fetching fresh data for this name frequently (BIND has similar
behaviour)).

If you have no way to engage with hix or mr.gruintjes, then there is
the config option domain-insecure: "gruintjes.nl" that would instruct
unbound to ignore DNSSEC for the domain name.

Best regards,
   Wouter
