Maintained by: NLnet Labs

[Unbound-users] Cascading Unbound and automatic key update

W.C.A. Wijngaards
Tue Jan 10 15:59:11 CET 2012



Hi Andreas,

On 01/10/2012 03:43 PM, lst_hoe02 at kwsoft.de wrote:
> Hello
> 
> we have an internal unbound cache using a second unbound instance at
> the border firewall to do DNS resolution with DNSSEC enabled. Today
> our internal unbound stopped working with errors like this:
> 
> Jan 10 14:33:53 mailer unbound: [27958:0] info: validation failure <www.at-web.de. A IN>: no DNSSEC records from x.x.x.x for DS at-web.de. while building chain of trust
> Jan 10 14:33:53 mailer unbound: [27958:0] info: validation failure <www.heise.de. A IN>: no DNSSEC records from x.x.x.x for DS heise.de. while building chain of trust

So, what it looked like for this server was that dig @x.x.x.x DS
heise.de +dnssec +norec +cdflag did not return any DNSSEC data.

As if there were fragmentation problems.  And since it was internal
there are extra firewalls or routers for that sort of thing to occur.

> The instance at the border firewall has no errors in the log and
> works fine all the time. After restarting the internal instance, it
> is also working fine again. The auto-trust-anchor-file of the
> internal instance has a timestamp from the restart of the instance,
> so I suspect something went wrong with the update of this file, but
> I have no clue why the restart cured it.

No, the timestamp was probably written right when you restarted it,
because it is written when the root DNSKEY is seen.  When you restart
it, the cache is empty and it fetches the root DNSKEY, and thus
updates the file to note that it saw the root key.

> 
> Both instances are Unbound version 1.4.14 with auto-trust-anchor 
> enabled. The forwarding from internal to firewall instance is done
> this way:
> 
> forward-zone:
>     name: "."
>     forward-addr: x.x.x.x

This looks fine.

> What can we do to debug this problem and prevent it from happening
> again?

There is something happening with UDP.  There seems to be nothing wrong
with the key files.  The error is that somehow it gets no DNSSEC data
(EDNS backoff, or messages arrive 'stripped' of DNSSEC data).

Best regards,
   Wouter
