Maintained by: NLnet Labs

[Unbound-users] Help troubleshooting validation failures on ca.gov domains.

Augie Schwer
Thu Mar 22 01:24:21 CET 2012


If anyone could help shed some light on why I'm seeing validation
failures for the ca.gov domain I would really appreciate it.

Unbound 1.4.16 -- started seeing these in the logs:

Mar 21 14:52:23 a unbound: [7326:0] info: validation failure <www.ca.gov. A IN>: signatures from unknown keys from 134.186.254.247

The domain validates fine using http://dnsviz.net/d/ca.gov/dnssec/

And 'drill' on the same box validates the domain just fine, details
down below for clarity.

I've enabled "val-permissive-mode", so that I can continue to see
errors, but don't have to pull the server out of the pool.

Again, any help in figuring out what is going on would be greatly appreciated.

--Augie


# drill -k /var/unbound/root.key -T ca.gov A
;; Number of trusted keys: 1
;; Domain: .
[T] . 172800 IN DNSKEY 256 3 8 ;{id = 56158 (zsk), size = 1024b}
. 172800 IN DNSKEY 257 3 8 ;{id = 19036 (ksk), size = 2048b}
. 172800 IN DNSKEY 256 3 8 ;{id = 51201 (zsk), size = 1024b}
Checking if signing key is trusted:
New key: .	172800	IN	DNSKEY	256 3 8
AwEAAZ/NErKzyMlImJ+2HTmK9qeH2sLUywlsF+mJbTP5GKoYFHoU2vn2Zqr261Lk7a6jfBKYny5GX7BDRJcVvig36TgOinE9QP5KVS0RxdrOl98gKLwFMORfNf/wjCwjPdEl1GgaGYl0npJ4c+x+o6aa/xmDKJo9zUlpvb7BLxbJ7HwF
;{id = 51201 (zsk), size = 1024b}
	Trusted key: .	172800	IN	DNSKEY	257 3 8
AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=
;{id = 19036 (ksk), size = 2048b}
	Trusted key: .	172800	IN	DNSKEY	256 3 8
AwEAAbd0IPTQdvyndWSX6HHcB+JycMl1aCGTHSJUBs/y9S93el05VvXg1VqSF4vveB9rEuAZ1z8RNWZ9ac+rlaK7PrI5RlCIyKKPbtHbpgQGkwai8O6BZ4J/ch7DGuhGJfvoECcWjsucs683WFRtmfLx5WNdPxxi30Czt1zPqMWfY6YJ
;{id = 56158 (zsk), size = 1024b}
	Trusted key: .	172800	IN	DNSKEY	257 3 8
AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=
;{id = 19036 (ksk), size = 2048b}
	Trusted key: .	172800	IN	DNSKEY	256 3 8
AwEAAZ/NErKzyMlImJ+2HTmK9qeH2sLUywlsF+mJbTP5GKoYFHoU2vn2Zqr261Lk7a6jfBKYny5GX7BDRJcVvig36TgOinE9QP5KVS0RxdrOl98gKLwFMORfNf/wjCwjPdEl1GgaGYl0npJ4c+x+o6aa/xmDKJo9zUlpvb7BLxbJ7HwF
;{id = 51201 (zsk), size = 1024b}
Key is now trusted!
[T] gov. 86400 IN DS 53138 7 1 35d81501cc594683875872282fe73054cfe619de
gov. 86400 IN DS 53138 7 2 5aec256412bc1fec92b8fddb4493b585e9406541cf8c952bfe6e27acb3a20766
;; Domain: gov.
[T] gov. 86400 IN DNSKEY 256 3 7 ;{id = 35464 (zsk), size = 2048b}
gov. 86400 IN DNSKEY 256 3 7 ;{id = 23239 (zsk), size = 2048b}
gov. 86400 IN DNSKEY 257 3 7 ;{id = 53138 (ksk), size = 2048b}
Checking if signing key is trusted:
New key: gov.	86400	IN	DNSKEY	256 3 7
AQO7WIex4rhh3ixp+U2kj8rNv61syyX8mbhBnldxZRPEMVFifoh1r0tNYOn8STzm1lEHjW3fU35G8NQHcdeFZe4nubogpA31ttUfI8ftaXYQSpI4JgyNW0bjBxt3IullpJv2tVvTb3/ZFRq8ddrJTVxCPPJz3ycA7Wa2GF948Dy85EH0q4pwzVLzKytKaOsAVLWHHA6KuPYreNLTqUv7zmdTIZ8uOICvhpsmgh8iPapHkS3yBr70TbIZnnMkr739J9PqaksrQh567tBwi0RDpIbs1XPDsqTeQoOBWwaQx7OAxRPKFEjHHbi2fucZjWqVNDZNGx9qA33QEs8cxI415sUp
;{id = 35464 (zsk), size = 2048b}
	Trusted key: .	172800	IN	DNSKEY	257 3 8
AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=
;{id = 19036 (ksk), size = 2048b}
	Trusted key: .	172800	IN	DNSKEY	256 3 8
AwEAAbd0IPTQdvyndWSX6HHcB+JycMl1aCGTHSJUBs/y9S93el05VvXg1VqSF4vveB9rEuAZ1z8RNWZ9ac+rlaK7PrI5RlCIyKKPbtHbpgQGkwai8O6BZ4J/ch7DGuhGJfvoECcWjsucs683WFRtmfLx5WNdPxxi30Czt1zPqMWfY6YJ
;{id = 56158 (zsk), size = 1024b}
	Trusted key: .	172800	IN	DNSKEY	257 3 8
AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=
;{id = 19036 (ksk), size = 2048b}
	Trusted key: .	172800	IN	DNSKEY	256 3 8
AwEAAZ/NErKzyMlImJ+2HTmK9qeH2sLUywlsF+mJbTP5GKoYFHoU2vn2Zqr261Lk7a6jfBKYny5GX7BDRJcVvig36TgOinE9QP5KVS0RxdrOl98gKLwFMORfNf/wjCwjPdEl1GgaGYl0npJ4c+x+o6aa/xmDKJo9zUlpvb7BLxbJ7HwF
;{id = 51201 (zsk), size = 1024b}
	Trusted key: gov.	86400	IN	DNSKEY	256 3 7
AQO7WIex4rhh3ixp+U2kj8rNv61syyX8mbhBnldxZRPEMVFifoh1r0tNYOn8STzm1lEHjW3fU35G8NQHcdeFZe4nubogpA31ttUfI8ftaXYQSpI4JgyNW0bjBxt3IullpJv2tVvTb3/ZFRq8ddrJTVxCPPJz3ycA7Wa2GF948Dy85EH0q4pwzVLzKytKaOsAVLWHHA6KuPYreNLTqUv7zmdTIZ8uOICvhpsmgh8iPapHkS3yBr70TbIZnnMkr739J9PqaksrQh567tBwi0RDpIbs1XPDsqTeQoOBWwaQx7OAxRPKFEjHHbi2fucZjWqVNDZNGx9qA33QEs8cxI415sUp
;{id = 35464 (zsk), size = 2048b}
Key is now trusted!
	Trusted key: gov.	86400	IN	DNSKEY	256 3 7
BQEAAAABvSN63WSZXqKpkUlpHZjtvhZqgTTXwS+ayt8E/0AuuXvEuFOkUzUqyUahwSdhbds2aLWJK4Gg7Z0huM/hAnqgvMxpRgY9wyJ0oh5UuO3XpAChAEups6ufY7M/+16lHpkbjQgw45o3t/AOFrxhjAUOA4PR21P7JmkofhMFmnhLnrou9fK+704kr/5uq19xZ1nClCZd+Awtt7mgArePJ0k6HDbScXY9hjr6uwKwbx8Dji+nCajkxBHatAFLz8G0z0lCN3VSnMSrw7U+nNpLzUBcGB8oYAyHV2MoxQFPm8z+b8fZemT5kXftn/XdEbS4qrG48czluD56ESUSQ+z9p4AGLw==
;{id = 23239 (zsk), size = 2048b}
	Trusted key: gov.	86400	IN	DNSKEY	257 3 7
AQO7tpGcHVEdeAwk47cj6Tuc3dvAUktIQ1vMu8mGtGYQ8F6vSOgViE0tmzPtVFrV9E6kY1jLYCh+oKPWn7efpQVMkqc+2b9ECYk/81fA4Vb0BfyYKKhiW7T1uNX4rC03JZa2u8iOHwqq4BRVplksFXCGn47i2Sosa5KuqCNBqUA0oyPTEbxkyNo3Q6l8ZcscILqbvWZ0BJKaLCTtj08Nj35LTqd/XVoEObp48A21Pqyi6Kiblh9H6NoLtqhlvP5+8AujtINJ+sTUQZYgqt9iFQp2AH4HvyJdw8Vkr1QRhhshq6RgRidnOvTIWZKoe4QHQrvmOfW245zv+22Iuu5rYpcl
;{id = 53138 (ksk), size = 2048b}
[T] ca.gov. 86400 IN DS 59151 7 1 b944a2ddc6320e245b9b897e8238b1b850b22344
ca.gov. 86400 IN DS 59151 7 2 c229cd687bedbbf4908b9bceee0239007abd77f9b66ae2d1e16b59e47ee19282
;; Domain: ca.gov.
[T] ca.gov. 172800 IN DNSKEY 257 3 7 ;{id = 59151 (ksk), size = 2048b}
ca.gov. 172800 IN DNSKEY 256 3 8 ;{id = 60459 (zsk), size = 1024b}
[T] ca.gov.	86400	IN	A	134.186.200.20
;;[S] self sig OK; [B] bogus; [T] trusted



-- 
Augie Schwer    -    Augie at Schwer.us    -    http://schwer.us
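
An added example, not part of the original message: it reads the DS and DNSKEY summary lines of the drill trace above and flags zones whose DNSKEY algorithm numbers differ from those in the parent DS, a relationship that RFC 4035 section 2.2 constrains and that validators do not all enforce equally strictly. The function names are hypothetical, and the result is a diagnostic hint, not a confirmed cause of the failure reported here.

```python
import re
from collections import defaultdict

# Summary lines copied from the drill trace in the message above
# (base64 key material left out).
TRACE = """\
[T] gov. 86400 IN DS 53138 7 1 35d81501cc594683875872282fe73054cfe619de
[T] gov. 86400 IN DNSKEY 256 3 7 ;{id = 35464 (zsk), size = 2048b}
gov. 86400 IN DNSKEY 256 3 7 ;{id = 23239 (zsk), size = 2048b}
gov. 86400 IN DNSKEY 257 3 7 ;{id = 53138 (ksk), size = 2048b}
[T] ca.gov. 86400 IN DS 59151 7 1 b944a2ddc6320e245b9b897e8238b1b850b22344
[T] ca.gov. 172800 IN DNSKEY 257 3 7 ;{id = 59151 (ksk), size = 2048b}
ca.gov. 172800 IN DNSKEY 256 3 8 ;{id = 60459 (zsk), size = 1024b}
"""

# Optional "[T]" marker, owner, TTL, class, type, then three numeric fields.
RR = re.compile(
    r"^(?:\[\w\]\s+)?(\S+)\s+\d+\s+IN\s+(DS|DNSKEY)\s+(\d+)\s+(\d+)\s+(\d+)")


def algorithms_by_zone(trace):
    """Collect DS, KSK and ZSK algorithm numbers per zone from a drill trace."""
    zones = defaultdict(lambda: {"ds": set(), "ksk": set(), "zsk": set()})
    for line in trace.splitlines():
        m = RR.match(line.strip())
        if not m:
            continue
        owner, rtype, f1, f2, f3 = m.groups()
        if rtype == "DS":
            zones[owner]["ds"].add(int(f2))         # key tag, ALGORITHM, digest
        else:
            role = "ksk" if int(f1) & 1 else "zsk"  # SEP bit: 257 vs 256
            zones[owner][role].add(int(f3))         # flags, protocol, ALGORITHM
    return zones


def algorithm_mismatches(trace):
    """Return {zone: [findings]} for zones whose keys disagree with their DS."""
    findings = {}
    for zone, algs in algorithms_by_zone(trace).items():
        if not algs["ds"]:
            continue  # no DS seen, e.g. the trust-anchored root
        issues = []
        extra = (algs["ksk"] | algs["zsk"]) - algs["ds"]
        if extra:
            issues.append(f"DNSKEY algorithm(s) {sorted(extra)} not in parent DS")
        missing = algs["ds"] - algs["zsk"]
        if algs["zsk"] and missing:
            issues.append(f"no ZSK with DS algorithm(s) {sorted(missing)}")
        if issues:
            findings[zone] = issues
    return findings
```

On the trace above, only ca.gov. is flagged: its DS and KSK use algorithm 7 while its only ZSK uses algorithm 8.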