Maintained by: NLnet Labs

[Unbound-users] Persistent validation failure on several sites

Wendi Chen
Mon Dec 9 14:21:01 CET 2013


Hi Wouter,

Thank you for your investigation and explanation. I tried dig +cdflag and it gets answers very well. Later, we experienced such kinds of transient problems when using dig only. Since it is not an unbound bug, we will ignore them.

Best,
Wendi

> Date: Mon, 2 Dec 2013 09:34:48 +0100
> From: wouter at nlnetlabs.nl
> To: unbound-users at unbound.net
> Subject: Re: [Unbound-users] Persistent validation failure on several sites
> 
> Hi Wendi,
> 
> I receive answers for them.  Your dig contacted unbound itself.  You
> should set dig +cdflag so you can see the dnssec invalid answers that
> unbound has, or set dig to probe the other servers.
> 
> sirius-soft.at seems to have retracted its DS record and is now
> insecure - I guess something was wrong for them.
> 
> rellim.com has faulty algorithm rollover - they publish DS records
> algorithms 5 and 7, and have DNSKEYs 7 and 8.  There are no keys of
> type 5... This breaks resolution for unbound.  Other software has a
> more lenient view on algorithm rollover and keys.  And it goes back to
> a debate about whether one key is enough or if you want to check all
> available algorithms; it advertises algorithm 5 and thus it must
> provide a chain of trust for algorithm 5.
> 
> Best regards,
>    Wouter
> 
> 
> On 11/29/2013 06:24 PM, Wendi Chen wrote:
> > Hi All,
> > 
> > We consistently receive the following unbound logs:
> > 
> > 131127 17:48:33 unbound: [5694:0] info: validation failure d.t10000.u6860931751.s1385574322.i1009.v6022.503b8.z.dotnxdomain.net. A IN
> > 131127 17:51:28 unbound: [5694:0] info: validation failure ns2.sirius-soft.at. A IN
> > 131127 17:51:28 unbound: [5694:0] info: validation failure ns1.sirius-soft.at. A IN
> > 131127 17:51:28 unbound: [5694:0] info: validation failure ns3.sirius-soft.at. A IN
> > 131127 17:51:45 unbound: [5694:1] info: validation failure ns2.sirius-soft.at. A IN
> > 131127 17:52:02 unbound: [5694:1] info: validation failure ns3.sirius-soft.at. A IN
> > 131127 17:52:35 unbound: [689:0] info: validation failure rellim.com. A IN
> > 131127 17:52:36 unbound: [21479:0] info: validation failure rellim.com. A IN
> > 131127 17:52:46 unbound: [5694:0] info: validation failure rellim.com. A IN
> > 131127 17:52:46 unbound: [5694:0] info: validation failure rellim.com. NS IN
> > 131127 17:52:46 unbound: [5694:0] info: validation failure ns1.rellim.com. A IN
> > 131127 17:52:46 unbound: [689:1] info: validation failure rellim.com. A IN
> > 131127 17:52:48 unbound: [21479:1] info: validation failure rellim.com. A IN
> > 131127 17:52:48 unbound: [21479:1] info: validation failure rellim.com. NS IN
> > 131127 17:52:48 unbound: [21479:1] info: validation failure ns2.rellim.com. AAAA IN
> > 131127 17:52:48 unbound: [21479:1] info: validation failure ns1.rellim.com. A IN
> > 
> > Is it a bug in unbound or a problem with the DNS configuration of
> > those sites?
> > 
> > I ran dig commands on those sites and found all of them returned no
> > answers.
> > 
> > For example,
> > wendi: dig rellim.com
> > 
> > ; <<>> DiG 9.9.3-rl.13207.22-P2-RedHat-9.9.3-5.P2.fc19 <<>> rellim.com
> > ;; global options: +cmd
> > ;; Got answer:
> > ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 52216
> > ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
> > 
> > ;; OPT PSEUDOSECTION:
> > ; EDNS: version: 0, flags:; udp: 4096
> > ;; QUESTION SECTION:
> > ;rellim.com.                    IN      A
> > 
> > ;; Query time: 840 msec
> > ;; SERVER: 192.168.58.1#53(192.168.58.1)
> > ;; WHEN: Fri Nov 29 12:20:38 EST 2013
> > ;; MSG SIZE  rcvd: 39
> > 
> > Thank you if you can give me some advice.
> > 
> > Best, Wendi
> > 
> > 
> > _______________________________________________ Unbound-users
> > mailing list Unbound-users at unbound.net 
> > http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
> > 
> 
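The algorithm mismatch described in the quoted reply (DS records with algorithms 5 and 7, DNSKEYs with algorithms 7 and 8), as an added example that is not part of the original thread and not Unbound's code. It is a simplified model that compares algorithm numbers only, with no key tag, digest or signature checks; the zone name, key tags, digests and keys are constructed placeholders.

```python
# Added example: simplified model of the DS/DNSKEY algorithm check discussed
# in the thread. Not Unbound's validator. All records below are constructed.
DS_RRSET = """\
zone.example. 3600 IN DS 11111 5 1 PLACEHOLDERDIGEST
zone.example. 3600 IN DS 22222 7 1 PLACEHOLDERDIGEST
"""
DNSKEY_RRSET = """\
zone.example. 3600 IN DNSKEY 257 3 7 PLACEHOLDERKEY
zone.example. 3600 IN DNSKEY 257 3 8 PLACEHOLDERKEY
zone.example. 3600 IN DNSKEY 256 3 8 PLACEHOLDERKEY
"""

def rdata(text, rrtype):
    """Yield the rdata fields of each `rrtype` record in dig answer format
    (name TTL class type rdata...). Comment lines and RRSIGs are skipped."""
    for line in text.splitlines():
        fields = line.split(";", 1)[0].split()
        if len(fields) > 4 and fields[3] == rrtype:
            yield fields[4:]

def check_algorithms(ds_text, dnskey_text):
    """Compare algorithms signalled by the parent (DS) with those in the child (DNSKEY)."""
    ds_algs = {int(f[1]) for f in rdata(ds_text, "DS")}          # keytag ALG digesttype digest
    key_algs = {int(f[2]) for f in rdata(dnskey_text, "DNSKEY")}  # flags proto ALG key
    return {
        "ds_without_dnskey": sorted(ds_algs - key_algs),
        "usable": sorted(ds_algs & key_algs),
        "dnskey_without_ds": sorted(key_algs - ds_algs),
    }

def verdict(report, strict=True):
    """strict: every algorithm in the DS set needs a DNSKEY (the view in the reply).
    lenient: one DS algorithm with a matching DNSKEY is enough."""
    if not report["usable"] and not report["ds_without_dnskey"]:
        return "insecure"  # no DS at the parent: zone is treated as unsigned
    if not report["usable"]:
        return "bogus"
    if strict and report["ds_without_dnskey"]:
        return "bogus"
    return "secure"

if __name__ == "__main__":
    report = check_algorithms(DS_RRSET, DNSKEY_RRSET)
    print(report)
    print("strict:", verdict(report, True), "| lenient:", verdict(report, False))
```

Running the same comparison on the DS and DNSKEY answers from `dig +cdflag` shows whether a SERVFAIL from the resolver comes from a rollover like this one rather than from the resolver itself.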