Maintained by: NLnet Labs

[Unbound-users] Hunting down validation failure

Leo Baltus
Tue Feb 12 15:08:56 CET 2013


On 12/02/2013 at 13:57:45 +0000, Jan Komissar (jkomissa) wrote:
> The address of ip-lookup.resrepublic.nl. is 192.168.30.150, which is a private address. Did you set the 'private-address' configuration setting to disallow private addresses?
> 

Argh! You are completely right.

I was focussing on DNSSEC validation because of the 'no signatures' log
from unbound.

Thanks!

> > -----Original Message-----
> > From: unbound-users-bounces at unbound.net [mailto:unbound-users-
> > bounces at unbound.net] On Behalf Of Leo Baltus
> > Sent: Tuesday, February 12, 2013 5:06 AM
> > To: unbound-users at unbound.net
> > Subject: [Unbound-users] Hunting down validation failure
> > 
> > Hi,
> > 
> > We are running unbound-1.4.19 (ldns-1.6.16) now for 2 weeks and we
> > received our first complaint about a domain which we cannot explain:
> > 
> > 
> > Feb 12 09:32:48 idgit13 unbound: [19974:3] info: validation failure <ip-lookup.resrepublic.nl. A IN>: no signatures from 2001:14a0:100:6::53
> > Feb 12 09:33:36 idgit14 unbound: [30373:2] info: validation failure <ip-lookup.resrepublic.nl. A IN>: no signatures from 2a01:7c8:a::53
> > Feb 12 09:37:08 idgit13 unbound: [19974:2] info: validation failure <ip-lookup.resrepublic.nl. A IN>: no signatures from 80.69.67.67
> > Feb 12 09:45:57 idgit13 unbound: [19974:1] info: validation failure <ip-lookup.resrepublic.nl. A IN>: no signatures from 217.115.203.194
> > Feb 12 09:46:28 idgit14 unbound: [30373:1] info: validation failure <ip-lookup.resrepublic.nl. A IN>: no signatures from 80.69.69.69
> > Feb 12 10:16:28 idgit13 unbound: [19974:3] info: validation failure <ip-lookup.resrepublic.nl. A IN>: no signatures from 2a01:7c8:b::53
> > 
> > However using drill (ldns-1.6.16):
> > $ drill -DT -k root.key ip-lookup.resrepublic.nl
> > 
> > ;; No DNSKEY record found for ip-lookup.resrepublic.nl.
> > [T] ip-lookup.resrepublic.nl.       3600    IN      A       192.168.30.150
> > 
> > Because of firewall-restrictions and the inability to bind() drill to
> > an interface I am unable to run drill from the same machine as unbound
> > is running, it is also compiled on a slightly different version of
> > Fedora.
> > 
> > Could somebody please explain what is going on?
> > 
> > --
> > Leo Baltus, internetbeheerder                         /\
> > NPO ICT Internet Services                            /NPO/\
> > Sumatralaan 45, 1217 GP Hilversum, Filmcentrum, west \  /\/
> > servicedesk at omroep.nl, 035-6773555                    \/

-- 
Leo Baltus, internetbeheerder                         /\
NPO ICT Internet Services                            /NPO/\
Sumatralaan 45, 1217 GP Hilversum, Filmcentrum, west \  /\/
servicedesk at omroep.nl, 035-6773555                    \/
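
A check for the diagnosis reached in this thread, as an added example that is not part of the original messages: given a resolver's `private-address` and `private-domain` settings, it reports which addresses in an answer fall inside a configured private range, which is worth ruling out before chasing a "no signatures" validation failure as a DNSSEC problem. The configuration fragment and the `intranet.example` exemption are constructed; the thread does not show the actual unbound.conf.

```python
import ipaddress

# Constructed unbound.conf fragment; the thread does not show the real config.
SAMPLE_CONF = """
server:
    private-address: 10.0.0.0/8
    private-address: 172.16.0.0/12
    private-address: 192.168.0.0/16
    private-address: fd00::/8
    private-domain: "intranet.example"   # constructed exemption
"""

def parse_private_settings(conf_text):
    """Collect private-address networks and private-domain names."""
    nets, domains = [], []
    for raw in conf_text.splitlines():
        key, sep, value = raw.split("#", 1)[0].strip().partition(":")
        value = value.strip().strip('"')
        if not sep or not value:
            continue  # section headers such as "server:" and blank lines
        if key == "private-address":
            nets.append(ipaddress.ip_network(value, strict=False))
        elif key == "private-domain":
            domains.append(value.lower().rstrip("."))
    return nets, domains

def is_exempt(qname, domains):
    """True if qname equals or is a subdomain of a private-domain entry."""
    name = qname.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in domains)

def stripped_addresses(qname, addresses, nets, domains):
    """Return the answer addresses that fall inside a private-address range."""
    if is_exempt(qname, domains):
        return []
    hits = []
    for text in addresses:
        addr = ipaddress.ip_address(text)
        if any(addr.version == n.version and addr in n for n in nets):
            hits.append(text)
    return hits

if __name__ == "__main__":
    nets, domains = parse_private_settings(SAMPLE_CONF)
    # Name and address are the ones from the drill output in the thread.
    print(stripped_addresses("ip-lookup.resrepublic.nl.", ["192.168.30.150"], nets, domains))
```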