Maintained by: NLnet Labs

[Unbound-users] dfas.mil DNSSEC Failure

Phil Mayers
Fri Jun 28 16:37:37 CEST 2013


On 28/06/13 15:18, W.C.A. Wijngaards wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi Ehren,
>
> On 06/28/2013 03:47 PM, Ehren Hawks wrote:
>> Yesterday a customer of ours reported they couldn’t get to
>> *mypay.dfas.mil*. Upon looking into it I see both of my Unbound
>> servers are returning SERVFAIL. Given the type of site this is I
>> suspected this to be a possible DNSSEC issue. I verified there’s an
>> issue here:
>
> Unbound checks that the chain of trust uses the correct algorithm, as
> advertised by the DS record.  The DS record advertises algorithm 7
> (only).  The DNSKEY record set has keys for 7 and 8.  The MX record is
> signed with only 8.
>
> Unbound is strict here, the DS record states that this chain of trust
> must be present (MUST in the RFC).  It is not, bogus.

Does the RFC really intend to enforce that algo transition can only take 
place at a DS record, even with valid DNSKEY/RRSIG pairs all the way down?
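The algorithm check Wouter describes in the quoted message above, as an added example that is not part of the original thread and not Unbound's own code: a small Python model of the rule in RFC 4035 section 2.2 (every RRset must carry an RRSIG for each algorithm the parent's DS advertises and a matching DNSKEY exists for). It does no cryptography and only tracks algorithm numbers; the `ChainOfTrust` type, the function names and the `*_CASE` inputs are all constructed here to mirror the thread (DS lists 7 only, DNSKEY has 7 and 8, the MX RRset is signed with 8 only).

```python
from dataclasses import dataclass

# Assumption: this is a simplified model of the validator rule, tracking only
# which algorithm numbers sign which RRset.  Real validators also verify the
# signatures themselves; that part is deliberately left out.

RSASHA1_NSEC3_SHA1 = 7   # algorithm number 7 (RSA/SHA-1, NSEC3 variant)
RSASHA256 = 8            # algorithm number 8 (RSA/SHA-256)


@dataclass
class ChainOfTrust:
    ds_algorithms: set          # algorithms listed in the parent's DS RRset
    dnskey_algorithms: set      # algorithms present in the zone apex DNSKEY RRset
    rrsig_algorithms: dict      # RRset label -> set of algorithms with an RRSIG over it


def required_algorithms(chain):
    """Algorithms every RRset in the zone must be signed with: those the DS
    advertises that also have a matching apex DNSKEY.  (RFC 4035 s2.2.)"""
    return chain.ds_algorithms & chain.dnskey_algorithms


def validate(chain):
    """Return ("secure", reason) or ("bogus", reason) for the modelled chain."""
    required = required_algorithms(chain)
    if not required:
        return ("bogus", "no DS-advertised algorithm has a matching DNSKEY")
    for label, sig_algs in chain.rrsig_algorithms.items():
        missing = required - sig_algs
        if missing:
            return ("bogus",
                    f"{label} has no RRSIG by required algorithm(s) {sorted(missing)}")
    return ("secure", "every RRset is signed by each DS-advertised algorithm")


# Constructed sample mirroring the thread: DS says 7 only, keys for 7 and 8,
# DNSKEY RRset signed with both, MX RRset signed with 8 only.
THREAD_CASE = ChainOfTrust(
    ds_algorithms={RSASHA1_NSEC3_SHA1},
    dnskey_algorithms={RSASHA1_NSEC3_SHA1, RSASHA256},
    rrsig_algorithms={
        "dfas.mil DNSKEY": {RSASHA1_NSEC3_SHA1, RSASHA256},
        "dfas.mil MX": {RSASHA256},
    },
)

# Constructed sample of the same zone once the MX RRset is also signed with 7.
FIXED_CASE = ChainOfTrust(
    ds_algorithms={RSASHA1_NSEC3_SHA1},
    dnskey_algorithms={RSASHA1_NSEC3_SHA1, RSASHA256},
    rrsig_algorithms={
        "dfas.mil DNSKEY": {RSASHA1_NSEC3_SHA1, RSASHA256},
        "dfas.mil MX": {RSASHA1_NSEC3_SHA1, RSASHA256},
    },
)

# Constructed sample of a completed rollover: DS now advertises 8 as well, so
# both algorithms become required for every RRset.
ROLLOVER_CASE = ChainOfTrust(
    ds_algorithms={RSASHA1_NSEC3_SHA1, RSASHA256},
    dnskey_algorithms={RSASHA1_NSEC3_SHA1, RSASHA256},
    rrsig_algorithms={
        "dfas.mil DNSKEY": {RSASHA1_NSEC3_SHA1, RSASHA256},
        "dfas.mil MX": {RSASHA256},
    },
)

if __name__ == "__main__":
    for name, case in (("thread", THREAD_CASE), ("fixed", FIXED_CASE),
                       ("rollover", ROLLOVER_CASE)):
        print(name, *validate(case))
```

Running the block prints `bogus` for the thread case (the MX RRset lacks an algorithm 7 signature), `secure` once the MX RRset is signed with 7 as well, and `bogus` again for the rollover case, because adding 8 to the DS makes both algorithms required until every RRset is double-signed. The practical consequence for an operator is that the new algorithm's signatures have to be present on every RRset before the DS is changed, and the old algorithm's signatures have to stay until the old DS is gone.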