Maintained by: NLnet Labs

[Unbound-users] Possible unbound bug with wild card results

Erinn Looney-Triggs
Wed Mar 20 21:55:27 CET 2013


There is a bugzilla open about a similar issue:
https://bugzilla.redhat.com/show_bug.cgi?id=824219, but from my
reading it looks like it went off in another direction.

The issue I am running into comes in when resolving fedorapeople.org
domains, which are DLV signed. Specifically fkooman.fedorapeople.org, but
any other *.fedorapeople.org domain seems to fail, and only with unbound
in my testing thus far. Straight bind will return the result.

When attempting to resolve I get this in the logs:

unbound: [1005:1] info: validation failure fkooman.fedorapeople.org. A IN

Running directly against bind we get the result as expected:
dig fkooman.fedorapeople.org +dnssec

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6.3 <<>> fkooman.fedorapeople.org +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57589
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;fkooman.fedorapeople.org.      IN      A

;; ANSWER SECTION:
fkooman.fedorapeople.org. 56    IN      A       152.19.134.191
fkooman.fedorapeople.org. 56    IN      RRSIG   A 5 2 60 20130418182632 20130319182632 378 fedorapeople.org.
7YhhtMeCLSq1wIYnWW3gQvL1hIKnYLO0ffIEQbhKPJ0dSadnipAxxSiJ
k8pY2VwvvvNZ+bJoX3PYJAG/jmA7uUnYuK/Zx0OUjkU+Fmc7dOSBlQJp
+ikA73Lcv2KjBF0Nbq4LFG11O8MDOdDi1zZ8XrYCdlQkS/PqKoZzcX9m b+A=

;; AUTHORITY SECTION:
*.fedorapeople.org.     56      IN      NSEC    fedorapeople.org. A AAAA RRSIG NSEC
*.fedorapeople.org.     56      IN      RRSIG   NSEC 5 2 86400 20130418182632 20130319182632 378 fedorapeople.org.
8DbC9OUD7p+274jhuNpJJA7SgTgCk3ArqaPE5dj/raZNvJcC5Wd1eoiH
72nxwdpyyfX3szQa1iq82/jmfMzohQ45MFK+nNusJMysjlkmGnkZQjKp
MqBAuQBQ2WosUOfwG290TTGiXRiapvYVw15odvsTL4wKHzEcYmRbtbnq WyU=


You can get a nice break down of the signing here:
http://dnsviz.net/d/fkooman.fedorapeople.org/dnssec/

My guess is that it has to do with the *.fedorapeople.org record, but I
am no expert, or perhaps DLV plays into it? There aren't many sites that
I know of to compare this to.

Can anyone else confirm or deny this issue with their unbound?

Thanks,
-Erinn

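The dig output in the post carries the two pieces of evidence a DNSSEC validator needs for a wildcard-synthesized positive answer: the RRSIG "labels" field (2) is smaller than the label count of the owner name fkooman.fedorapeople.org (3), which tells the validator the A record was expanded from *.fedorapeople.org, and the NSEC in the authority section must then prove that no closer match for the query name exists (RFC 4035 section 5.3.4, with canonical ordering from RFC 4034 section 6.1). The following script, an added example that is not part of the original post and not Unbound's or BIND's code, applies those two structural checks to the records from the post (the labels field, NSEC owner and next-name are taken from the output above; signatures are omitted because no cryptographic verification is done). It is a way to narrow down whether the wildcard proof itself is malformed before suspecting the DLV path.

```python
"""Structural checks for a DNSSEC wildcard-expanded answer.

Added example, not code from the original post or from Unbound/BIND.
Input values below are constructed from the dig output in the post.
No RRSIG cryptography is checked, only the wildcard/NSEC logic.
"""


def labels(name):
    """Split a fully-qualified name into its labels, root label omitted."""
    name = name.rstrip(".")
    return name.split(".") if name else []


def canonical_key(name):
    """Sort key for DNSSEC canonical ordering (RFC 4034 6.1): compare
    labels from the root downwards, each label as lowercase bytes, so a
    parent name sorts before any of its children."""
    return [lbl.lower().encode() for lbl in reversed(labels(name))]


def wildcard_source(owner, rrsig_labels):
    """Return the wildcard an RRset was synthesized from, or None when the
    RRSIG labels field equals the owner's label count (no wildcard)."""
    owner_labels = labels(owner)
    if rrsig_labels == len(owner_labels):
        return None
    if rrsig_labels > len(owner_labels):
        raise ValueError("RRSIG labels field exceeds owner label count")
    # Keep the rightmost `rrsig_labels` labels and prepend the '*' label.
    return "*." + ".".join(owner_labels[-rrsig_labels:]) + "."


def nsec_covers(nsec_owner, nsec_next, name):
    """True if `name` lies strictly between nsec_owner and nsec_next in
    canonical order. When nsec_next sorts before nsec_owner the NSEC is
    the last one in the zone and wraps around to the apex."""
    o, n, x = canonical_key(nsec_owner), canonical_key(nsec_next), canonical_key(name)
    if o < n:
        return o < x < n
    return x > o or x < n  # wrap-around: last NSEC of the zone


def validate_wildcard_answer(qname, rrsig_labels, nsec_records):
    """Return (wildcard, proving_nsec) when the answer is a wildcard
    expansion and one NSEC from `nsec_records` (list of (owner, next)
    pairs) proves that no closer match exists. Returns (None, None) for
    a non-wildcard answer and raises ValueError if the proof is missing."""
    wildcard = wildcard_source(qname, rrsig_labels)
    if wildcard is None:
        return (None, None)
    # The closest encloser has `rrsig_labels` labels; the "next closer
    # name" is qname cut down to one label more than that. The NSEC must
    # cover that name to prove the wildcard was the right thing to use.
    next_closer = ".".join(labels(qname)[-(rrsig_labels + 1):]) + "."
    for owner, nxt in nsec_records:
        if nsec_covers(owner, nxt, next_closer):
            return (wildcard, (owner, nxt))
    raise ValueError("no NSEC proves that %s does not exist" % next_closer)


if __name__ == "__main__":
    # Constructed from the post: A RRSIG with labels=2, and
    # NSEC owner *.fedorapeople.org. with next name fedorapeople.org.
    wc, nsec = validate_wildcard_answer(
        "fkooman.fedorapeople.org.", 2,
        [("*.fedorapeople.org.", "fedorapeople.org.")])
    print("synthesized from", wc, "- no closer match proved by NSEC", nsec)
```

On the post's data the wildcard is identified as *.fedorapeople.org. and the NSEC (whose next name is the zone apex, so it is the last NSEC in the zone and covers everything sorting after "*") does cover fkooman.fedorapeople.org., so the wildcard proof in the authority section is structurally complete; the script deliberately does not verify signatures or the DLV chain, which are the remaining places a validator can still fail.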