Maintained by: NLnet Labs

[Unbound-users] Possible unbound bug with wild card results

Paul Wouters
Thu Mar 21 01:39:46 CET 2013


On Wed, 20 Mar 2013, Erinn Looney-Triggs wrote:

> There is a bugzilla open about a similar
> issue: https://bugzilla.redhat.com/show_bug.cgi?id=824219, but from my
> reading it looks like it went off in another direction.
>
> The issue I am running into comes in when resolving fedorapeople.org
> domains which are DLV signed. Specifically fkooman.fedorapeople.org but
> any other *.fedorapeople.org domains seem to fail, and only with unbound
> in my testing thus far. Straight bind will return the result.

It works for me using unbound:

paul@bofh:~$ dig +dnssec fkooman.fedorapeople.org

; <<>> DiG 9.9.2-rl.028.23-P1-RedHat-9.9.2-8.P1.fc18 <<>> +dnssec fkooman.fedorapeople.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65193
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;fkooman.fedorapeople.org.	IN	A

;; ANSWER SECTION:
fkooman.fedorapeople.org. 60	IN	A	152.19.134.191
fkooman.fedorapeople.org. 60	IN	RRSIG	A 5 2 60 20130418182632 20130319182632 378 fedorapeople.org. 7YhhtMeCLSq1wIYnWW3gQvL1hIKnYLO0ffIEQbhKPJ0dSadnipAxxSiJ k8pY2VwvvvNZ+bJoX3PYJAG/jmA7uUnYuK/Zx0OUjkU+Fmc7dOSBlQJp +ikA73Lcv2KjBF0Nbq4LFG11O8MDOdDi1zZ8XrYCdlQkS/PqKoZzcX9m b+A=

;; AUTHORITY SECTION:
*.fedorapeople.org.	86312	IN	NSEC	fedorapeople.org. A AAAA RRSIG NSEC
*.fedorapeople.org.	86312	IN	RRSIG	NSEC 5 2 86400 20130418182632 20130319182632 378 fedorapeople.org. 8DbC9OUD7p+274jhuNpJJA7SgTgCk3ArqaPE5dj/raZNvJcC5Wd1eoiH 72nxwdpyyfX3szQa1iq82/jmfMzohQ45MFK+nNusJMysjlkmGnkZQjKp MqBAuQBQ2WosUOfwG290TTGiXRiapvYVw15odvsTL4wKHzEcYmRbtbnq WyU=

;; Query time: 127 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Mar 20 20:38:16 2013
;; MSG SIZE  rcvd: 461


> My guess is that it has to do with the *.fedorapeople.org record, but I
> am no expert, or perhaps DLV plays into it? There aren't a great deal of
> sites that I know of to compare this to.
>
> Can anyone else confirm or deny this issue with their unbound?

The issue, as the bug described it, is that _if_ unbound is configured
to use a bind server as forwarder, that bind needs to have RT#21409
fixed for it to work properly.

Paul
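
Added example (not part of the original message, and not Unbound's or BIND's code): a Python check of the two things a validator needs for a wildcard answer like the one in the dig output above. It tests whether the RRSIG Labels field is smaller than the owner name's label count, and whether an NSEC in the authority section covers the query name. The sample is a constructed copy of the records shown above with signatures elided, and the function names are illustrative.

```python
# Constructed sample: the records from the dig output above, signatures elided.
SAMPLE = """\
fkooman.fedorapeople.org. 60 IN A 152.19.134.191
fkooman.fedorapeople.org. 60 IN RRSIG A 5 2 60 20130418182632 20130319182632 378 fedorapeople.org. SIG-ELIDED
*.fedorapeople.org. 86312 IN NSEC fedorapeople.org. A AAAA RRSIG NSEC
*.fedorapeople.org. 86312 IN RRSIG NSEC 5 2 86400 20130418182632 20130319182632 378 fedorapeople.org. SIG-ELIDED
"""

def labels(name):
    """Lower-cased labels of a domain name, root label dropped."""
    return [l for l in name.lower().rstrip(".").split(".") if l]

def canonical_key(name):
    """Sort key for RFC 4034 section 6.1 canonical name order."""
    return tuple(l.encode() for l in reversed(labels(name)))

def parse(text):
    """Yield (owner, type, rdata fields) for 'owner TTL IN TYPE rdata' lines."""
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 5 and not line.startswith(";") and f[2] == "IN":
            yield f[0], f[3], f[4:]

def wildcard_source(owner, rrsig_rdata):
    """Wildcard the RRset was expanded from, or None (RRSIG Labels field)."""
    own = labels(owner)
    if own[:1] == ["*"]:              # a leading "*" is not counted in Labels
        own = own[1:]
    sig_labels = int(rrsig_rdata[2])  # rdata: covered-type, algorithm, labels, ...
    if sig_labels >= len(own):
        return None
    return ".".join(["*"] + own[len(own) - sig_labels:]) + "."

def nsec_covers(name, nsec_owner, nsec_next):
    """True if name falls in the gap between an NSEC owner and its next name."""
    n, o, nx = map(canonical_key, (name, nsec_owner, nsec_next))
    return o < n and (n < nx or nx <= o)  # nx <= o: last NSEC wraps to the apex

def check_wildcard_answer(text, qname):
    """Return (wildcard source or None, True if an NSEC covers qname)."""
    records = list(parse(text))
    source = None
    for owner, rtype, rdata in records:
        if (rtype == "RRSIG" and rdata[0] != "NSEC"
                and canonical_key(owner) == canonical_key(qname)):
            source = wildcard_source(owner, rdata) or source
    covered = any(rtype == "NSEC" and nsec_covers(qname, owner, rdata[0])
                  for owner, rtype, rdata in records)
    return source, covered

if __name__ == "__main__":
    print(check_wildcard_answer(SAMPLE, "fkooman.fedorapeople.org."))
```

A result with a wildcard source but no covering NSEC is the case a validating resolver cannot accept as secure.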