Maintained by: NLnet Labs

[Unbound-users] Possible unbound bug with wild card results

Erinn Looney-Triggs
Thu Mar 21 02:42:17 CET 2013


On 03/20/2013 06:39 PM, Paul Wouters wrote:
> On Wed, 20 Mar 2013, Erinn Looney-Triggs wrote:
> 
>> There is a bugzilla open about a similar issue:
>> https://bugzilla.redhat.com/show_bug.cgi?id=824219 , but from my
>> reading it looks like it went off in another direction.
>>
>> The issue I am running into comes in when resolving fedorapeople.org
>> domains which are DLV signed. Specifically fkooman.fedorapeople.org but
>> any other *.fedorapeople.org domains seem to fail, and only with unbound
>> in my testing thus far. Straight bind will return the result.
> 
> It works for me using unbound:
> 
> paul at bofh:~$ dig +dnssec fkooman.fedorapeople.org
> 
> ; <<>> DiG 9.9.2-rl.028.23-P1-RedHat-9.9.2-8.P1.fc18 <<>> +dnssec
> fkooman.fedorapeople.org
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65193
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;fkooman.fedorapeople.org.    IN    A
> 
> ;; ANSWER SECTION:
> fkooman.fedorapeople.org. 60    IN    A    152.19.134.191
> fkooman.fedorapeople.org. 60    IN    RRSIG    A 5 2 60 20130418182632
> 20130319182632 378 fedorapeople.org.
> 7YhhtMeCLSq1wIYnWW3gQvL1hIKnYLO0ffIEQbhKPJ0dSadnipAxxSiJ
> k8pY2VwvvvNZ+bJoX3PYJAG/jmA7uUnYuK/Zx0OUjkU+Fmc7dOSBlQJp
> +ikA73Lcv2KjBF0Nbq4LFG11O8MDOdDi1zZ8XrYCdlQkS/PqKoZzcX9m b+A=
> 
> ;; AUTHORITY SECTION:
> *.fedorapeople.org.    86312    IN    NSEC    fedorapeople.org. A AAAA
> RRSIG NSEC
> *.fedorapeople.org.    86312    IN    RRSIG    NSEC 5 2 86400
> 20130418182632 20130319182632 378 fedorapeople.org.
> 8DbC9OUD7p+274jhuNpJJA7SgTgCk3ArqaPE5dj/raZNvJcC5Wd1eoiH
> 72nxwdpyyfX3szQa1iq82/jmfMzohQ45MFK+nNusJMysjlkmGnkZQjKp
> MqBAuQBQ2WosUOfwG290TTGiXRiapvYVw15odvsTL4wKHzEcYmRbtbnq WyU=
> 
> ;; Query time: 127 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Wed Mar 20 20:38:16 2013
> ;; MSG SIZE  rcvd: 461
> 
> 
>> My guess is that it has to do with the *.fedorapeople.org record, but I
>> am no expert, or perhaps DLV plays into it? There aren't a great deal of
>> sites that I know of to compare this to.
>>
>> Can anyone else confirm or deny this issue with their unbound?
> 
> The issue, as the bug described it, is that _if_ unbound is configured
> to use a bind server as forwarder, that bind needs to have RT#21409
> fixed for it to work properly.
> 
> Paul

Paul,
Thanks for taking a look, I appreciate your time. It looks like the
problem is a combination of unbound, dnssec-trigger, and bind.

My lack of understanding of dnssec-trigger also played a large part. So
it looks like dnssec-trigger sets . to forward to the upstream DNS
resolver if DHCP DNS addresses are available for use.

So in my case it looks like my ISP is running bind and this in turn
creates the issue for me.

After running 'unbound-control forward_remove .' I was able to resolve the
address as I should.

Thanks again for checking and for updating the bug,

-Erinn



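Added example (not from the thread, Unbound or dnssec-trigger): what a validating resolver has to see before it can accept the wildcard-synthesised answer quoted above. The RRSIG on the A record carries a Labels field of 2 for a 3-label owner name, which tells the validator the data came from *.fedorapeople.org; RFC 4035 then requires a signed NSEC (or NSEC3) in the AUTHORITY section proving that no closer match for fkooman.fedorapeople.org exists. If anything between the validator and the authoritative server drops that proof, the answer is unverifiable even though the A record and its signature are fine. The script parses `dig +dnssec` text, detects wildcard expansion from the RRSIG Labels field, and checks that a covering, signed NSEC arrived. The first sample is the quoted answer with the e-mail line wrapping undone and signatures shortened; the second is constructed by stripping the AUTHORITY section and the ad flag, to show what the check reports when the proof is missing. NSEC3 (hashed) proofs are not handled, which is fine for this zone, as the quoted output shows plain NSEC.

```python
"""Check a `dig +dnssec` answer for the wildcard proof a validator needs.

Added example, not code from the unbound-users thread or from Unbound.
RRSIG RDATA (RFC 4034 section 3.1): type alg labels origttl expire incept
keytag signer signature. Labels < label count of the owner name means the
RRset was synthesised from a wildcard, and RFC 4035 section 5.3.4 then
requires a signed NSEC proving no closer match exists.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: the dig output quoted in the thread, rejoined onto
# single lines with the signature data shortened.
WILDCARD_ANSWER = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65193
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 1
;; QUESTION SECTION:
;fkooman.fedorapeople.org.    IN    A

;; ANSWER SECTION:
fkooman.fedorapeople.org. 60 IN A 152.19.134.191
fkooman.fedorapeople.org. 60 IN RRSIG A 5 2 60 20130418182632 20130319182632 378 fedorapeople.org. 7YhhtM...b+A=

;; AUTHORITY SECTION:
*.fedorapeople.org. 86312 IN NSEC fedorapeople.org. A AAAA RRSIG NSEC
*.fedorapeople.org. 86312 IN RRSIG NSEC 5 2 86400 20130418182632 20130319182632 378 fedorapeople.org. 8DbC9O...WyU=
"""

# Constructed failure case: same answer without the AUTHORITY section and
# without the ad flag, i.e. the wildcard proof never reached the validator.
STRIPPED_ANSWER = WILDCARD_ANSWER.split(";; AUTHORITY SECTION:")[0].replace(" ad;", ";")

SECTION_RE = re.compile(r"^;; (\w+) SECTION:")
FLAGS_RE = re.compile(r"^;; flags: ([^;]*);")


@dataclass
class RR:
    name: str
    ttl: int
    rtype: str
    rdata: List[str]


def parse_dig(text: str) -> Dict:
    """Minimal parser for dig's presentation format: flags, question, sections."""
    msg = {"flags": set(), "qname": None, "qtype": None, "sections": {}}
    section = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if m := SECTION_RE.match(line):
            section = m.group(1)
            continue
        if m := FLAGS_RE.match(line):
            msg["flags"] = set(m.group(1).split())
            continue
        if section == "QUESTION" and line.startswith(";"):
            name, _cls, qtype = line[1:].split()
            msg["qname"], msg["qtype"] = name.lower(), qtype
            continue
        if line.startswith(";") or section is None:
            continue
        name, ttl, _cls, rtype, *rdata = line.split()
        msg["sections"].setdefault(section, []).append(RR(name.lower(), int(ttl), rtype, rdata))
    return msg


def labels(name: str) -> List[str]:
    return [lab for lab in name.lower().rstrip(".").split(".") if lab]


def canon(name: str) -> tuple:
    """Canonical ordering key (RFC 4034 section 6.1): labels compared right to left,
    a parent name sorting before its children."""
    return tuple(reversed(labels(name)))


def nsec_covers(nsec: RR, qname: str) -> bool:
    """True if qname falls in the gap (owner, next) that this NSEC asserts is empty."""
    owner, nxt, q = canon(nsec.name), canon(nsec.rdata[0]), canon(qname)
    if owner < nxt:
        return owner < q < nxt
    return q > owner or q < nxt  # last NSEC of the zone wraps around to the apex


def check_wildcard_proof(text: str) -> Dict:
    msg = parse_dig(text)
    qname, qtype = msg["qname"], msg["qtype"]
    answer = msg["sections"].get("ANSWER", [])
    authority = msg["sections"].get("AUTHORITY", [])
    report = {"ad": "ad" in msg["flags"], "wildcard": False, "wildcard_owner": None,
              "nsec_proof": False, "nsec_signed": False}
    for sig in answer:
        if sig.rtype != "RRSIG" or sig.rdata[0] != qtype:
            continue
        owner_labels = labels(sig.name)
        sig_labels = int(sig.rdata[2])
        if sig_labels < len(owner_labels):  # synthesised from a wildcard
            report["wildcard"] = True
            report["wildcard_owner"] = "*." + ".".join(owner_labels[-sig_labels:]) + "."
    if report["wildcard"]:
        for nsec in authority:
            if nsec.rtype == "NSEC" and nsec_covers(nsec, qname):
                report["nsec_proof"] = True
                report["nsec_signed"] = any(
                    rr.rtype == "RRSIG" and rr.name == nsec.name and rr.rdata[0] == "NSEC"
                    for rr in authority)
    # Nothing missing for validation: either no wildcard, or a signed covering NSEC.
    report["proof_complete"] = (not report["wildcard"]) or (report["nsec_proof"] and report["nsec_signed"])
    return report


if __name__ == "__main__":
    for label, text in (("full answer", WILDCARD_ANSWER), ("authority stripped", STRIPPED_ANSWER)):
        print(label, check_wildcard_proof(text))
```

To reproduce the comparison from the thread, capture `dig +dnssec @127.0.0.1 fkooman.fedorapeople.org` once with the dnssec-trigger forward zone in place (`unbound-control list_forwards` shows whether "." is being forwarded) and once after `unbound-control forward_remove .`, and feed both captures to `check_wildcard_proof`; an answer that comes back without the covering NSEC and its RRSIG is the one Unbound cannot validate. The checker only inspects the presence and placement of the records; it does not verify signatures, so a `proof_complete` result means the validator has what it needs, not that the answer is authentic.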