Maintained by: NLnet Labs

[Unbound-users] Possible unbound bug with wild card results

W.C.A. Wijngaards
Thu Mar 21 10:20:45 CET 2013


Hi Erinn,

On 03/20/2013 09:55 PM, Erinn Looney-Triggs wrote:
> There is a bugzilla open about a similar issue:
> https://bugzilla.redhat.com/show_bug.cgi?id=824219, but from
> my reading it looks like it went off in another direction.
> 
> The issue I am running into comes in when resolving
> fedorapeople.org domains which are DLV signed. Specifically
> fkooman.fedorapeople.org but any other *.fedorapeople.org domains
> seem to fail, and only with unbound in my testing thus far.
> Straight bind will return the result.
> 
> When attempting to resolve I get this in the logs:
> 
> unbound: [1005:1] info: validation failure fkooman.fedorapeople.org. A IN

Can you tell me why it failed?  Set val-log-level: 2
or run unbound-host to do the lookup.

When I perform this lookup, it works fine, and uses the isc.org DLV.
This is with latest unbound version.

Best regards,
   Wouter

> Running directly against bind we get the result as expected:
> 
> dig fkooman.fedorapeople.org +dnssec
> 
> ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6.3 <<>> fkooman.fedorapeople.org +dnssec
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57589
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;fkooman.fedorapeople.org.      IN      A
> 
> ;; ANSWER SECTION:
> fkooman.fedorapeople.org. 56    IN      A       152.19.134.191
> fkooman.fedorapeople.org. 56    IN      RRSIG   A 5 2 60 20130418182632 20130319182632 378 fedorapeople.org.
> 7YhhtMeCLSq1wIYnWW3gQvL1hIKnYLO0ffIEQbhKPJ0dSadnipAxxSiJ 
> k8pY2VwvvvNZ+bJoX3PYJAG/jmA7uUnYuK/Zx0OUjkU+Fmc7dOSBlQJp 
> +ikA73Lcv2KjBF0Nbq4LFG11O8MDOdDi1zZ8XrYCdlQkS/PqKoZzcX9m b+A=
> 
> ;; AUTHORITY SECTION:
> *.fedorapeople.org.     56      IN      NSEC    fedorapeople.org. A AAAA RRSIG NSEC
> *.fedorapeople.org.     56      IN      RRSIG   NSEC 5 2 86400 20130418182632 20130319182632 378 fedorapeople.org.
> 8DbC9OUD7p+274jhuNpJJA7SgTgCk3ArqaPE5dj/raZNvJcC5Wd1eoiH 
> 72nxwdpyyfX3szQa1iq82/jmfMzohQ45MFK+nNusJMysjlkmGnkZQjKp 
> MqBAuQBQ2WosUOfwG290TTGiXRiapvYVw15odvsTL4wKHzEcYmRbtbnq WyU=
> 
> 
> You can get a nice break down of the signing here: 
> http://dnsviz.net/d/fkooman.fedorapeople.org/dnssec/
> 
> My guess is that it has to do with the *.fedorapeople.org record,
> but I am no expert, or perhaps DLV plays into it? There aren't a
> great deal of sites that I know of to compare this to.
> 
> Can anyone else confirm or deny this issue with their unbound?
> 
> Thanks, -Erinn

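Added example, not part of the original message and not Unbound's code: the Python below reads the RRSIG and NSEC records from the dig output quoted above and applies the two wildcard checks a validator makes (RFC 4035 section 5.3.4), namely that the RRSIG Labels field reveals wildcard expansion and that the NSEC in the authority section shows no exact match for the query name exists. The function names are made up for this illustration, and the signature data is omitted because the checks shown do not use it.

```python
# Records copied from the dig output quoted in the message (signature data omitted).
ANSWER_RRSIG = ("fkooman.fedorapeople.org. 56 IN RRSIG A 5 2 60 "
                "20130418182632 20130319182632 378 fedorapeople.org.")
AUTHORITY_NSEC = "*.fedorapeople.org. 56 IN NSEC fedorapeople.org. A AAAA RRSIG NSEC"


def labels(name):
    """Split a domain name into lowercase labels, without the root label."""
    return [l for l in name.lower().rstrip(".").split(".") if l]


def canonical_key(name):
    """RFC 4034 section 6.1 ordering: compare labels right to left, as bytes."""
    return [l.encode("ascii") for l in reversed(labels(name))]


def wildcard_source(rrsig_line):
    """Return the wildcard an answer was expanded from, or None if it was not."""
    fields = rrsig_line.split()
    owner_labels, rrsig_labels = labels(fields[0]), int(fields[6])
    if owner_labels and owner_labels[0] == "*":
        owner_labels = owner_labels[1:]  # a leading "*" is not counted in Labels
    if len(owner_labels) <= rrsig_labels:
        return None  # label counts agree: the owner name exists as signed
    # Keep the rightmost `rrsig_labels` labels and put the wildcard in front.
    return "*." + ".".join(owner_labels[-rrsig_labels:]) + "."


def nsec_covers(nsec_line, qname):
    """True if qname falls strictly between the NSEC owner and its next name."""
    fields = nsec_line.split()
    owner, next_name = canonical_key(fields[0]), canonical_key(fields[4])
    q = canonical_key(qname)
    if owner >= next_name:  # last NSEC in the zone: the chain wraps to the apex
        return q > owner or q < next_name
    return owner < q < next_name


if __name__ == "__main__":
    qname = "fkooman.fedorapeople.org."
    print("expanded from:", wildcard_source(ANSWER_RRSIG))
    print("NSEC proves no exact match:", nsec_covers(AUTHORITY_NSEC, qname))
```

A validator that accepts this answer has verified the A RRSIG against the reconstructed `*.fedorapeople.org.` owner name and has also validated the NSEC record's own signature; neither signature check is performed here.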