Maintained by: NLnet Labs

[Unbound-users] DLV anchor and unsigned domains

W.C.A. Wijngaards
Thu Mar 27 16:40:04 CET 2014



Hi Alan,

Can you provide detailed logs about what happens when you query
carnet.hr and get SERVFAIL?  Like, with verbosity 4, val-log-level: 2.
That should also print out a reason for the servfail in the logs.  If
it works for bind, then the bug must be in unbound.

Best regards,
   Wouter

On 03/27/2014 03:51 PM, Alan Jurcic wrote:
> On 27.03.14 at 15:14, W.C.A. Wijngaards wrote:
>> 
>> If your DLV provider does not answer, the security status of
>> every domain not in cache cannot be determined.  It must
>> therefore be withheld from the poor user.  Did you configure a
>> non-working dlv domain?
>> 
> 
> Hi Wouter,
> 
> DLV validation is working for the domain with the DLV record in my
> DLV zone, but everything unsigned is automatically bogus. I have
> the same DLV configured in the bind resolver and it works fine there:
> the root anchor is checked first, then DLV, and if neither contains a
> DS/DLV for the domain then the domain is unsigned and the answer is
> returned to the client.
> 
> 
> Querying a signed domain with the DLV anchor:
> 
> $ dig sec.tst.hr @193.198.241.11 # bind resolver
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2537
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
> 
> $ dig sec.tst.hr @193.198.241.48 # unbound resolver
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38124
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
> 
> 
> Querying a signed domain with the root anchor:
> 
> $ dig nlnetlabs.nl @193.198.241.11 # bind resolver
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43298
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 3
> 
> $ dig nlnetlabs.nl @193.198.241.48 # unbound resolver
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30066
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 4
> 
> 
> The issue comes up when I query an unsigned domain:
> 
> $ dig carnet.hr @193.198.241.11 # bind resolver
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26035
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 9
> 
> $ dig carnet.hr @193.198.241.48 # unbound resolver
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 36322
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
> 
> 
> Hope that helps :)
> 
> Alan
> 

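The validation order Alan describes in the quoted message (root anchor first, then DLV, and "insecure" rather than "bogus" when neither covers the name), modelled as an added example that is not part of this thread nor of Unbound's or BIND's code. The zone data below is constructed for illustration; it assumes one zone cut per label and a hypothetical DLV zone listing sec.tst.hr, and does not reflect the real 2014 state of .hr or .nl.

```python
from enum import Enum


class Status(Enum):
    SECURE = "secure"      # chain of trust from the root anchor or DLV: AD bit set
    INSECURE = "insecure"  # provably unsigned: answer returned, AD bit clear
    BOGUS = "bogus"        # validation failed: client gets SERVFAIL


# Constructed sample data (not real DNS): signed zones, zones with a DS in
# their parent, and names published in the hypothetical DLV zone.
SIGNED_ZONES = {".", "nl.", "nlnetlabs.nl.", "hr.", "sec.tst.hr."}
DS_IN_PARENT = {"nl.", "nlnetlabs.nl.", "hr."}   # reachable from the root anchor
DLV_REGISTRY = {"sec.tst.hr."}                   # covered only via the DLV anchor


def zone_path(name):
    """'sec.tst.hr.' -> ['.', 'hr.', 'tst.hr.', 'sec.tst.hr.'] (one zone per label)."""
    labels = name.rstrip(".").split(".")
    return ["."] + [".".join(labels[i:]) + "." for i in range(len(labels) - 1, -1, -1)]


def validate(name, dlv_enabled=True):
    """Walk from the root anchor; fall back to DLV where the DS chain ends."""
    secure = True  # the root anchor is trusted
    for zone in zone_path(name)[1:]:
        if secure:
            if zone in DS_IN_PARENT:
                if zone not in SIGNED_ZONES:   # DS promises a key the zone lacks
                    return Status.BOGUS
                continue                       # secure delegation, chain continues
            secure = False                     # authenticated denial of DS: chain ends
        # Chain is insecure here (a DS in an unsigned parent cannot be trusted);
        # a DLV record may re-establish trust at exactly this zone.
        if dlv_enabled and zone in DLV_REGISTRY:
            if zone not in SIGNED_ZONES:       # DLV record present, no matching key
                return Status.BOGUS
            secure = True
    return Status.SECURE if secure else Status.INSECURE


def dns_flags(status):
    """What the client sees, matching the dig output quoted above."""
    if status is Status.BOGUS:
        return {"rcode": "SERVFAIL", "ad": False}
    return {"rcode": "NOERROR", "ad": status is Status.SECURE}
```

With this data `validate("carnet.hr.")` is INSECURE and answered NOERROR without the AD bit, which is the BIND behaviour in the thread; only a DS or DLV record that cannot be matched yields BOGUS and SERVFAIL.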