Maintained by: NLnet Labs

[Unbound-users] Strange validation failures for some wildcard CNAMEs

Casey Deccio
Wed Sep 17 18:27:06 CEST 2014


On Wed, Sep 17, 2014 at 10:05 AM, Ondřej Caletka <ondrej at caletka.cz> wrote:

> I'm having an issue with validating particular domain names:
>
> $ dig _25._tcp.mail.relia-pc.cz tlsa
> $ dig _443._tcp.kinderporno.cz tlsa
>  - validates with BIND, fails with Unbound 1.4.21
>  - unbound-host says that cname proof failed
>
> I'm suspecting that there is something wrong on the authoritative side
> since both domains are hosted on the same set of servers. But I'm not
> able to figure out, what exactly is wrong and how the answers should
> look like to be validated successfully by Unbound.
>
>
I don't immediately see anything wrong with the complete names above.  But
I can see that BIND and unbound both are failing validation for _
tcp.kinderporno.cz.  I am wondering if this is perhaps due to incorrect
handling of NSEC records associated with wildcards.

$ dig +dnssec +noall +authority @ns.forpsi.it _tcp.kinderporno.cz | grep
NSEC | head -1
default._domainkey.kinderporno.cz. 3600    IN NSEC    _jabber._
tcp.kinderporno.cz. TXT RRSIG NSEC

The NSEC record returned doesn't prove that the name doesn't exist
(NXDOMAIN) because the name (_tcp.kinderporno.cz) is in fact an ancestor of
the next field of the NSEC record (_jabber._tcp.kinderporno.cz), as an
empty non-terminal.  But that proof is not required for wildcard, only for
NXDOMAIN status.

But that doesn't explain why unbound would be failing validation on _443._
tcp.kinderporno.cz, unless it is performing validation of _
tcp.kinderporno.cz along the way.

Just a guess.

Casey
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://unbound.nlnetlabs.nl/pipermail/unbound-users/attachments/20140917/c35fd4fd/attachment.html>