Maintained by: NLnet Labs

[Unbound-users] Strange validation failures for some wildcard CNAMEs

Ondřej Caletka
Mon Sep 22 12:58:23 CEST 2014


On 17.9.2014 16:05, Ondřej Caletka wrote:
> Hi,
> 
> I'm having an issue with validating particular domain names:
> 
> $ dig _25._tcp.mail.relia-pc.cz tlsa
> $ dig _443._tcp.kinderporno.cz tlsa
>  - validates with BIND, fails with Unbound 1.4.21
>  - unbound-host says that cname proof failed
> 
> I'm suspecting that there is something wrong on the authoritative side
> since both domains are hosted on the same set of servers. But I'm not
> able to figure out what exactly is wrong and what the answers should
> look like to be validated successfully by Unbound.
> 

Hello again,

I think I've found the answer in the DANE WG ML:
http://www.ietf.org/mail-archive/web/dane/current/msg06960.html

Looks like the issue is actually caused by bad wildcard DNSSEC
processing in djbdns.

Thanks for the help.

--
Ondřej Caletka
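To show what a validator such as Unbound checks when it reports a failed CNAME proof, here is an added Python example (not code from this thread, from Unbound or from djbdns) applying the RFC 4035 wildcard rule: when the RRSIG Labels field is smaller than the owner name's label count, the RRset was wildcard-expanded, and the response must then also carry an NSEC/NSEC3 proof that no closer name exists. The owner name is taken from the post; the Labels value and the proof list are constructed.

```python
"""Diagnose a wildcard-expanded RRset the way a DNSSEC validator does.

Added example, not from the original post. RFC 4035 sections 3.1.3.3 and 5.3.4:
if the RRSIG Labels field is smaller than the number of labels in the owner
name, the RRset was synthesized from a wildcard, and the response must also
prove (NSEC/NSEC3) that no closer match exists. Without that proof the answer
is bogus, which is the class of failure reported as a failed CNAME proof.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


def label_count(name: str) -> int:
    """Count labels in an absolute name; '*' counts as a label, the root has 0."""
    name = name.rstrip(".")
    return 0 if not name else name.count(".") + 1


def wildcard_source(owner: str, sig_labels: int) -> Optional[str]:
    """Return the wildcard the RRset was expanded from, or None if not expanded."""
    owner = owner.rstrip(".")
    n = label_count(owner)
    if sig_labels > n:
        raise ValueError("RRSIG Labels exceeds owner label count: bogus signature")
    if sig_labels == n:
        return None  # signed under its own name, nothing to prove
    kept = owner.split(".")[n - sig_labels:]  # rightmost sig_labels labels survive
    return "*." + ".".join(kept) + "."


@dataclass
class Response:
    owner: str                       # name that was queried
    sig_labels: int                  # Labels field of the covering RRSIG (constructed)
    nonexistence_proof: List[str] = field(default_factory=list)  # NSEC/NSEC3 owners


def validate_wildcard(resp: Response) -> Tuple[bool, str]:
    """Return (valid, reason) for the wildcard part of validation only."""
    src = wildcard_source(resp.owner, resp.sig_labels)
    if src is None:
        return True, "not wildcard-expanded; no extra proof needed"
    if not resp.nonexistence_proof:
        return False, f"expanded from {src} but no NSEC/NSEC3 proves a closer name is absent"
    return True, f"expanded from {src}; nonexistence proof present"
```

A real validator additionally verifies the signature itself and that the NSEC/NSEC3 records actually cover the queried name; this block isolates only the label-count step.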
