Maintained by: NLnet Labs

SRVFAIL with forward-zone in secured zone

Over Dexia
Tue Aug 18 13:20:06 CEST 2015


If this is a double post, I'm sorry. I just have no way of checking if
this request arrived at the list (I didn't get a copy, that much I
know). Maybe if someone could at least confirm that it arrived?

Here the original text:

Lately I started implementing dnssec, which starts to work now.
However, it seems the overriding and the securing sometimes bite...

I have a zone, resolved by nsd3 (with dnssec), on localhost
port 58. Unbound is configured to use that:

	trust-anchor-file: /etc/unbound/
	stub-addr: at 58

That works as expected:

# dig +nocomments +nostats +nocmd @localhost +dnssec
; IN A 259200 IN A 259200 IN RRSIG A 8 3 259200
20150814014637 20150807095151 30514
eJcd/v4XWUCLAJJ3QckFQpXoKror4updVO04pY9py1f5iI6GhRry0ANO 9Z4=

But I also need to have one host of that domain resolved by an external
nameserver (not under my control). So I used:

name: ''

Which worked nicely, before I used dnssec.

But now:

# dig +nocomments +nostats +nocmd @localhost +dnssec
; IN A

I get resolution if I use cdflag:

# dig +nocomments +nostats +nocmd @localhost +dnssec
; IN A 83904 IN A

If I use some other host (windows here) or a simple lookup without
dnssec, I get a SRVFAIL resp. NXDOMAIN:


*** can't find Server failed

# nslookup localhost                             ;; Got
SERVFAIL reply from, trying next server
Server:         localhost

** server can't find NXDOMAIN

Now I do get that unbound is unable to deliver a correctly signed record
for, but what I don't understand is, why doesn't unbound
deliver an unsigned / unsecured record from a forward-zone on an
ordinary request?

It does work like that if I use local-data instead of forward-zone:
local-data: ' IN A'

# dig +nocomments +nostats +nocmd @localhost +dnssec
;                  IN      A           3600    IN      A

(same for nslookup like above.)

So in general, unbound is able to deliver insecure records of secure
zones using local-data, but not with forward-zones.

I also tried to do something like
, but that was flagged as a syntax error in the configuration file.

Is it possible to get insecure records from forward-zones delivered,
just like with local-data?

Thanks for any insights in advance, jo

PS: Some maybe helpful unbound-host output:

Using forward-zone:

# unbound-host -C /etc/unbound/unbound.conf -v has address (BOGUS (security failure))
validation failure < A IN>: covering NSEC3 was not opt-out
in an opt-out DS NOERROR/NODATA case from for DS
while building chain of trust

With local-data entry:

# unbound-host -C /etc/unbound/unbound.conf -v has address (insecure) has no IPv6 address (insecure) has no mail handler record (insecure)