Maintained by: NLnet Labs

SERVFAIL with forward-zone in secured zone

Over Dexia
Tue Aug 18 13:20:06 CEST 2015


Hello,

If this is a double post, I'm sorry. I just have no way of checking if
this request arrived at the list (I didn't get a copy, that much I
know). Maybe if someone could at least confirm that it arrived?

Here is the original text:

Lately I started implementing dnssec, which starts to work now.
However, it seems the overriding and the securing sometimes bite...

I have a zone mydom.de, resolved by nsd3 (with dnssec), on localhost
port 58. Unbound is configured to use that:

server:
	private-domain: mydom.de
	trust-anchor-file: /etc/unbound/mydom.de.anchor
stub-zone:
	name: mydom.de
	stub-addr: 127.0.0.1@58

That works as expected:

# dig +nocomments +nostats +nocmd dnstest.mydom.de @localhost +dnssec
;dnstest.mydom.de. IN A
dnstest.mydom.de. 259200 IN A 10.10.99.99
dnstest.mydom.de. 259200 IN RRSIG A 8 3 259200
20150814014637 20150807095151 30514 mydom.de.
QwIlVNcRCVmdoNagH1/oY3DWVIJ+IMYILIz+ceEf93LPd4Ba81Gq73b4
31X6A33ZGxJLPIpIwP/W/AiRFmxgDrVgBeOAqHk70/7MrtttS71XFPmJ
eJcd/v4XWUCLAJJ3QckFQpXoKror4updVO04pY9py1f5iI6GhRry0ANO 9Z4=
...

But I also need to have one host of that domain resolved by an external
nameserver (not under my control). So I used:

forward-zone:
	name: 'www.mydom.de'
	forward-addr: 9.9.90.9

Which worked nicely, before I used dnssec.

But now:

# dig +nocomments +nostats +nocmd www.mydom.de @localhost +dnssec
;www.mydom.de. IN A

I get resolution if I use cdflag:

# dig +nocomments +nostats +nocmd www.mydom.de @localhost +dnssec +cdflag
;www.mydom.de. IN A
www.mydom.de. 83904 IN A 9.9.90.9

If I use some other host (Windows here) or a simple lookup without
dnssec, I get a SERVFAIL or an NXDOMAIN, respectively:

C:\>nslookup www.mydom.de 10.10.10.6
Server: illgner.mydom.de
Address: 10.10.10.6

*** illgner.mydom.de can't find www.mydom.de: Server failed

# nslookup www.mydom.de localhost
;; Got SERVFAIL reply from 127.0.0.1, trying next server
Server:         localhost
Address:        127.0.0.1#53

** server can't find www.mydom.de: NXDOMAIN


Now I do get that unbound is unable to deliver a correctly signed record
for www.mydom.de, but what I don't understand is why unbound doesn't
deliver an unsigned / unsecured record from a forward-zone on an
ordinary request.

It does work like that if I use local-data instead of forward-zone:
local-data: 'www.mydom.de IN A 9.9.90.9'

# dig +nocomments +nostats +nocmd www.mydom.de @localhost +dnssec
;www.mydom.de.                  IN      A
www.mydom.de.           3600    IN      A       9.9.90.9

(same for nslookup like above.)

So in general, unbound is able to deliver insecure records of secure
zones using local-data, but not with forward-zones.

I also tried something like

domain-insecure: www.mydom.de

but that was flagged as a syntax error in the configuration file.

Is it possible to get insecure records from forward-zones delivered,
just like with local-data?



Thanks for any insights in advance, jo



PS: Some possibly helpful unbound-host output:


Using forward-zone:

# unbound-host -C /etc/unbound/unbound.conf www.mydom.de. -v
www.mydom.de. has address 9.9.90.9 (BOGUS (security failure))
validation failure <www.mydom.de. A IN>: covering NSEC3 was not opt-out
in an opt-out DS NOERROR/NODATA case from 127.0.0.1 for DS www.mydom.de.
while building chain of trust
...

With local-data entry:

# unbound-host -C /etc/unbound/unbound.conf www.mydom.de. -v
www.dexia.de. has address 9.9.90.9 (insecure)
www.dexia.de. has no IPv6 address (insecure)
www.dexia.de. has no mail handler record (insecure)
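Added example, not from the post and not Unbound's own code: a small Python check for the configuration shape described above. It reads unbound.conf the way Unbound's parser does, ignoring indentation, so a `domain-insecure:` line that ends up after the `forward-zone:` clause is reported as misplaced (the assumption here is that this is how the syntax error jo mentions came about), and a forward-zone below a trust-anchored zone with no matching `domain-insecure` under `server:` is flagged. The zones the anchor file covers are passed in by the caller, since the file's contents are not in the config; the sample configs are constructed.

```python
import re

def parse_clauses(text):
    """[(clause, [(key, value), ...]), ...]. Unbound ignores indentation: a bare
    'word:' line opens a clause and later 'key: value' lines belong to it."""
    clauses = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()            # drop comments and blanks
        if not line:
            continue
        m = re.match(r"^([a-z-]+):\s*(.*)$", line)
        if not m or (not clauses and m.group(2).strip()):
            raise ValueError(f"unparsable or clause-less line: {raw!r}")
        key, value = m.group(1), m.group(2).strip().strip("'\"")
        if value == "":                                 # clause header
            clauses.append((key, []))
        else:
            clauses[-1][1].append((key, value))
    return clauses

def is_below(name, zone):
    name, zone = name.rstrip(".").lower(), zone.rstrip(".").lower()
    return name == zone or name.endswith("." + zone)

def check(text, anchored):
    """Report domain-insecure outside server: (rejected as a syntax error) and
    forward-zones under a zone in 'anchored' (the zones the trust-anchor files
    cover, supplied by the caller) that no server: domain-insecure covers."""
    findings, insecure, forwards = [], [], []
    for clause, opts in parse_clauses(text):
        for key, value in opts:
            if key == "domain-insecure" and clause == "server":
                insecure.append(value)
            elif key == "domain-insecure":
                findings.append(f"domain-insecure {value!r} sits in {clause}:, "
                                "which Unbound rejects; it belongs under server:")
            elif clause == "forward-zone" and key == "name":
                forwards.append(value)
    for fz in forwards:
        if any(is_below(fz, z) for z in anchored) and not any(is_below(fz, i) for i in insecure):
            findings.append(f"forward-zone {fz!r} lies below a trust-anchored zone with no "
                            "domain-insecure, so its unsigned answers validate as BOGUS")
    return findings

# Constructed configs in the post's shape: domain-insecure after forward-zone: vs. under server:.
SERVER = "server:\n\ttrust-anchor-file: /etc/unbound/mydom.de.anchor\n"
ZONES = ("stub-zone:\n\tname: mydom.de\n\tstub-addr: 127.0.0.1@58\n"
         "forward-zone:\n\tname: 'www.mydom.de'\n\tforward-addr: 9.9.90.9\n")
BROKEN_CONF = SERVER + ZONES + "domain-insecure: www.mydom.de\n"
FIXED_CONF = SERVER + "\tdomain-insecure: www.mydom.de\n" + ZONES
```

Running `check(BROKEN_CONF, ["mydom.de"])` yields two findings (the misplaced option and the uncovered forward-zone), while `check(FIXED_CONF, ["mydom.de"])` yields none.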