Maintained by: NLnet Labs

SRVFAIL with forward-zone in secured zone

W.C.A. Wijngaards
Tue Aug 18 13:59:27 CEST 2015


Hi Over,

On 18/08/15 13:20, Over Dexia via Unbound-users wrote:
> Hello,
> 
> If this is a double post, I'm sorry. I just have no way of checking
> if this request arrived at the list (I didn't get a copy, that much
> I know). Maybe if someone could at least confirm that it arrived?
> 
> Here the original text:
> 
> Lately I started implementing dnssec, which starts to work now. 
> However, it seems the overriding and the securing sometimes
> bite...
> 
> I have a zone mydom.de, resolved by nsd3 (with dnssec), on
> localhost port 58. Unbound is configured to use that:
> 
> server:
>     private-domain: mydom.de
>     trust-anchor-file: /etc/unbound/mydom.de.anchor
> stub-zone:
>     name: mydom.de
>     stub-addr: 127.0.0.1@58
> 
> That works as expected:
> 
> # dig +nocomments +nostats +nocmd dnstest.mydom.de @localhost +dnssec
> ;dnstest.mydom.de. IN A
> dnstest.mydom.de. 259200 IN A 10.10.99.99
> dnstest.mydom.de. 259200 IN RRSIG A 8 3 259200 20150814014637 20150807095151 30514 mydom.de. QwIlVNcRCVmdoNagH1/oY3DWVIJ+IMYILIz+ceEf93LPd4Ba81Gq73b4 31X6A33ZGxJLPIpIwP/W/AiRFmxgDrVgBeOAqHk70/7MrtttS71XFPmJ eJcd/v4XWUCLAJJ3QckFQpXoKror4updVO04pY9py1f5iI6GhRry0ANO 9Z4=
> ...
> 
> But I also need to have one host of that domain resolved by an
> external nameserver (not under my control). So I used:
> 
> forward-zone:
>     name: 'www.mydom.de'
>     forward-addr: 9.9.90.9
> 
> Which worked nicely, before I used dnssec.
> 
> But now:
> 
> # dig +nocomments +nostats +nocmd www.mydom.de @localhost +dnssec 
> ;www.mydom.de. IN A
> 
> I get resolution if I use cdflag:
> 
> # dig +nocomments +nostats +nocmd www.mydom.de @localhost +dnssec +cdflag
> ;www.mydom.de. IN A
> www.mydom.de. 83904 IN A 9.9.90.9
> 
> If I use some other host (windows here) or a simple lookup without
> dnssec, I get a SERVFAIL resp. NXDOMAIN:
> 
> C:\>nslookup www.mydom.de 10.10.10.6
> Server: illgner.mydom.de
> Address: 10.10.10.6
> 
> *** illgner.mydom.de can't find www.mydom.de: Server failed
> 
> # nslookup www.mydom.de localhost
> ;; Got SERVFAIL reply from 127.0.0.1, trying next server
> Server: localhost
> Address: 127.0.0.1#53
> 
> ** server can't find www.mydom.de: NXDOMAIN
> 
> 
> Now I do get that unbound is unable to deliver a correctly signed
> record for www.mydom.de, but what I don't understand is, why
> doesn't unbound deliver an unsigned / unsecured record from a
> forward-zone on an ordinary request?
> 
> It does work like that if I use local-data instead of forward-zone:
>
> local-data: 'www.mydom.de IN A 9.9.90.9'
> 
> # dig +nocomments +nostats +nocmd www.mydom.de @localhost +dnssec
> ;www.mydom.de. IN A
> www.mydom.de. 3600 IN A 9.9.90.9
> 
> (same for nslookup like above.)
> 
> So in general, unbound is able to deliver insecure records of
> secure zones using local-data, but not with forward-zones.

Yes, this is because the local-data is checked before resolution is
performed.  It does not perform validation because that code is not
started yet.  The forward and stub zones change the way resolution
works, and those also have dnssec validation.

You need domain-insecure: "mydom.de"  to make this work with forward
and stub zones.

> 
> I also tried to do something like domain-insecure: www.mydom.de ,
> but that was flagged as a syntax error in the configuration file.

Fix the syntax error, that seems to be your problem.

Best regards, Wouter


> 
> Is it possible to get insecure records from forward-zones
> delivered, just like with local-data?
> 
> 
> 
> Thanks for any insights in advance, jo
> 
> 
> 
> PS: Some maybe helpful unbound-host output:
> 
> 
> Using forward-zone:
> 
> # unbound-host -C /etc/unbound/unbound.conf www.mydom.de. -v
> www.mydom.de. has address 9.9.90.9 (BOGUS (security failure))
> validation failure <www.mydom.de. A IN>: covering NSEC3 was not opt-out in an opt-out DS NOERROR/NODATA case from 127.0.0.1 for DS www.mydom.de. while building chain of trust
> ...
> 
> With local-data entry:
> 
> # unbound-host -C /etc/unbound/unbound.conf www.mydom.de. -v
> www.dexia.de. has address 9.9.90.9 (insecure)
> www.dexia.de. has no IPv6 address (insecure)
> www.dexia.de. has no mail handler record (insecure)
> 

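
The check below is an added example, not part of the original message and not Unbound code: it scans unbound.conf text for forward-zone and stub-zone names that sit below a trust anchor with no domain-insecure entry at or above them, which is the situation in this thread. Assumptions: the caller supplies the trust anchor names, the config has one attribute per line, and a domain-insecure entry at or above the zone counts as covering it, as the reply advises.

```python
import re

# Constructed sample in the shape of the configuration quoted in the thread.
SAMPLE_CONF = """\
server:
    private-domain: mydom.de
    trust-anchor-file: /etc/unbound/mydom.de.anchor
stub-zone:
    name: mydom.de
    stub-addr: 127.0.0.1@58
forward-zone:
    name: 'www.mydom.de'
    forward-addr: 9.9.90.9
"""

def norm(name):
    """Lower-case a domain name and strip quotes and the trailing dot."""
    return name.strip().strip("'\"").rstrip(".").lower()

def is_at_or_below(name, apex):
    return name == apex or name.endswith("." + apex)

def parse(conf):
    """Return (forward/stub zones, domain-insecure names) from unbound.conf text."""
    zones, insecure, clause = [], [], None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        m = re.match(r"([a-z0-9-]+):\s*(.*)$", line)
        if not m:
            continue
        key, value = m.groups()
        if value == "":
            clause = key                         # clause header, e.g. "forward-zone:"
        elif key == "name" and clause in ("forward-zone", "stub-zone"):
            zones.append((clause, norm(value)))
        elif key == "domain-insecure":
            insecure.append(norm(value))
    return zones, insecure

def zones_subject_to_validation(conf, anchors):
    """Zones strictly below a trust anchor with no domain-insecure at or above them."""
    zones, insecure = parse(conf)
    anchors = [norm(a) for a in anchors]         # anchor names are caller-supplied
    return [(clause, name) for clause, name in zones
            if any(name != a and is_at_or_below(name, a) for a in anchors)
            and not any(is_at_or_below(name, d) for d in insecure)]

if __name__ == "__main__":
    print(zones_subject_to_validation(SAMPLE_CONF, ["mydom.de"]))
```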