Maintained by: NLnet Labs

[Unbound-users] bogus resolution with forwarding and DLV

Jan Včelák
Tue Feb 3 16:27:43 CET 2015


Hello list,

I'm running Fedora 21 with dnssec-trigger and unbound 1.5.1. Unbound is
configured by dnssec-trigger to forward all queries to a local-network
validating resolver provided by DHCP.

With this configuration, unbound incorrectly recognizes the fedorapeople.org 
domain as bogus. The domain uses DLV, which I guess might cause the problem.

% kdig @::1 jvcelak.fedorapeople.org        
;; ->>HEADER<<- opcode: QUERY; status: SERVFAIL; id: 54325
;; Flags: qr rd ra; QUERY: 1; ANSWER: 0; AUTHORITY: 0; ADDITIONAL: 0

;; QUESTION SECTION:
;; jvcelak.fedorapeople.org.		IN	A

;; Received 42 B
;; Time 2015-02-03 16:12:33 CET
;; From ::1 at 53(UDP) in 0.1 ms
; Warning: failed to query server ::1 at 53(UDP)

% sudo unbound-control list_forwards
. IN forward x.x.x.x

With +cd, the resolution works. And resolution via the upstream resolver 
x.x.x.x works as well. The upstream resolver runs BIND 9.9.6-P1.

When I disable the forwarding, the resolution starts to work again:

% sudo unbound-control forward_remove .  
ok

% kdig @::1 +short jvcelak.fedorapeople.org 
152.19.134.191


Is this a bug in Unbound or is my configuration incorrect?

Best regards!

Jan
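The diagnosis Jan performs by hand above (plain query returns SERVFAIL, the same query with +cd succeeds, so the data is reachable but the local validator marks it bogus) can be scripted so it is repeatable against any resolver. The following is an added example written for this archive page, not code from the poster, NLnet Labs or dnssec-trigger. It uses only the Python standard library: it builds a DNS query with RD and optionally CD set and an EDNS0 OPT record with DO, parses the 12-byte response header, and classifies the pair of rcodes. The function names (`build_query`, `parse_header`, `classify`, `udp_query`, `diagnose`) and the default server `::1` and name `jvcelak.fedorapeople.org` are taken from the post or chosen here; the header bytes used in the check are constructed to match the kdig output shown above.

```python
"""Distinguish a DNSSEC validation failure from a plain resolution failure
by querying a resolver once normally and once with the CD (checking disabled) bit."""
import random
import socket
import struct

RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

FLAG_QR = 0x8000  # response
FLAG_RD = 0x0100  # recursion desired
FLAG_RA = 0x0080  # recursion available
FLAG_AD = 0x0020  # authenticated data (validator says: secure)
FLAG_CD = 0x0010  # checking disabled (validator must not reject bogus data)


def encode_name(qname):
    """Encode a domain name in uncompressed DNS wire format."""
    labels = [l for l in qname.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(qname, qtype=1, cd=False, qid=None):
    """Build a query: RD set, optional CD, plus an EDNS0 OPT record with DO set
    so the resolver returns DNSSEC data (what kdig sends by default)."""
    qid = random.randrange(65536) if qid is None else qid
    flags = FLAG_RD | (FLAG_CD if cd else 0)
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 1)  # 1 question, 1 additional (OPT)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)  # class IN
    # OPT pseudo-RR: root name, type 41, UDP payload 4096, ext-rcode 0, version 0, DO bit, no data
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 4096, 0, 0, 0x8000, 0)
    return header + question + opt


def parse_header(msg):
    """Decode the 12-byte DNS header into the fields that matter for this diagnosis."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F
    return {
        "id": qid,
        "rcode": rcode,
        "rcode_name": RCODE_NAMES.get(rcode, str(rcode)),
        "qr": bool(flags & FLAG_QR),
        "rd": bool(flags & FLAG_RD),
        "ra": bool(flags & FLAG_RA),
        "ad": bool(flags & FLAG_AD),
        "cd": bool(flags & FLAG_CD),
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def classify(rcode_plain, rcode_cd):
    """Interpret the pair (rcode of the normal query, rcode of the CD query)."""
    if rcode_plain == 2 and rcode_cd == 0:
        return "validation-failure"  # data reachable, but the validator marked it bogus
    if rcode_plain == 2:
        return "resolution-failure"  # fails even with CD: upstream/forwarding trouble, not DNSSEC
    if rcode_plain == 0:
        return "ok"
    return "other"


def udp_query(server, qname, cd=False, port=53, timeout=2.0):
    """Send one UDP query and return the parsed response header (does network I/O)."""
    family, _, _, _, addr = socket.getaddrinfo(server, port, type=socket.SOCK_DGRAM)[0]
    qid = random.randrange(65536)
    with socket.socket(family, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(qname, cd=cd, qid=qid), addr)
        data, _ = s.recvfrom(4096)
    hdr = parse_header(data)
    if hdr["id"] != qid or not hdr["qr"]:
        raise ValueError("response does not match query")
    return hdr


def diagnose(server, qname):
    """Query once normally and once with CD; return the verdict and both headers."""
    plain = udp_query(server, qname, cd=False)
    checking_disabled = udp_query(server, qname, cd=True)
    return classify(plain["rcode"], checking_disabled["rcode"]), plain, checking_disabled


if __name__ == "__main__":
    import sys
    server = sys.argv[1] if len(sys.argv) > 1 else "::1"
    name = sys.argv[2] if len(sys.argv) > 2 else "jvcelak.fedorapeople.org"
    verdict, p, c = diagnose(server, name)
    print(f"{name} via {server}: plain={p['rcode_name']} ad={p['ad']} "
          f"cd={c['rcode_name']} -> {verdict}")
```

Run it once against the forwarding Unbound (`::1`) and once against the upstream resolver: a `validation-failure` verdict on the local instance combined with `ok` (and AD set) upstream points at the local validator's trust configuration, which is where a DLV-anchored zone behind a forwarder would show up, rather than at the zone itself.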