Maintained by: NLnet Labs

[Unbound-users] bogus resolution with forwarding and DLV

Jan Včelák
Wed Feb 4 01:51:07 CET 2015


Hello again.

I made some additional research...

> % kdig @::1 jvcelak.fedorapeople.org
> ;; ->>HEADER<<- opcode: QUERY; status: SERVFAIL; id: 54325
> % sudo unbound-control list_forwards
> . IN forward x.x.x.x

With val-log-level 2, I found the following:

info: validation failure <jvcelak.fedorapeople.org. A IN>: no signatures
for <fedorapeople.org. NS IN> from x.x.x.x

I fired up a second Unbound, configured it to perform the resolution
from root, set it up in place of the x.x.x.x, flushed the cache, and the
validation started to work.

After inspecting responses from BIND and Unbound, I believe this is
caused by BIND adding NS RRs without a RRSIG into the authority
section of the answer.

Unbound:

% kdig +dnssec @127.0.0.2 jvcelak.fedorapeople.org A
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 802
;; Flags: qr rd ra ad; QUERY: 1; ANSWER: 2; AUTHORITY: 2; ADDITIONAL: 1

;; EDNS PSEUDOSECTION:
;; Version: 0; flags: do; UDP size: 4096 B; ext-rcode: Unused

;; QUESTION SECTION:
;; jvcelak.fedorapeople.org.		IN	A

;; ANSWER SECTION:
jvcelak.fedorapeople.org.	3585	IN	A	152.19.134.191
jvcelak.fedorapeople.org.	3585	IN	RRSIG	A 5 2 3600 ...

;; AUTHORITY SECTION:
*.fedorapeople.org. 	86385	IN	NSEC	fedorapeople.org. ...
*.fedorapeople.org. 	86385	IN	RRSIG	NSEC 5 2 86400 ...

;; Received 461 B
;; Time 2015-02-04 01:12:51 CET
;; From 127.0.0.2 at 53(UDP) in 0.1 ms

BIND:

% kdig +dnssec @x.x.x.x jvcelak.fedorapeople.org A
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 59967
;; Flags: qr rd ra; QUERY: 1; ANSWER: 2; AUTHORITY: 6; ADDITIONAL: 7

;; EDNS PSEUDOSECTION:
;; Version: 0; flags: do; UDP size: 4096 B; ext-rcode: Unused

;; QUESTION SECTION:
;; jvcelak.fedorapeople.org.		IN	A

;; ANSWER SECTION:
jvcelak.fedorapeople.org.	3600	IN	A	152.19.134.191
jvcelak.fedorapeople.org.	3600	IN	RRSIG	A 5 2 3600 ...

;; AUTHORITY SECTION:
*.fedorapeople.org. 	3600	IN	NSEC	fedorapeople.org. ...
*.fedorapeople.org. 	3600	IN	RRSIG	NSEC 5 2 86400 ...
fedorapeople.org.   	33297	IN	NS	ns02.fedoraproject.org.
...

;; ADDITIONAL SECTION:
ns02.fedoraproject.org.	48697	IN	A	152.19.134.139
ns02.fedoraproject.org.	48697	IN	AAAA	...
...

;; Received 674 B
;; Time 2015-02-04 01:11:12 CET
;; From x.x.x.x at 53(UDP) in 93.0 ms

I don't know why BIND is adding the NS into the answer. But I think this
is really a problem of BIND, as per
http://tools.ietf.org/html/rfc4035#section-3.1.1:

>    o  When placing a signed RRset in the Authority section, the name
>       server MUST also place its RRSIG RRs in the Authority section.
>       The RRSIG RRs have a higher priority for inclusion than any other
>       RRsets that may have to be included.  If space does not permit
>       inclusion of these RRSIG RRs, the name server MUST set the TC bit.

Please, can somebody confirm that my assumptions are right?

Thanks and regards,

Jan
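A small diagnostic, added here as an example (it is not part of the thread, nor code from Unbound or BIND), that applies the RFC 4035 section 3.1.1 rule to dig/kdig +dnssec output: it parses the sections and lists RRsets in the AUTHORITY section that have no covering RRSIG, which is exactly what the validator log above complains about. The sample response is constructed from the BIND answer in the post with rdata shortened; NS RRsets in a referral from a parent zone are legitimately unsigned, so the check is meant for recursive answers like the ones shown.

```python
import re

SECTION_RE = re.compile(r"^;; (\w+) SECTION:")

def parse_sections(text):
    """Map section name -> list of (owner, type, rdata) from dig/kdig output."""
    sections = {}
    current = None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            continue
        # skip comment lines (";;"), blanks and truncation markers ("...")
        if current is None or line.startswith(";") or not line.strip():
            continue
        fields = line.split(None, 4)  # owner ttl class type [rdata]
        if len(fields) < 4:
            continue
        owner, _ttl, _cls, rtype = fields[:4]
        rdata = fields[4] if len(fields) > 4 else ""
        sections.setdefault(current, []).append((owner, rtype, rdata))
    return sections

def unsigned_rrsets(records):
    """Return sorted (owner, type) pairs that have no RRSIG covering them."""
    present, covered = set(), set()
    for owner, rtype, rdata in records:
        if rtype == "RRSIG":
            covered.add((owner, rdata.split()[0]))  # RRSIG rdata starts with covered type
        else:
            present.add((owner, rtype))
    return sorted(present - covered)

def check_authority(text):
    return unsigned_rrsets(parse_sections(text).get("AUTHORITY", []))

# Constructed sample modelled on the BIND response in the post (rdata shortened).
BIND_ANSWER = """\
;; ANSWER SECTION:
jvcelak.fedorapeople.org.\t3600\tIN\tA\t152.19.134.191
jvcelak.fedorapeople.org.\t3600\tIN\tRRSIG\tA 5 2 3600 ...
;; AUTHORITY SECTION:
*.fedorapeople.org.\t3600\tIN\tNSEC\tfedorapeople.org. ...
*.fedorapeople.org.\t3600\tIN\tRRSIG\tNSEC 5 2 86400 ...
fedorapeople.org.\t33297\tIN\tNS\tns02.fedoraproject.org.
"""

if __name__ == "__main__":
    print(check_authority(BIND_ANSWER))  # [('fedorapeople.org.', 'NS')]
```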