Maintained by: NLnet Labs

[Unbound-users] bogus resolution with forwarding and DLV

Paul Wouters
Wed Feb 4 04:27:34 CET 2015


On Wed, 4 Feb 2015, Jan Včelák wrote:

> info: validation failure <jvcelak.fedorapeople.org. A IN>: no signatures
> for <fedorapeople.org. NS IN> from x.x.x.x

> After inspecting responses from BIND and Unbound, I believe this is
> caused by BIND adding NS RRs without an RRSIG into the authority
> section of the answer.

> BIND:
>
> % kdig +dnssec @x.x.x.x jvcelak.fedorapeople.org A
> ;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 59967
> ;; Flags: qr rd ra; QUERY: 1; ANSWER: 2; AUTHORITY: 6; ADDITIONAL: 7
>
> ;; EDNS PSEUDOSECTION:
> ;; Version: 0; flags: do; UDP size: 4096 B; ext-rcode: Unused
>
> ;; QUESTION SECTION:
> ;; jvcelak.fedorapeople.org.		IN	A
>
> ;; ANSWER SECTION:
> jvcelak.fedorapeople.org.	3600	IN	A	152.19.134.191
> jvcelak.fedorapeople.org.	3600	IN	RRSIG	A 5 2 3600 ...
>
> ;; AUTHORITY SECTION:
> *.fedorapeople.org. 	3600	IN	NSEC	fedorapeople.org. ...
> *.fedorapeople.org. 	3600	IN	RRSIG	NSEC 5 2 86400 ...
> fedorapeople.org.   	33297	IN	NS	ns02.fedoraproject.org.
> ...
>
> ;; ADDITIONAL SECTION:
> ns02.fedoraproject.org.	48697	IN	A	152.19.134.139
> ns02.fedoraproject.org.	48697	IN	AAAA	...
> ...

I would expect Unbound to just clean/ignore any additional data that comes
without an RRSIG. If not, that would be a bug.

Note that my old bind97 I have running on an old nameserver also returns
data without the AD bit set. But I think 9.7 is known to have some
issues with wildcards and CNAMEs.

Paul
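As an added example (not Unbound's or BIND's code), the cleaning behaviour Paul expects, modelled on the kdig output quoted above: RRsets in the AUTHORITY and ADDITIONAL sections that lack a covering RRSIG are dropped rather than failing the whole answer, while the ANSWER section is left for the validator to judge; Unbound exposes this for the additional section through its `val-clean-additional` option. The record tuples and the abbreviated RRSIG rdata are constructed for the example, not parsed from a real packet.

```python
# Added example, not Unbound's or BIND's code. Records are constructed tuples
# (owner, ttl, type, rdata); RRSIG rdata begins with the covered type, as in kdig.
from collections import defaultdict

def _rrsets(records):
    """Group records by (owner, type); RRSIGs are keyed by the type they cover,
    so sigs[(owner, "NS")] lists the signatures over the NS RRset."""
    data, sigs = defaultdict(list), defaultdict(list)
    for rec in records:
        name, _ttl, rtype, rdata = rec
        covered = rdata.split()[0] if rtype == "RRSIG" else rtype
        (sigs if rtype == "RRSIG" else data)[(name.lower(), covered)].append(rec)
    return data, sigs

def strip_unsigned(response):
    """Return (cleaned, dropped): AUTHORITY/ADDITIONAL RRsets with no covering
    RRSIG are removed and listed; ANSWER is kept, an unsigned answer is a real failure."""
    cleaned = {"ANSWER": list(response.get("ANSWER", []))}
    dropped = []
    for section in ("AUTHORITY", "ADDITIONAL"):
        data, sigs = _rrsets(response.get(section, []))
        kept = []
        for key, rrs in data.items():
            if key in sigs:
                kept.extend(rrs + sigs[key])   # signed: keep RRset and its RRSIG
            else:
                dropped.append(key)            # unsigned: ignore, do not go bogus
        cleaned[section] = kept
    return cleaned, dropped

def answer_is_signed(response):
    """True when every RRset in the ANSWER section has a covering RRSIG."""
    data, sigs = _rrsets(response.get("ANSWER", []))
    return bool(data) and all(key in sigs for key in data)

# Constructed sample mirroring the BIND response in the thread: the NS RRset in
# AUTHORITY and the glue in ADDITIONAL carry no RRSIG.
SAMPLE = {
    "ANSWER": [
        ("jvcelak.fedorapeople.org.", 3600, "A", "152.19.134.191"),
        ("jvcelak.fedorapeople.org.", 3600, "RRSIG", "A 5 2 3600 ..."),
    ],
    "AUTHORITY": [
        ("*.fedorapeople.org.", 3600, "NSEC", "fedorapeople.org. ..."),
        ("*.fedorapeople.org.", 3600, "RRSIG", "NSEC 5 2 86400 ..."),
        ("fedorapeople.org.", 33297, "NS", "ns02.fedoraproject.org."),
    ],
    "ADDITIONAL": [("ns02.fedoraproject.org.", 48697, "A", "152.19.134.139")],
}
```

Running `strip_unsigned(SAMPLE)` drops the unsigned NS RRset and the glue A record while keeping the signed NSEC and its RRSIG, and `answer_is_signed(SAMPLE)` still reports the answer as signed.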