Maintained by: NLnet Labs

[Unbound-users] bogus resolution with forwarding and DLV

Jan Včelák
Wed Feb 4 13:05:48 CET 2015


> It looks like the bug in BIND is due to a combination of an unsigned NS
> RRset that came from a referral, and validation turned off. I can't
> reproduce the bug with my validating resolvers with a normal query but it
> does occur if I set the CD bit.

I don't have access to the BIND server, so I don't know exactly how the server
is configured and which patches are applied. I know just what version.bind
TXT/CH reports.

The server performs validation, but DLV seems to be disabled. I get SERVFAIL
for incorrectly signed domains. But the AD flag is cleared for fedorapeople.org.

I have also noticed something else: If I explicitly ask BIND for the NS 
records with +dnssec, the server starts putting the missing NS RRSIG into the 
subsequent queries for jvcelak.fedorapeople.org.

So if the NS RRSIG is in BIND's cache, then validation via Unbound works.

> Are you going to send this in to bind9-bugs at isc.org or would you like me
> to do it?

I can provide only partial information about BIND. So if you managed to
reproduce the problem, I would appreciate it if you could send the report. Feel
free to CC me.

As for Unbound, I believe that evaluating the resolution as bogus is too 
strict.

Thanks for helping me to find the problem, everyone.

Best regards.

Jan
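An added check, not part of the thread, for the symptom Jan describes: parse the answer section of a `dig +dnssec` query sent to the forwarder and list every RRset that arrives without a covering RRSIG. The two answers below are constructed samples; example.org, the nameserver names, and the digest and signature fields are placeholders.

```python
"""Check that every RRset in a dig +dnssec answer section has a covering RRSIG.

A forwarder that serves an NS RRset from a cached, unsigned referral without
its RRSIG leaves a validating resolver behind it unable to prove the
delegation, which is the symptom discussed in the thread. Input lines follow
dig's presentation format: OWNER TTL CLASS TYPE RDATA...
"""

# Constructed sample: the NS RRset arrives without RRSIG(NS) (placeholder names).
ANSWER_WITHOUT_NS_RRSIG = """\
;; ANSWER SECTION:
example.org.  3600  IN  NS     ns1.example.net.
example.org.  3600  IN  NS     ns2.example.net.
example.org.  3600  IN  DS     12345 8 2 PLACEHOLDERDIGEST
example.org.  3600  IN  RRSIG  DS 8 2 3600 20150301000000 20150201000000 1111 org. PLACEHOLDERSIG
"""

# Constructed sample: the same answer once the forwarder has RRSIG(NS) cached.
ANSWER_WITH_NS_RRSIG = ANSWER_WITHOUT_NS_RRSIG + (
    "example.org.  3600  IN  RRSIG  NS 8 2 3600 20150301000000 20150201000000 "
    "2222 example.org. PLACEHOLDERSIG\n"
)


def missing_rrsigs(answer):
    """Return sorted (owner, type) pairs of RRsets that have no covering RRSIG."""
    rrsets = set()   # (owner, type) of every non-RRSIG RRset seen
    covered = set()  # (owner, type covered) for every RRSIG seen
    for line in answer.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):  # skip blanks and dig's comment lines
            continue
        fields = line.split()
        if len(fields) < 5:                   # not an OWNER TTL CLASS TYPE RDATA line
            continue
        owner, rtype = fields[0].lower(), fields[3].upper()
        if rtype == "RRSIG":
            covered.add((owner, fields[4].upper()))  # first RDATA field: type covered
        else:
            rrsets.add((owner, rtype))
    return sorted(rrsets - covered)


if __name__ == "__main__":
    for label, answer in (("without", ANSWER_WITHOUT_NS_RRSIG),
                          ("with", ANSWER_WITH_NS_RRSIG)):
        gaps = missing_rrsigs(answer)
        print(f"forwarder answer {label} RRSIG(NS): unsigned RRsets = {gaps or 'none'}")
```

Run it against the real answer section of `dig @forwarder example.org NS +dnssec +cd` to see whether the forwarder is handing out the NS RRset without its signature.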