Maintained by: NLnet Labs

[Unbound-users] Issue Resolving "packagist.org"

Casey Deccio
Tue Jan 6 22:47:20 CET 2015


On Tue, Jan 6, 2015 at 4:10 PM, Paul Niemi <paul.niemi at tbaytel.com> wrote:

> Hello,
>
> We are an ISP, and experiencing an issue looking up "packagist.org", with
> unbound version 1.4.17 on Debian Linux.  When we have DNSSEC enabled (our
> normal configuration), and make a query for "packagist.org", we get a
> reply that it does not exist (NXDOMAIN).  If we disable the DNSSEC, by
> commenting the "auto-trust-anchor-file" line in the config, then the query
> is successful.  We tried turning up the logging verbosity, but we are not
> sure what all is going on in the log.  Does anyone have any insight into
> what is going on here, or what I should be looking for in the log?  We have
> tried against some other open DNS servers (Google, OpenDNS) and the query
> is successful there, as well.  It just seems to be our unbound DNS server
> with DNSSEC enabled, that fails.
>

Hi Paul,

FWIW, I am unable to reproduce the NXDOMAIN on my own instance of unbound
of the same version and platform:

$ dig +dnssec +noall +answer @localhost packagist.org
packagist.org.        42979    IN    A    87.98.253.214
packagist.org.        42979    IN    RRSIG    A 7 2 43200 20150127124709
20141228124709 36677 packagist.org.
DsdSPygfMm2q0m6bq2Sk/atUQ4qhjh0A/HcjRBU1N5c7pMpTGA23cC7m
pqZXqnCvaZoklh/sP54ImZHM62S5vLLF4hpceXMxIvPhzNQOqQIbveA6
DiiANUA7vVgpxuliAG95OCwKMxqf5u182R5KV6+Q1Wuufo5JKzKfbgJS 8eI=


That being said, the domain has (at least) some issues with consistency
across anycast instances.  ns200 shows two different serials from two
different locations:

client1$ dig +dnssec +noall +answer @ns200.anycast.me packagist.org soa |
awk '$4 ~ /SOA/ { print $7 }'
2014122801
client2$ dig +dnssec +noall +answer @ns200.anycast.me packagist.org soa |
awk '$4 ~ /SOA/ { print $7 }'
2014122800

Likewise, ns200 returns RRSIGs from one location, and not from the other.

client1$ dig +dnssec @ns200.anycast.me packagist.org mx | grep RRSIG | wc -l
1
client2$ dig +dnssec @ns200.anycast.me packagist.org mx | grep RRSIG | wc -l
0

DNSViz sees this too:
http://dnsviz.net/d/packagist.org/VKxTjA/dnssec/

Regards,
Casey
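
The two checks in the message above (SOA serial and RRSIG presence per vantage point), automated over saved `dig +dnssec +noall +answer` output. This is an added example, not part of the original message; the capture text is constructed (only the two serials come from the post) and the function names are hypothetical.

```python
# Added example: constructed dig answer-section captures, not real query output.
# Only the two SOA serials come from the post; every other field is made up.
CAPTURES = {
    "client1": (
        "packagist.org. 43200 IN SOA ns.example. hostmaster.example. 2014122801 86400 3600 3600000 300\n"
        "packagist.org. 43200 IN RRSIG SOA 7 2 43200 20150127124709 20141228124709 36677 packagist.org. PLACEHOLDER=\n"
    ),
    "client2": (
        "packagist.org. 43200 IN SOA ns.example. hostmaster.example. 2014122800 86400 3600 3600000 300\n"
    ),
}


def summarize(answer_text):
    """Return (SOA serials, record types present, types covered by an RRSIG)."""
    serials, present, signed = set(), set(), set()
    for line in answer_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0].startswith(";"):
            continue  # skip blank lines and dig comment lines
        rtype = fields[3].upper()
        if rtype == "RRSIG":
            signed.add(fields[4].upper())  # first RDATA field is the type covered
        else:
            present.add(rtype)
            if rtype == "SOA" and len(fields) >= 7:
                serials.add(int(fields[6]))  # same field as awk's $7
    return serials, present, signed


def compare(captures):
    """List inconsistencies between vantage points querying the same server name."""
    info = {vp: summarize(text) for vp, text in captures.items()}
    findings = []
    serials = {vp: sorted(s) for vp, (s, _, _) in info.items()}
    if len({n for s in serials.values() for n in s}) > 1:
        findings.append(("serial-mismatch", serials))
    # A type signed at one vantage point but unsigned at another is the
    # inconsistency that can make a validating resolver fail intermittently.
    signed_anywhere = set().union(*(sig for _, _, sig in info.values()))
    for vp, (_, present, signed) in sorted(info.items()):
        missing = sorted((present - signed) & signed_anywhere)
        if missing:
            findings.append(("rrsig-missing", vp, missing))
    return findings


if __name__ == "__main__":
    for finding in compare(CAPTURES):
        print(finding)
```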