Maintained by: NLnet Labs

Unbound and DNSSEC - different answers from 1.4.22 and 1.5.6

Casey Deccio
Wed Nov 25 17:08:39 CET 2015


On Wed, Nov 25, 2015 at 10:19 AM, Aleš Rygl <unbound-users at unbound.net>
wrote:

> I am running Unbound 1.4.22 on Debian 7.9 for production and  have also
> installed  Unbound 1.5.6-1 on Debian 8.2. Both are validating with nearly
> identical config.
>

In the 1.5.5 release, the following default behavior changed:

- Change default of harden-algo-downgrade to off. This is lenient for
  algorithm rollover.

(https://www.unbound.net/pipermail/unbound-users/2015-October/004055.html)

>From the unbound.conf man page:

harden-algo-downgrade - Harden  against algorithm downgrade when multiple
algorithms are advertised in the DS record.  If no, allows  the  weakest
 algorithm  to validate the zone.  Default is no.  Zone signers must
produce zones that allow this feature  to  work,  but  sometimes they  do
not, and turning this option off avoids that validation failure.

(https://www.unbound.net/documentation/unbound.conf.html)

> According to the dnsviz.net  the domain seems to be DNSSEC broken.
>

Well, "broken" might be strong, but it has errors on the signer side
because the RRsets are signed by only one of the algorithms that appear in
the DS RRset:

http://dnsviz.net/d/mikulasske.cz/VlXMmQ/dnssec/

There is a validation path using one of the algorithms, but because it is
not signed with both, unbound will only validate it if
harden-algo-downgrade is off.  Again, the default behavior changed between
versions, which explains why validation works for one and not for the other.

Cheers,
Casey
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://unbound.nlnetlabs.nl/pipermail/unbound-users/attachments/20151125/39c968fe/attachment.html>