Maintained by: NLnet Labs

DNSSEC validation fail for _25._tcp.eldinhadzic.com

A. Schulze
Fri Jul 15 10:13:17 CEST 2016


Hello,

With unbound-1.5.9, we hit $subject. The domain is signed using algorithm 14.
( http://dnsviz.net/d/_25._tcp.eldinhadzic.com/dnssec/ )

# posttls-finger eldinhadzic.com
posttls-finger: warning: DANE TLSA lookup problem: Host or domain name not found. Name service error for name=_25._tcp.eldinhadzic.com type=TLSA: Host not found, try again
posttls-finger: warning: DANE TLSA lookup problem: Host or domain name not found. Name service error for name=_25._tcp.eldinhadzic.com type=TLSA: Host not found, try again
posttls-finger: Failed to establish session to eldinhadzic.com via eldinhadzic.com: TLSA lookup error for eldinhadzic.com:25

unbound logs:
[1468570247] unbound[31749:0] notice: init module 0: validator
[1468570247] unbound[31749:0] notice: init module 1: iterator
[1468570247] unbound[31749:0] info: start of service (unbound 1.5.9).
[1468570251] unbound[31749:0] info: ::1 eldinhadzic.com. MX IN
[1468570251] unbound[31749:0] info: ::1 eldinhadzic.com. A IN
[1468570251] unbound[31749:0] info: ::1 eldinhadzic.com. AAAA IN
[1468570251] unbound[31749:0] info: ::1 _25._tcp.eldinhadzic.com. TLSA IN
[1468570252] unbound[31749:0] info: validation failure <_25._tcp.eldinhadzic.com. TLSA IN>: nameerror proof failed from 176.124.112.100
[1468570252] unbound[31749:0] info: ::1 _25._tcp.eldinhadzic.com. TLSA IN
[1468570252] unbound[31749:0] info: validation failure <_25._tcp.eldinhadzic.com. TLSA IN>: nameerror proof failed from 176.124.112.100
[1468570252] unbound[31749:0] info: ::1 _25._tcp.eldinhadzic.com. TLSA IN
[1468570252] unbound[31749:0] info: validation failure <_25._tcp.eldinhadzic.com. TLSA IN>: nameerror proof failed from 176.124.113.200
[1468570252] unbound[31749:0] info: ::1 _25._tcp.eldinhadzic.com. TLSA IN
[1468570252] unbound[31749:0] info: validation failure <_25._tcp.eldinhadzic.com. TLSA IN>: nameerror proof failed from 176.124.113.200
[1468570252] unbound[31749:0] info: ::1 _25._tcp.eldinhadzic.com. TLSA IN
[1468570252] unbound[31749:0] info: validation failure <_25._tcp.eldinhadzic.com. TLSA IN>: nameerror proof failed from 2a05:b0c1::200
[1468570252] unbound[31749:0] info: ::1 _25._tcp.eldinhadzic.com. TLSA IN
[1468570253] unbound[31749:0] info: validation failure <_25._tcp.eldinhadzic.com. TLSA IN>: nameerror proof failed from 2a05:b0c0::100
[1468570253] unbound[31749:0] info: ::1 _25._tcp.eldinhadzic.com. TLSA IN
[1468570253] unbound[31749:0] info: validation failure <_25._tcp.eldinhadzic.com. TLSA IN>: nameerror proof failed from 176.124.112.100
[1468570253] unbound[31749:0] info: ::1 _25._tcp.eldinhadzic.com. TLSA IN
[1468570253] unbound[31749:0] info: validation failure <_25._tcp.eldinhadzic.com. TLSA IN>: nameerror proof failed from 2a05:b0c1::200

DNSViz says it's valid: http://dnsviz.net/d/_25._tcp.eldinhadzic.com/dnssec/
How can I check whether my unbound can validate such data at all?


# unbound -h
...
Version 1.5.9
linked libs: libevent 2.0.21-stable (it uses epoll), OpenSSL 1.0.1t  3 May 2016
linked modules: dns64 validator iterator
...

I also have ldns-keygen, which at least 'knows' about that algorithm:

# ldns-keygen -a list
Possible algorithms:
RSAMD5
RSASHA1
RSASHA1-NSEC3-SHA1
RSASHA256
RSASHA512
ECDSAP256SHA256
ECDSAP384SHA384
DSA
DSA-NSEC3-SHA1
hmac-md5.sig-alg.reg.int
hmac-sha1
hmac-sha256

Andreas
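A small triage script for logs like the ones quoted in the report, added here as an example and not part of Andreas's message. It joins the mail client's soft-wrapped lines back into single unbound records, pulls out each validation failure (query name, type, reason, upstream server) and counts failures per server; the sample below is constructed from the lines in the report, so the proof failing identically from every authoritative address is what shows up, which helps tell one misbehaving server from a resolver-side problem.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: a few records from the report above, kept with the
# mail client's soft line wraps so the unwrapping step is exercised.
SAMPLE_LOG = """\
[1468570251] unbound[31749:0] info: ::1 _25._tcp.eldinhadzic.com. TLSA IN
[1468570252] unbound[31749:0] info: validation failure
<_25._tcp.eldinhadzic.com. TLSA IN>: nameerror proof failed from
176.124.112.100
[1468570252] unbound[31749:0] info: validation failure
<_25._tcp.eldinhadzic.com. TLSA IN>: nameerror proof failed from
2a05:b0c1::200
"""

RECORD_START = re.compile(r"^\[\d+\] unbound\[")
FAILURE = re.compile(
    r"validation failure <(?P<qname>\S+) (?P<qtype>\S+) (?P<qclass>\S+)>: "
    r"(?P<reason>.+?) from (?P<server>[0-9a-fA-F.:]+)$"
)


def unwrap(text):
    """Join soft-wrapped lines: a physical line that does not start with the
    '[epoch] unbound[' prefix is a continuation of the previous record."""
    records = []
    for line in text.splitlines():
        line = line.rstrip()
        if RECORD_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line.lstrip()
    return records


def failures(text):
    """Return one dict per validation-failure record (qname, qtype, ...)."""
    return [m.groupdict() for rec in unwrap(text) if (m := FAILURE.search(rec))]


def summarize(text):
    """Failures per upstream server, and the set of reasons seen per query."""
    by_server = Counter()
    reasons = defaultdict(set)
    for f in failures(text):
        by_server[f["server"]] += 1
        reasons[(f["qname"], f["qtype"])].add(f["reason"])
    return by_server, dict(reasons)


if __name__ == "__main__":
    servers, reasons = summarize(SAMPLE_LOG)
    for (qname, qtype), why in reasons.items():
        print(f"{qname} {qtype}: {', '.join(sorted(why))}")
    for server, n in servers.most_common():
        print(f"  {n} failure(s) from {server}")
```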