Maintained by: NLnet Labs

message is bogus, non secure rrset with Unbound as local caching resolver

Olav Morken
Thu Mar 3 08:58:02 CET 2016


On Wed, Mar 02, 2016 at 16:58:38 +0000, Tony Finch wrote:
> Olav Morken via Unbound-users <unbound-users at unbound.net> wrote:
> >
> >   info: validate(cname): sec_status_secure
> >   info: validate(positive): sec_status_secure
> >   info: message is bogus, non secure rrset uninett.no. NS IN
> >
> > As far as I can tell, the problem here is caused by extra NS-records in
> > the authority-section that do not include the RRSIG element for the
> > NS-records, but I can't really say that for certain.
> 
> This sounds a lot like a problem we discussed last year. See
> https://unbound.net/pipermail/unbound-users/2015-February/003757.html

It looks similar, in that it is caused by extra records, but as far as I
know there shouldn't be any DLV involved here. The uninett.no zone is
properly delegated from the parent zone.

I also tested with the most recent version from subversion trunk, which 
includes the fix mentioned in that thread, but got the same result.

> Does Unbound use CD=1 when forwarding? If so, it should expect to receive
> partially bogus answers and should handle them gracefully.

I checked, and it does set the CD flag. The full dig command line to
simulate the queries that Unbound sends appears to be:

  dig -4 +qr +noadflag +recurse +cdflag +bufsize=4096 +dnssec pingapi.paas.uninett.no @dns-resolver1.uninett.no

I.e. the packets have the RD, CD and DO flags set.

I grabbed the output from dig yesterday evening. If anyone is curious, I 
uploaded it here:

  https://gist.github.com/olavmrk/c62f099736dbc5ef514a

Best regards,
Olav Morken
UNINETT
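To show what the condition in the log line above ("non secure rrset uninett.no. NS IN") looks like on the wire, here is an added Python example; it is not from this thread and not Unbound's code. It parses a DNS response (compression pointers included) and lists the authority-section RRsets that no RRSIG covers. The two messages are constructed inside the block; the name-server host "ns-placeholder.example." and the RRSIG contents are placeholders, not real uninett.no data.

```python
import struct
TYPE_NS, TYPE_RRSIG, TYPE_NAMES = 2, 46, {2: "NS", 46: "RRSIG"}

def encode_name(name):
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def decode_name(msg, off):
    labels, end = [], None                              # end: offset just past a name that used a pointer
    while (length := msg[off]) != 0:
        if length & 0xC0 == 0xC0:                       # compression pointer: jump, remember where we were
            end = off + 2 if end is None else end
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
        else:
            labels.append(msg[off + 1:off + 1 + length].decode())
            off += 1 + length
    return ".".join(labels) + ".", (off + 1 if end is None else end)

def rr(owner, rtype, rdata, ttl=3600):
    return encode_name(owner) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata

def rrsig_rr(owner, covered, signer):
    # Constructed dummy RRSIG (alg 8, zero signature): only the "type covered" field matters for this check.
    return rr(owner, TYPE_RRSIG, struct.pack("!HBBIIIH", covered, 8, 2, 3600, 0, 0, 12345) + encode_name(signer) + b"\x00" * 8)

def build_response(qname, authority):
    """Constructed reply with QR, RD, RA and CD set: one question, no answers, the given authority RRs."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8190, 1, 0, len(authority), 0)
    return header + encode_name(qname) + struct.pack("!HH", 1, 1) + b"".join(authority)

def unsigned_authority_rrsets(msg):
    """Authority-section RRsets with no RRSIG covering them: the 'non secure rrset' the Unbound log line reports."""
    qd, an, ns, _ = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = decode_name(msg, off)[1] + 4              # skip QNAME, QTYPE, QCLASS
    rrsets, covered = set(), set()
    for i in range(an + ns):                            # answer RRs are parsed only to step over them
        owner, off = decode_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if i >= an and rtype == TYPE_RRSIG:
            covered.add((owner.lower(), struct.unpack("!H", rdata[:2])[0]))
        elif i >= an:
            rrsets.add((owner.lower(), rtype))
    return sorted(f"{o} {TYPE_NAMES.get(t, t)}" for o, t in rrsets - covered)

# Constructed samples; "ns-placeholder.example." stands in for the real uninett.no name servers.
NS_RR = rr("uninett.no.", TYPE_NS, encode_name("ns-placeholder.example."))
SIGNED = build_response("pingapi.paas.uninett.no.", [NS_RR, rrsig_rr("uninett.no.", TYPE_NS, "uninett.no.")])
UNSIGNED = build_response("pingapi.paas.uninett.no.", [NS_RR])
```

Feeding the raw bytes of a captured reply (for instance one saved from the dig run above) to `unsigned_authority_rrsets` shows directly which RRset the validator had nothing to verify.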