Maintained by: NLnet Labs

Unable to resolve 1 domain

W.C.A. Wijngaards
Thu Apr 6 12:32:19 CEST 2017


Hi Franky,

The domain is DNSSEC bogus.  Unbound says:
validation failure <lkpp.go.id. A IN>: no keys have a DS with algorithm
RSASHA1-NSEC3-SHA1 from 103.13.181.24 for key lkpp.go.id. while building
chain of trust

And dnsviz output also shows it is bogus, here is a link
http://dnsviz.net/d/lkpp.go.id/dnssec/

If you want to make unbound ignore this failure, add to unbound.conf:
domain-insecure: "lkpp.go.id"

Best regards, Wouter

On 06/04/17 12:16, battossai via Unbound-users wrote:
> Hi,
> 
> My Unbound server is unable to resolve this domain: lkpp.go.id
> In fact I have forwarded it to another DNS server and its domain server.
> 
> But again, it is no issue on named.
> Any idea what I have to check?
> 
> Here is some information:
> 
> [root@ns1smg ~]# dig @103.55.160.20 lkpp.go.id
> 
> ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6_8.4 <<>> @103.55.160.20 lkpp.go.id
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22042
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
> 
> ;; QUESTION SECTION:
> ;lkpp.go.id.                    IN      A
> 
> ;; ANSWER SECTION:
> lkpp.go.id.             604800  IN      A       103.206.244.234
> 
> ;; AUTHORITY SECTION:
> lkpp.go.id.             604800  IN      NS      ns2.lkpp.go.id.
> lkpp.go.id.             604800  IN      NS      ns1.lkpp.go.id.
> 
> ;; ADDITIONAL SECTION:
> ns1.lkpp.go.id.         604800  IN      A       103.13.181.24
> ns2.lkpp.go.id.         604800  IN      A       103.55.160.20
> 
> ;; Query time: 9 msec
> ;; SERVER: 103.55.160.20#53(103.55.160.20)
> ;; WHEN: Thu Apr  6 17:14:58 2017
> ;; MSG SIZE  rcvd: 112
> 
> 
> 
> On my unbound server:
> 
> [root@ns1smg ~]# dig @111.68.27.3 lkpp.go.id
> 
> ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6_8.4 <<>> @111.68.27.3 lkpp.go.id
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 41327
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
> 
> ;; QUESTION SECTION:
> ;lkpp.go.id.                    IN      A
> 
> ;; Query time: 9 msec
> ;; SERVER: 111.68.27.3#53(111.68.27.3)
> ;; WHEN: Thu Apr  6 17:14:34 2017
> ;; MSG SIZE  rcvd: 28
> 
> 
> 
> Regards,
> Franky Yu
> 
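
The kind of check behind the "no keys have a DS with algorithm ..." failure quoted in the reply above, as an added Python example (not code from Unbound or from either poster). The zone name, key bytes and function names are constructed for illustration; it covers only the DS-to-DNSKEY match (key tag, algorithm, digest), not RRSIG verification.

```python
import hashlib
import struct

ALG_NAMES = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256"}
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}  # DS digest types 1 and 2

def wire_name(name):
    """Canonical (lowercase) wire format of a domain name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, alg, pubkey):
    """DNSKEY RDATA: flags, protocol (always 3), algorithm, public key."""
    return struct.pack("!HBB", flags, 3, alg) + pubkey

def key_tag(rdata):
    """Key tag as defined in RFC 4034 Appendix B."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def make_ds(owner, rdata, digest_type=2):
    """DS tuple (key tag, algorithm, digest type, digest) for a DNSKEY."""
    digest = DIGESTS[digest_type](wire_name(owner) + rdata).digest()
    return (key_tag(rdata), rdata[3], digest_type, digest)

def unmatched_ds_algorithms(owner, ds_set, dnskeys):
    """Algorithms signalled by the DS set for which no served DNSKEY
    matches a DS on key tag, algorithm and digest."""
    missing = []
    for alg in sorted({ds[1] for ds in ds_set}):
        ok = any(
            ds[1] == alg and ds[2] in DIGESTS and make_ds(owner, key, ds[2]) == ds
            for ds in ds_set for key in dnskeys
        )
        if not ok:
            missing.append(alg)
    return missing

# Constructed sample data: the key bytes are arbitrary, not real keys.
ZONE = "example.test."
OLD_KSK = dnskey_rdata(257, 7, bytes(range(64)))       # algorithm 7
NEW_KSK = dnskey_rdata(257, 8, bytes(range(64, 128)))  # algorithm 8
PARENT_DS = [make_ds(ZONE, OLD_KSK)]                   # parent lists only the old key

def report(ds_set, dnskeys):
    return [ALG_NAMES.get(a, str(a)) for a in unmatched_ds_algorithms(ZONE, ds_set, dnskeys)]

if __name__ == "__main__":
    print("child serves only new key:", report(PARENT_DS, [NEW_KSK]))
    print("child serves both keys:   ", report(PARENT_DS, [OLD_KSK, NEW_KSK]))
```

A non-empty result means a validating resolver has no secure entry point for that algorithm and treats the zone as bogus, which clients see as SERVFAIL.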

