message is bogus, non secure rrset with Unbound as local caching resolver

W.C.A. Wijngaards wouter at nlnetlabs.nl
Wed Mar 2 20:14:56 UTC 2016


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hi Havard,

On 02/03/16 20:20, Havard Eidnes via Unbound-users wrote:
>>> Unfortunately, the BIND server only tends to return responses
>>> where the authority-section has NS-records but no RRSIG-record 
>>> during the night.  I suspect it has something to do with 
>>> traffic levels and what other systems are accessing it. It 
>>> makes it all a bit hard to troubleshoot.  The main source of 
>>> information for troubleshooting has been a combination of 
>>> PCAP-files and log files.
>> 
>> Are you sure this is not the bind wildcard bug? Can you try to
>> resolve something like pwouters.fedorahosted.org. That's an
>> expanded wildcard.
> 
> A couple of responses to an 'a' query for this name follows 
> attached below.  In both cases you'll see the Authority section 
> contains the NS RRSET but not the RRSIG covering the NS RRSET, 
> something we're not quite sure is "right" (but have not yet found 
> the scripture on), and which Olav suspects is triggering Unbound to
> be unhappy about the response.

The "right" thing is to have RRSIGs for all elements of the answer and
authority sections.  This is mandated by RFC4034,4035.  All the RRsets
in the answer and authority section MUST validate to mark the response
as valid.

That contradicts explicitly your idea to keep valid parts surrounded
by invalid parts.

I think it is a bug in BIND that it transmits the NS set without its
RRSIGs in the authority section (in a reply that is not a referral).

However, I think it is not unreasonable to extend the compatibility
code in Unbound for this.  The error that Olav quotes is simply
Unbound enforcing that 'all RRsets MUST validate' rule, telling you
which one failed.  The NS set is gratuitous though, in the answer,
hence perhaps compatibility is an option.  Not so, for, say, NSEC or
SOA RRs.

Best regards, Wouter

> 
>> If so, this is the same bug as:
>> 
>> https://bugzilla.redhat.com/show_bug.cgi?id=824219
> 
> You mean the ISC RT#21409 which is mentioned in there, or something
> else?  The recursor Olav's machine is forwarding to 
> (oliven.uninett.no) is running BIND 9.9.8-P2, and according to its
> CHANGES file, that bug was squashed in the run-up to 9.9.3b2:
> 
> 3444.   [bug]           The NOQNAME proof was not being returned
> from cached insecure responses. [RT #21409]
> 
> Or is "the bind wildcard bug" something else?  If so please provide
> more information.
> 
> Best regards,
> 
> - Håvard
> 
> 
> 
> : {12} ; dig pwouters.fedorahosted.org. a +dnssec
> 
> ; <<>> DiG 9.10.2-P4 <<>> pwouters.fedorahosted.org. a +dnssec ;;
> global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY,
> status: NOERROR, id: 11578 ;; flags: qr rd ra; QUERY: 1, ANSWER: 4,
> AUTHORITY: 5, ADDITIONAL: 6
> 
> ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags: do; udp: 4096 ;;
> QUESTION SECTION: ;pwouters.fedorahosted.org.     IN      A
> 
> ;; ANSWER SECTION: pwouters.fedorahosted.org. 60   IN      CNAME
> hosted03.fedoraproject.org. pwouters.fedorahosted.org. 60   IN
> RRSIG   CNAME 5 2 60 20160331192054 20160301192054 39900
> fedorahosted.org.
> P91FaEGxGv2Yrsdo5eDfhkpJD2zqkkoVkJr6dz9XYl0Y2TBG2FQ1OArv
> wUwu/bbi63LDVXsJqmg+AarvQ/xkB6f0C9Ro5/cnQFgQ0zjhi1/n/R7I
> vdXXYMU3xslNTe5s7U2YfCquHtKti8q6bM/ltxgtD03QJz8OxAIbpiyj 4VQ= 
> hosted03.fedoraproject.org. 267 IN      A       140.211.169.199 
> hosted03.fedoraproject.org. 267 IN      RRSIG   A 5 3 300
> 20160331192053 20160301192053 7725 fedoraproject.org.
> n/lc4F2WKfEnq9kTqjWuBH1YbCjSiFPT1NQuDF9x30BHliC8D6M+EZKC
> Lcx2JVdzi+Gb/DREkp/facfVGsslfGjKfkhl4AL0kDD638I7qhnR8TJp
> D9e+B26xRwORMEDTALc/8KkfPNiBF1rztu2dvVSXR/LsIZd/y/3hyudO Fwk=
> 
> ;; AUTHORITY SECTION: mtn.fedorahosted.org.   60      IN      NSEC
> sssd.fedorahosted.org. A SSHFP RRSIG NSEC mtn.fedorahosted.org.
> 60      IN      RRSIG   NSEC 5 3 86400 20160331192054
> 20160301192054 39900 fedorahosted.org.
> p8tlcTZI3cDVAqlk2pbpGHUmDm/tZJyE2PSQNRJsOGXKnVWdZOs9Xovf
> bvJbsnVpeun9S4BosZ6UytlnX7XPn+jVu4KYZ2DK8tdAhyNOJOyVjTnh
> QJtGgPRWnraHA/hKWYsTpkK3meW2/kZdHsSsJodYeQ4WOhsa681htoYp 3vY= 
> fedoraproject.org.      86367   IN      NS
> ns02.fedoraproject.org. fedoraproject.org.      86367   IN      NS
> ns05.fedoraproject.org. fedoraproject.org.      86367   IN      NS
> ns04.fedoraproject.org.
> 
> ;; ADDITIONAL SECTION: ns02.fedoraproject.org. 86314   IN      A
> 152.19.134.139 ns02.fedoraproject.org. 86314   IN      AAAA
> 2610:28:3090:3001:dead:beef:cafe:fed5 ns05.fedoraproject.org. 86314
> IN      A       85.236.55.10 ns05.fedoraproject.org. 86314   IN
> AAAA    2001:4178:2:1269:dead:beef:cafe:fed5 
> ns04.fedoraproject.org. 86314   IN      A       209.132.181.17
> 
> ;; Query time: 322 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) ;; WHEN:
> Wed Mar 02 20:06:31 CET 2016 ;; MSG SIZE  rcvd: 844
> 
> : {13} ; rndc status version: 9.10.2-P4 <id:2754d37> ...
> 
> 
> : {14} ; dig @oliven.uninett.no. pwouters.fedorahosted.org. a
> +dnssec
> 
> ; <<>> DiG 9.10.2-P4 <<>> @oliven.uninett.no.
> pwouters.fedorahosted.org. a +dnssec ; (2 servers found) ;; global
> options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status:
> NOERROR, id: 35941 ;; flags: qr rd ra; QUERY: 1, ANSWER: 4,
> AUTHORITY: 5, ADDITIONAL: 6
> 
> ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags: do; udp: 4096 ;;
> QUESTION SECTION: ;pwouters.fedorahosted.org.     IN      A
> 
> ;; ANSWER SECTION: pwouters.fedorahosted.org. 60   IN      CNAME
> hosted03.fedoraproject.org. pwouters.fedorahosted.org. 60   IN
> RRSIG   CNAME 5 2 60 20160331192054 20160301192054 39900
> fedorahosted.org.
> P91FaEGxGv2Yrsdo5eDfhkpJD2zqkkoVkJr6dz9XYl0Y2TBG2FQ1OArv
> wUwu/bbi63LDVXsJqmg+AarvQ/xkB6f0C9Ro5/cnQFgQ0zjhi1/n/R7I
> vdXXYMU3xslNTe5s7U2YfCquHtKti8q6bM/ltxgtD03QJz8OxAIbpiyj 4VQ= 
> hosted03.fedoraproject.org. 300 IN      A       140.211.169.199 
> hosted03.fedoraproject.org. 300 IN      RRSIG   A 5 3 300
> 20160331192053 20160301192053 7725 fedoraproject.org.
> n/lc4F2WKfEnq9kTqjWuBH1YbCjSiFPT1NQuDF9x30BHliC8D6M+EZKC
> Lcx2JVdzi+Gb/DREkp/facfVGsslfGjKfkhl4AL0kDD638I7qhnR8TJp
> D9e+B26xRwORMEDTALc/8KkfPNiBF1rztu2dvVSXR/LsIZd/y/3hyudO Fwk=
> 
> ;; AUTHORITY SECTION: mtn.fedorahosted.org.   60      IN      NSEC
> sssd.fedorahosted.org. A SSHFP RRSIG NSEC mtn.fedorahosted.org.
> 60      IN      RRSIG   NSEC 5 3 86400 20160331192054
> 20160301192054 39900 fedorahosted.org.
> p8tlcTZI3cDVAqlk2pbpGHUmDm/tZJyE2PSQNRJsOGXKnVWdZOs9Xovf
> bvJbsnVpeun9S4BosZ6UytlnX7XPn+jVu4KYZ2DK8tdAhyNOJOyVjTnh
> QJtGgPRWnraHA/hKWYsTpkK3meW2/kZdHsSsJodYeQ4WOhsa681htoYp 3vY= 
> fedoraproject.org.      75130   IN      NS
> ns05.fedoraproject.org. fedoraproject.org.      75130   IN      NS
> ns02.fedoraproject.org. fedoraproject.org.      75130   IN      NS
> ns04.fedoraproject.org.
> 
> ;; ADDITIONAL SECTION: ns02.fedoraproject.org. 73152   IN      A
> 152.19.134.139 ns02.fedoraproject.org. 73152   IN      AAAA
> 2610:28:3090:3001:dead:beef:cafe:fed5 ns04.fedoraproject.org. 73152
> IN      A       209.132.181.17 ns05.fedoraproject.org. 73152   IN
> A       85.236.55.10 ns05.fedoraproject.org. 73152   IN      AAAA
> 2001:4178:2:1269:dead:beef:cafe:fed5
> 
> ;; Query time: 238 msec ;; SERVER:
> 2001:700:0:503::ca53#53(2001:700:0:503::ca53) ;; WHEN: Wed Mar 02
> 20:11:36 CET 2016 ;; MSG SIZE  rcvd: 844
> 
> : {15} ;
> 
> oliven: {9} rndc status version: BIND 9.9.8-P2 (Extended Support
> Version) <id:8f4dc43> ...
> 

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCAAGBQJW10nAAAoJEJ9vHC1+BF+NMaEQAI8lK1802BfoPHn31AIc68xi
s9CfSoAEIX3FM9/AQxBEVvtUVe1q37uMg1i50/QtUSW+/ngY40oWAstg9yxHFXWY
mgQul2Du0Nt07AAXpsaHjVwsu5v3IgZmlTFbzswh9tY7q2D8ERztQWHzR9JF//F5
XNgfMTIR7WUziXRdh+BdKR2mgE4zKUIqsisrjJiNOfoewRWTGXD6zlIweI+jKxzx
ISc4cXLdzso/U4f+JVBKHdEvZ3y3XclzEpoJdkUsJXr+tjsxwqfjtC22eEZcWTQg
jvHOzCx4aiTsd9KErnxESRMvZsn0BKZo7fQxGxILONvv+edR8h9mXSMjASXSvCkj
eVQBHhFNQsv4v7k8MzwGcfyaz3Pyjv0T2Wr9lUT6atsIFyeVQte2oFusCpFt6pyF
nyQ/P7C/K4vS8miIhxlsMKjAk+jP12KxTE/cOBSs6ZsELshEVp2kLPo//+Y7T6s/
LE7IscYbEVQXxDPmsaNGPutY5fdcO+tIrM1uJpaJ1Z5L5gI93OL6D6ZOqynzZQku
M8F/691fskYQ4SxAU3Gaoh96GV25mowlJdE2fA4y7dnezRokkX9ozwf0fOTquaSM
7C10tcNfM7wHs/XyNFA16GuXjciOSkBYbXEE982TTSBA/5aupsKhm8Y0sVN1Jcou
viVR4bckVR7uZQ9ZHQkJ
=9lYE
-----END PGP SIGNATURE-----



More information about the Unbound-users mailing list