wildcard dnssec test fails

W.C.A. Wijngaards wouter at nlnetlabs.nl
Fri Dec 15 08:08:52 UTC 2017


Hi Sebastian, Viktor,

On 15/12/17 01:26, Viktor Dukhovni via Unbound-users wrote:
> On Thu, Dec 14, 2017 at 02:21:15PM +1000, Sebastian Schmidt wrote:
> 
>> I�ve unbound setup on FreeBSD 11.1 and I can�t figure out why "drill
>> www.wilda.nsec.0skar.cz" gives SERVFAIL. The domain is from this
>> (http://0skar.cz/dns/en) test site where it reports three failures (2a,
>> 2b and 4). Any help would be appreciated.
> 
> The zone's signatures are weird:
> 
>     $ unbound-host -f /usr/local/etc/unbound/root.key -v www.wilda.nsec.0skar.cz

When I run unbound-host, I get no errors,
./unbound-host  www.wilda.nsec.0skar.czwww.wilda.nsec.0skar.cz -f
root.key -v -t A
www.wilda.nsec.0skar.czwww.wilda.nsec.0skar.cz has address
85.239.227.179 (secure)

Unbound performs serial arithmatic on the timestamps in the rrsig,
according to RFC.

(What does that mean?  The timestamps are 32bit in the RRSIG, but the
value is interpreted relative to the current date.  And what you cannot
do is express something like a point more than some number of years
future or past.)

Best regards, Wouter

>     ...
>     validation failure <www.wilda.nsec.0skar.cz. A IN>: signature inception after expiration from 2001:1528:132:70::1 for key nsec.0skar.cz. while building chain of trust
>     ...
> 
>     $ dig +noall +ans +nocl +nottl +nosplit +cd +dnssec -t a www.wilda.nsec.0skar.cz
>     www.wilda.nsec.0skar.cz. CNAME  flexi.oskarcz.net.
>     www.wilda.nsec.0skar.cz. RRSIG  CNAME 10 5 300 20800101000000 20140130121330 28887 nsec.0skar.cz. ...
>     flexi.oskarcz.net.      A       85.239.227.179
>     flexi.oskarcz.net.      RRSIG   A 10 3 3600 20180108024403 20171209024403 31880 oskarcz.net. ...
> 
> Note the RRSIG dates for the CNAME:
> 
>     Inception:  20140130121330
>     Expiration: 20800101000000
> 
> Perhaps unbound is comparing these as 32-bit timestamps.  Just
> under 66 years is an impressive validity range, if intentional.
> 


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.nlnetlabs.nl/pipermail/unbound-users/attachments/20171215/4b2edcc8/attachment.bin>


More information about the Unbound-users mailing list