<html>
<head>
<style><!--
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 12pt;
font-family:Calibri
}
--></style></head>
<body class='hmmessage'><div dir='ltr'>Hi Wouter,<br><br>Thank you for your investigation and explanation. I tried dig +cdflag and it get answers very well. Later, we experienced such kinds of transient problems when using dig only. Since it is not unbound bug, we will ignore them.<br><br>Best,<br>Wendi<br><br><div>> Date: Mon, 2 Dec 2013 09:34:48 +0100<br>> From: wouter@nlnetlabs.nl<br>> To: unbound-users@unbound.net<br>> Subject: Re: [Unbound-users] Persistent validation failure on several sites<br>> <br>> -----BEGIN PGP SIGNED MESSAGE-----<br>> Hash: SHA1<br>> <br>> Hi Wenci,<br>> <br>> I receive answers for them. Your dig contacted unbound itself. You<br>> should set dig +cdflag so you can see the dnssec invalid answers that<br>> unbound has, or set dig to probe the other servers.<br>> <br>> sirius-soft.at seems to have retracted its DS record and is now<br>> insecure - I guess something was wrong for them.<br>> <br>> rellim.com has faulty algorithm rollover - they publish DS records<br>> algorithms 5 and 7, and have DNSKEYs 7 and 8. There are no keys of<br>> type 5... This breaks resolution for unbound. Other software has a<br>> more lenient view on algorithm rollover and keys. And it goes back to<br>> a debate about whether one key is enough or if you want to check all<br>> available algorithms; it advertises algorithm 5 and thus it must<br>> provide a chain of trust for algorithm 5.<br>> <br>> Best regards,<br>> Wouter<br>> <br>> <br>> On 11/29/2013 06:24 PM, Wendi Chen wrote:<br>> > HI All,<br>> > <br>> > We consistently receive the following unbound logs:<br>> > <br>> > 131127 17:48:33 unbound: [5694:0] info: validation failure<br>> > d.t10000.u6860931751.s1385574322.i1009.v6022.503b8.z.dotnxdomain.net.<br>> > A IN 131127 17:51:28 unbound: [5694:0] info: validation failure<br>> > ns2.sirius-soft.at. A IN 131127 17:51:28 unbound: [5694:0] info:<br>> > validation failure ns1.sirius-soft.at. A IN 131127 17:51:28<br>> > unbound: [5694:0] info: validation failure ns3.sirius-soft.at. A<br>> > IN 131127 17:51:45 unbound: [5694:1] info: validation failure<br>> > ns2.sirius-soft.at. A IN 131127 17:52:02 unbound: [5694:1] info:<br>> > validation failure ns3.sirius-soft.at. A IN 131127 17:52:35<br>> > unbound: [689:0] info: validation failure rellim.com. A IN 131127<br>> > 17:52:36 unbound: [21479:0] info: validation failure rellim.com. A<br>> > IN 131127 17:52:46 unbound: [5694:0] info: validation failure<br>> > rellim.com. A IN 131127 17:52:46 unbound: [5694:0] info: validation<br>> > failure rellim.com. NS IN 131127 17:52:46 unbound: [5694:0] info:<br>> > validation failure ns1.rellim.com. A IN 131127 17:52:46 unbound:<br>> > [689:1] info: validation failure rellim.com. A IN 131127 17:52:48<br>> > unbound: [21479:1] info: validation failure rellim.com. A IN 131127<br>> > 17:52:48 unbound: [21479:1] info: validation failure rellim.com. NS<br>> > IN 131127 17:52:48 unbound: [21479:1] info: validation failure<br>> > ns2.rellim.com. AAAA IN 131127 17:52:48 unbound: [21479:1] info:<br>> > validation failure ns1.rellim.com. A IN<br>> > <br>> > Is it a bug in unbound or a problem with the DNS configuration of<br>> > those sites?<br>> > <br>> > I ran dig commands on those sites and found all of them returned no<br>> > answers.<br>> > <br>> > For example, wendi: dig rellim.com<br>> > <br>> > <br>> > ; <<>> DiG 9.9.3-rl.13207.22-P2-RedHat-9.9.3-5.P2.fc19 <<>><br>> > rellim.com ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<-<br>> > opcode: QUERY, status: SERVFAIL, id: 52216 ;; flags: qr rd ra;<br>> > QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1<br>> > <br>> > ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;;<br>> > QUESTION SECTION: ;rellim.com. IN A<br>> > <br>> > ;; Query time: 840 msec ;; SERVER: 192.168.58.1#53(192.168.58.1) ;;<br>> > WHEN: Fri Nov 29 12:20:38 EST 2013 ;; MSG SIZE rcvd: 39<br>> > <br>> > Thank you if you can give me some advices.<br>> > <br>> > Best, Wendi<br>> > <br>> > <br>> > _______________________________________________ Unbound-users<br>> > mailing list Unbound-users@unbound.net <br>> > http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users<br>> > <br>> <br>> -----BEGIN PGP SIGNATURE-----<br>> Version: GnuPG v1.4.15 (GNU/Linux)<br>> Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/<br>> <br>> iQIcBAEBAgAGBQJSnEYoAAoJEJ9vHC1+BF+Ne2MQAKVrfbB44CwktLm+tXmWbgqA<br>> Jtius/U/um39b5D+UPCtQANGOaepfRvEdRVMU+0jI4qNq+g3/zeRDoR3WOEQr6vt<br>> DjFCR13g0GokaiCI9EVyGwUq5fHetgc92n2Ke+IYd5AcsRbWzMJlrkZSWtL+KBCv<br>> s+7M49jmxkQQsTa+9vOrLlfFu1IUNYpf2qlL+I89Qn1TjTJOz9ZfsN66J3ieyqv1<br>> HJRKa/aXe4VTZOIUHkQjiPfBb/3iyJo8BxN8GeLOFcLKyrVVzZfS5uzNt47TWgqQ<br>> QWAq4YHhLdb2rVAKRqFQDCHlnC8JVgWNYfYAGuFazWtL2BOWItk3IjXlLmhEONr2<br>> lVtyTfiDaT3x0MIgp1NDCWW/FO8py6XtgS46qM/cWPQ1MyXD+EM/bHNtxRzVF6O0<br>> 7uJg16fDuxyF4t0wgcGAtxvBpwqw3N/UJENWztw1yv3iCFCb/wSgU012jJV75D9J<br>> kpGv+Dm8HVQfWsugqYwZ2yeMH9ICc59ILWxuTVQfBUOMd1VySIczZCgb90GFHQKH<br>> CDGfAYRF9JFZT2QUzT4M1ubC9iPFCG3x/Q8a1bNyxQCwm3E/f9CTY67bA7/KosgA<br>> hx1L0Vi5wBa1p5OyycXVeb2iYw8smcY05NOpEpVlOGSYSFUCXOYOAYgkQ/zz4/y4<br>> kbdp6h4Wq0Z7p2wZxSWS<br>> =uMZt<br>> -----END PGP SIGNATURE-----<br>> _______________________________________________<br>> Unbound-users mailing list<br>> Unbound-users@unbound.net<br>> http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users<br></div> </div></body>
</html>