<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
</head>
<body>
<p>Hello to all, </p>
<p>I've exhausted most of my options at this point, so I'm now
asking here. I've encountered one of the strangest DNSSEC issues
I've ever seen.</p>
<p>Let's get straight to the point. One of the two affected FQDNs
is:</p>
<p>home.local.magisystems.de</p>
<p>the other one is</p>
<p>koenigsberg.local.magisystems.de</p>
<p>If you try to resolve that using Unbound, with the validator
module enabled &amp; trust anchors configured, you will get a
SERVFAIL from Unbound. If you also have EDE enabled, you will see:</p>
<p>EDE: 10 (RRSIGs Missing): (validation failure
&lt;home.local.magisystems.de. A IN&gt;: no signatures from
&lt;...&gt;)</p>
<p>However, if you ask one of the nameservers directly, you will see
that the FQDN in question does have a proper RRSig:</p>
<blockquote type="cite">dig home.local.magisystems.de +dnssec
@ns1.hosting.de<br>
<br>
; &lt;&lt;&gt;&gt; DiG 9.18.16-1~deb12u1-Debian &lt;&lt;&gt;&gt;
home.local.magisystems.de +dnssec @ns1.hosting.de<br>
;; global options: +cmd<br>
;; Got answer:<br>
;; -&gt;&gt;HEADER&lt;&lt;- opcode: QUERY, status: NOERROR, id:
42931<br>
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL:
1<br>
;; WARNING: recursion requested but not available<br>
<br>
;; OPT PSEUDOSECTION:<br>
; EDNS: version: 0, flags: do; udp: 1232<br>
;; QUESTION SECTION:<br>
;home.local.magisystems.de. IN A<br>
<br>
;; ANSWER SECTION:<br>
home.local.magisystems.de. 3600 IN A 172.22.22.27<br>
home.local.magisystems.de. 3600 IN RRSIG A 8 4 3600
20230808083531 20230718083031 62664 magisystems.de.
RSoBY/8Nqt/2iATHt2rW98bTGOAaF1l7j0ACMJW5ezTLo9zCpMJOa0mt
nbZApJ78hK92dvp3kk2n545YNQtyRbidGg6Yo8J1hg2ZNqltuIwFdQQm
B3Aoq7xemueX78xVGgaBIUjAi6HiJOggz3Ty/AxzvOMOLqx1p+woK3aL 7+w=</blockquote>
<p>Now, let's make this even more strange: Try to resolve this FQDN
using any other public resolver not running Unbound: Cloudflare,
Google Public DNS, Quad9, you name it: If it's not running
Unbound, it will have zero trouble resolving the FQDN.</p>
<p>Some facts about the issue:</p>
<ul>
<li>The zone in question is, to my best knowledge, properly DNSSEC
signed</li>
<li>Only Unbound has trouble resolving this FQDN: All other
resolvers I've tried can resolve it just fine</li>
<li>All other FQDNs on the same zone work without any issue: For
example, try out local.magisystems.de or just magisystems.de:
Unbound can resolve them just fine</li>
<li>I've already spoken to the DNS hosting provider (hosting.de).
Just like me, they're clueless. IIRC, they're running PowerDNS
and we couldn't identify any other zone that has the same issue</li>
<li>We tried regenerating the RRSig, without any change in the
behaviour</li>
<li>We have reproduced this using 5 different Unbound installs in
2 different countries. We tried older and recent versions (up to
the current 1.17.1)</li>
<li>The issue has persisted over multiple weeks now and is most
certainly not related to caching</li>
</ul>
<p>I don't own the domain in question, though I do know the person
owning it, so I can request changes to the zone. I'm absolutely
clueless as to what is going wrong here: DNSViz.net doesn't see
anything wrong with the DNSSEC. I myself run dozens of domains
using the exact same configuration: *All* of them resolve properly
using Unbound. Only this FQDN has trouble. It uses the same key
type/size, signature algorithm, everything is identical to how the
other zones are configured.</p>
<p>Does anyone have an idea? At this point I'm inclined to believe
we've hit some bug in Unbound, but I honestly don't know what.</p>
<p>Kind regards,<br>
Max</p>
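<p>Added example (not part of the original post, and not Unbound's code): a small Python script that parses the RRSIG shown in the dig output above and runs the checks a DNSSEC validator performs on a signature before it attempts any cryptographic verification (RFC 4035 section 5.3.1): type covered, signer name, label count, validity window, and the presence of a zone key with matching key tag and algorithm. When every candidate RRSIG fails one of these checks, a validator has no usable signature for the RRset, which is the class of failure reported as "no signatures". The DNSKEY set for magisystems.de is not on this page, so the key list below is a constructed placeholder; the script illustrates the checks and does not diagnose the issue in the thread.</p>

```python
"""Pre-verification RRSIG checks per RFC 4035 section 5.3.1 (added example)."""
from dataclasses import dataclass, replace
from datetime import datetime, timezone
from typing import List, Tuple

# RRSIG taken verbatim from the dig output in the post, joined onto one line.
PAGE_RRSIG = (
    "home.local.magisystems.de. 3600 IN RRSIG A 8 4 3600 "
    "20230808083531 20230718083031 62664 magisystems.de. "
    "RSoBY/8Nqt/2iATHt2rW98bTGOAaF1l7j0ACMJW5ezTLo9zCpMJOa0mt"
    "nbZApJ78hK92dvp3kk2n545YNQtyRbidGg6Yo8J1hg2ZNqltuIwFdQQm"
    "B3Aoq7xemueX78xVGgaBIUjAi6HiJOggz3Ty/AxzvOMOLqx1p+woK3aL7+w="
)

# CONSTRUCTED placeholder DNSKEY set: (key_tag, algorithm, flags).
# The real magisystems.de keys are not on the page; only the tag 62664
# is taken from the RRSIG above. 256 = ZSK (zone key), 257 = KSK (zone key + SEP).
CONSTRUCTED_KEYS: List[Tuple[int, int, int]] = [(62664, 8, 256), (12345, 8, 257)]


@dataclass(frozen=True)
class RRSIG:
    owner: str
    type_covered: str
    algorithm: int
    labels: int
    original_ttl: int
    expiration: int  # POSIX seconds
    inception: int   # POSIX seconds
    key_tag: int
    signer: str
    signature: str   # base64; not verified here


def sigtime(value: str) -> int:
    """Convert the YYYYMMDDHHmmSS presentation format to POSIX seconds (UTC)."""
    dt = datetime.strptime(value, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return int(dt.timestamp())


def parse_rrsig(line: str) -> RRSIG:
    """Parse one RRSIG record in dig presentation format."""
    f = line.split()
    # owner ttl class RRSIG type alg labels ottl expiration inception tag signer sig...
    if f[2] != "IN" or f[3] != "RRSIG":
        raise ValueError("not an IN RRSIG record")
    return RRSIG(f[0], f[4], int(f[5]), int(f[6]), int(f[7]),
                 sigtime(f[8]), sigtime(f[9]), int(f[10]), f[11], "".join(f[12:]))


def key_tag(dnskey_rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over DNSKEY wire-format rdata (any algorithm but 1)."""
    ac = 0
    for i, b in enumerate(dnskey_rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def label_count(name: str) -> int:
    return len([lbl for lbl in name.rstrip(".").split(".") if lbl])


def is_zone_of(zone: str, name: str) -> bool:
    """True if `name` equals `zone` or lies beneath it (case-insensitive)."""
    z, n = zone.rstrip(".").lower(), name.rstrip(".").lower()
    return n == z or n.endswith("." + z)


def check_rrsig(sig: RRSIG, rrset_type: str,
                dnskeys: List[Tuple[int, int, int]], now: int) -> List[str]:
    """Return the reasons a validator would discard this RRSIG without trying
    the cryptography. An empty list means the RRSIG is a verification candidate.
    `dnskeys` holds (key_tag, algorithm, flags) for the signer's DNSKEY RRset."""
    problems = []
    if sig.type_covered != rrset_type:
        problems.append(f"covers {sig.type_covered}, RRset type is {rrset_type}")
    if not is_zone_of(sig.signer, sig.owner):
        problems.append(f"signer {sig.signer} is not a zone containing {sig.owner}")
    if sig.labels > label_count(sig.owner):
        problems.append(f"labels field {sig.labels} exceeds owner label count")
    if now < sig.inception:
        problems.append("signature not yet valid (inception in the future)")
    if now > sig.expiration:
        problems.append("signature expired")
    # RFC 4034 2.1.1: only keys with the Zone Key flag (bit 7, 0x100) may sign RRsets.
    usable = [k for k in dnskeys
              if k[0] == sig.key_tag and k[1] == sig.algorithm and k[2] & 0x100]
    if not usable:
        problems.append(f"no zone key at {sig.signer} with key tag {sig.key_tag} "
                        f"and algorithm {sig.algorithm}")
    return problems


def report(now: int = sigtime("20230725000000")) -> List[str]:
    """Run the checks on the page's RRSIG against the constructed key set."""
    return check_rrsig(parse_rrsig(PAGE_RRSIG), "A", CONSTRUCTED_KEYS, now)


if __name__ == "__main__":
    sig = parse_rrsig(PAGE_RRSIG)
    print(f"key tag {sig.key_tag}, signer {sig.signer}, labels {sig.labels}")
    print("problems:", report() or "none")
    # Same RRSIG, but the signer's key set lacks tag 62664 (constructed case).
    print("missing key:", check_rrsig(sig, "A", [(12345, 8, 257)], sigtime("20230725000000")))
```

<p>Usage note: <code>report()</code> evaluates the signature at a fixed instant inside its validity window (25 July 2023, chosen for the example) so the result is stable; pass the current time for a live check. To turn this into a real test of a zone, replace <code>CONSTRUCTED_KEYS</code> with the tags, algorithms and flags of the signer's actual DNSKEY RRset, and only then hand the surviving candidates to a cryptographic verifier.</p>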
</body>
</html>