[Dnssec-trigger] bugs.debian.org validation failure

Chuck Anderson cra at WPI.EDU
Thu Sep 18 16:29:19 UTC 2014 

Why is unbound showing a validation failure when dnsviz.net shows everything is good?

http://dnsviz.net/d/bugs.debian.org/dnssec/

Sep 18 12:07:34 system unbound: [2399:1] info: validation failure bugs.debian.org. AAAA IN
Sep 18 12:07:34 system unbound: [2399:0] info: validation failure bugs.debian.org. AAAA IN
Sep 18 12:07:34 system unbound: [2399:0] info: validation failure bugs.debian.org. A IN
Sep 18 12:07:34 system unbound: [2399:1] info: validation failure bugs.debian.org. A IN
Sep 18 12:08:31 system unbound: [2399:1] info: validation failure bugs.debian.org. A IN
Sep 18 12:08:31 system unbound: [2399:0] info: validation failure bugs.debian.org. AAAA IN
Sep 18 12:08:31 system unbound: [2399:0] info: validation failure bugs.debian.org. A IN
Sep 18 12:08:31 system unbound: [2399:1] info: validation failure bugs.debian.org. AAAA IN

# cat /etc/resolv.conf
# Generated by dnssec-trigger 0.11
nameserver 127.0.0.1

# dnssec-trigger-control status
at 2014-08-12 19:50:53
http fedoraproject.org (209.132.181.16): OK 
cache 130.215.5.18: OK 
cache 130.215.39.18: OK 
cache 130.215.32.18: OK 
state: cache secure

# unbound-control status
version: 1.4.21
verbosity: 1
threads: 2
modules: 2 [ validator iterator ]
uptime: 8969587 seconds
unbound (pid 2399) is running...

# unbound-control list_forwards
. IN forward: 130.215.32.18 130.215.39.18 130.215.5.18




]# unbound-control dump_cache | grep -i debian
79LQJ175EGDS2H52Q2HC62E8KML13LQH.debian.org.	2834	IN	NSEC3	1 0 16 7d27a664d4  7abafflgutp9r82vovq9fdg3pogoh393 A MX AAAA RRSIG 
79LQJ175EGDS2H52Q2HC62E8KML13LQH.debian.org.	2834	IN	RRSIG	NSEC3 8 3 3600 20141023191027 20140913181027 35679 debian.org. BoXj6Ca3Z84dSZbJNVZXRIVN5Tik59XpRHjkGKhqjYh0lux9UlJasesVwS8nM5WrnSzx0lR/mByUx7MV7Xji1ySk1DHLJCNbgiXFCa2R6vtUK1zFDPJP1dkuGokY1AmWv6Ff4a/MnjrQrE4of6gGkOU6nDm7XU8l3CANJrDXti53YABE/CJLS/TTg+DNRt8hpYDCYrwK6bQsgppxSeWgZqPcEV2ipgY6ZpCuYaMi9VLjlnXybhTa31vzFekuXSNg
debian.org.					2834	IN	SOA	denis.debian.org. hostmaster.debian.org. 2014352350 10800 3600 1814400 3600
debian.org.					2834	IN	RRSIG	SOA 8 2 3600 20141028145935 20140918135935 35679 debian.org. WXGXZPULIlAz9c55CNLc2sIs7lPXE4C71L+7/kiNUL4FasDBnGs+IXxBYYYk5JdoFI7300FwK/3Kfcx3XpalJCNYXQH9YDn7XqZWRa1tnrYH+HDZ48rfPv8G62T/VBNdojLoc2oBQc+2Q8UfjJqpcO1NLqJddMuvRLkTCBjflHe/gAH3iNR6shVPKUz10lz2QiPJC4kL1TCwnpsuitRYqE/qTSV9NMPBoU1+mRDpcb1h+v/auwbzQl0yZ4zIDKRi
debian.org.					85634	IN	DS	15679 8 2 9772f405c41274a78d724ea33457b0ff8850570e1d1da969b7ab1133010a9a25
debian.org.					85634	IN	RRSIG	DS 7 2 86400 20140930155830 20140909145830 33287 org. s1GDbVTNjs18F7kSs8klkGue8OQdgQ/QE1+MJmJQgfflKUu8NNz4q/BCVl5bST8u4z/tJu0ZV8cqd2rMoD1IahsossweRIx2swpZfyNjnMk3+m9BvklintglyITVGy8NGrltb/5PL0/FaACPmm90bXCYAEp5yJIjUhZZQWRKZ0E=
debian.org.					14982	IN	NS	sec2.rcode0.net.
debian.org.					14982	IN	NS	dns4.easydns.info.
debian.org.					14982	IN	NS	dns3.easydns.org.
debian.org.					14982	IN	NS	sec1.rcode0.net.
debian.org.					14982	IN	NS	dns1.easydns.com.
debian.org.					28034	IN	DNSKEY	257 3 8 AwEAAa08/KsTdCYEdb0IZ2zgjM1Rld05vJDBxDo18Nb1cNDHkI8EZubK9vO1icw/7VnwZD0yRj0Gt2ecOa+N3IQakQirsshc1Tz2y2XX2n2cb5BCMzRea5ifPcUvHT+c4CStthNAJyu98StCIUdtprua6AWyOW9yuDGgkQGdNuk7hK5lMvItYoT85PqLDA6Tne9JrlEbUrzQ9t779yxwuZZg8XqWOi9f1Vk4P7QdQqGsmLlCNpYevwJNmE5ebk4ZHgpHYWb8gJyKX69vgzs/t0aj4dEbnMRgiQWW42jfzVblcT33+A1KkKSQz7gmzsX14/Wa/6hHyxkdeLtxl7rlpvXWjeE= ;{id = 15679 (ksk), size = 2048b}
debian.org.					28034	IN	DNSKEY	256 3 8 AwEAAdVJpaKPTjXZnB2cHV+fVYghzysbiJsfco9jC8xrVPRCZdkLI3oh99G9544ddxmHSSqyHmSiYzez1AI9UxdYpVI0vdLuwlX9i0xeydsWDS/zj7dBz7nvSdxg2PxKpt8aViy31RdD83gE8QPyF8Rnmfb2s4PwBfKt71s55aBD/nK055918XJwqQF9kNIxKFRaeXa4dM85erDbpHAiY00QPH98mSr8fNrwSLbrSIHNqa2hUlUfk8siEQAYl/wZj0EYjQ== ;{id = 35679 (zsk), size = 1536b}
debian.org.					28034	IN	RRSIG	DNSKEY 8 2 28800 20141017065938 20140907061457 15679 debian.org. IQklv/jb98f82khX3uAJVmKiOciG1dApku6CvBwS7Woo7sCi/9wans7U7bQ8gWG37PZPy1ZaidZSQHFz6amZJA0hYx5meRtQRz/PoYBZrrVlH3LWVEBbhSqJ+IhSTctHBTkeOWIe1FvnWrAlV8zzeaanVukiw7QZLyVTbQA53V0BdDXjGi1Kb+rogc+DhH9B64mpEtz7zUrNYUWEHqztr26RicGJJc2s5dJXFT+MzTmk0JGdMH1HThmBF1hEHOCLDWLXmHlZAnVxsgU7FWtwG4jjYZL8spokgzajkx8At+Gl2cY+9ZWFENOz+GY5FmqELhPslegGA7sNqwQu9P5cqw==
debian.org.					28034	IN	RRSIG	DNSKEY 8 2 28800 20141017065938 20140907061457 35679 debian.org. A+pg5GMcFmQ5mdAWXZPPoEivil/MprhjybMol0U2T5zDTyBkHeGHmiygSgRdGDgiE6GgOrdNN6k/dDQwXvPEyZRw3i13Wc0eXxxK3WJMSusrE8vUuvI3KtFDJDMOAaR961KH5PIp9iSZexY3Q2fEjvilOu/vPS3eZrVjHpoROULeU878t9EY4bG3bPYWK0YGzmwgO/xfXW5YYVXyBpvcjsj0d3G3ZJ/o10It7fa82n5OGkXOQPo8sCJgh7PmzExL
msg bugs.debian.org. IN DS 33152 1 2834 0 0 2 0
debian.org. IN SOA 4
79LQJ175EGDS2H52Q2HC62E8KML13LQH.debian.org. IN NSEC3 0
msg debian.org. IN DNSKEY 33152 1 28034 0 1 0 0
debian.org. IN DNSKEY 0
msg bugs.debian.org.wpi.edu. IN A 33155 1 2835 3 0 1 0
msg bugs.debian.org.wpi.edu.dlv.isc.org. IN DLV 33155 1 2835 4 0 3 0
msg bugs.debian.org.wpi.edu. IN AAAA 33155 1 2835 3 0 1 0
msg debian.org. IN DS 33152 1 85634 0 1 0 0
debian.org. IN DS 0
[root at dustpuppy cra]# unbound-control dump_cache | grep -i debian
79LQJ175EGDS2H52Q2HC62E8KML13LQH.debian.org.	 2822	IN NSEC3	1 0 16 7d27a664d4  7abafflgutp9r82vovq9fdg3pogoh393 A MX AAAA RRSIG 
79LQJ175EGDS2H52Q2HC62E8KML13LQH.debian.org.	 2822	IN RRSIG	NSEC3 8 3 3600 20141023191027 20140913181027 35679 debian.org. BoXj6Ca3Z84dSZbJNVZXRIVN5Tik59XpRHjkGKhqjYh0lux9UlJasesVwS8nM5WrnSzx0lR/mByUx7MV7Xji1ySk1DHLJCNbgiXFCa2R6vtUK1zFDPJP1dkuGokY1AmWv6Ff4a/MnjrQrE4of6gGkOU6nDm7XU8l3CANJrDXti53YABE/CJLS/TTg+DNRt8hpYDCYrwK6bQsgppxSeWgZqPcEV2ipgY6ZpCuYaMi9VLjlnXybhTa31vzFekuXSNg
debian.org.					 2822	IN SOA		denis.debian.org. hostmaster.debian.org. 2014352350 10800 3600 1814400 3600
debian.org.					 2822	IN RRSIG	SOA 8 2 3600 20141028145935 20140918135935 35679 debian.org. WXGXZPULIlAz9c55CNLc2sIs7lPXE4C71L+7/kiNUL4FasDBnGs+IXxBYYYk5JdoFI7300FwK/

More information about the dnssec-trigger mailing list