[Unbound-users] [Q] HINFO in signed zone results SERVFAIL, but NOERROR with BIND
W.C.A. Wijngaards
wouter at NLnetLabs.nl
Tue Jan 6 12:05:01 UTC 2009
Hi Koh-ichi,
This is an interpretation problem in RFC4034 6.2(3).
A workaround is to give your HINFO in lowercase:
HINFO "vmware" "freebsd"
Unbound lowercases all text in the rdata of HINFO records before
verification. Because that is what I believe RFC4034 6.2(3) means.
Other software (ldns, bind) does not lowercase HINFO rdata, it seems.
It would be prudent to find a common interpretation. Something for
dnsext, already posted there.
Of course putting up a lowercase HINFO entry is against RFC1010, which
mandates all uppercase, and only - and /. Also, the first word is the
CPU and the second the OS. Thus,
HINFO "INTEL-CORE-I7-920" "FREEBSD-7-0"
This would be appropriate use according to RFC1034/1035.
However the strings do not appear in the allowed list in
http://www.iana.org/assignments/machine-names
http://www.iana.org/assignments/operating-system-names
so, HINFO "INTEL-386" "FREEBSD"
however, due to the interpretation problems in RFC4034 you are not
guaranteed DNSSEC verification unless you put this in lowercase,
HINFO "intel-386" "freebsd"
Best regards,
Wouter
Koh-ichi Ito wrote:
> Hello,
>
> I experienced the following problem with unbound-1.1.1.
> A bug? Or I hope somebody will kindly point out my fault.
>
> What I did is the following.
> - Sign the zone data of "example.jp", which contains an HINFO
> RR, with dnssec-signzone from BIND-9.4.2; the key was generated
> by dnssec-keygen from BIND-9.4.2, too.
> - Serve the zone with NSD 3.2.0.
>
> The result is the following.
> - Looking up the HINFO RR via named (recursive only) results in
> NOERROR.
> - Looking it up via unbound 1.1.1 results in SERVFAIL. unbound says
> "message contains bad rrsets" at the time.
> - Looking up the A RR of the same owner via unbound results in
> NOERROR.
>
> # example.jp before signing:
> $TTL 1m
> @       IN SOA  ns.example.jp. hostmaster.example.jp. (
>                 0       ; overridden by dnssec-signzone
>                 15m
>                 10m
>                 4w
>                 15m )
> $INCLUDE ksk.key
> $INCLUDE zsk.key
>         NS      ns.example.jp.
> ns      A       10.2.0.18
> foo     A       10.20.30.40
>         HINFO   VMware FreeBSD
> --------------------------------------------------
>
> # signed zone data around "foo.example.jp":
> foo.example.jp. 60  IN A    10.20.30.40
>                 60  RRSIG   A 5 3 60 20090220070924 (
>                             20090106070924 13872 example.jp.
>                             XVEbPz8vAVUg5xIAEJ9qPgI0iziEinvGpmB9
>                             QbMSK8SNWCIkoTIpu/VNr6pk7bztEXPCLWWF
>                             GWEIdi2lN+8Scoeq3BaqAZTu+3NlLVR4XLfA
>                             v/2cz7GCmFExsEuRhlCQ )
>                 60  HINFO   "VMware" "FreeBSD"
>                 60  RRSIG   HINFO 5 3 60 20090220070924 (
>                             20090106070924 13872 example.jp.
>                             YUhRwiZF8O8pU/yFZAeGRwiydFNIsLgHrVLd
>                             o1jphx4elWCHGmW+BWh3yZTM6iz3vNTDsksp
>                             1qTuHHVpPsBCRO5u3sb1Q2u7ahxT4wq1vy8I
>                             U1s8GYlyyx6NWEDRSi11 )
>                 900 NSEC    ns.example.jp. A HINFO RRSIG NSEC
>                 900 RRSIG   NSEC 5 3 900 20090220070924 (
>                             20090106070924 13872 example.jp.
>                             UDV79onp1LJjPW2qOeh8CJnDwxdnBDr5TAqx
>                             20YePlbVgUQDAK6himevg605SxfNULrnGH3i
>                             3eEaG8B//5zh7YOEdNNDDsNS3qMzRLAK9FcV
>                             QzPh0O0wvux8BqWNYR98 )
> --------------------------------------------------
> # output of dig via unbound:
>
> Script started on Tue Jan 6 17:20:12 2009
> kohi at vm1[1]% dig +dnssec @127.0.0.1 foo.example.jp HINFO
>
> ; <<>> DiG 9.4.2 <<>> +dnssec @127.0.0.1 foo.example.jp HINFO
> ; (1 server found)
> ;; global options: printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 44138
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;foo.example.jp. IN HINFO
>
> ;; Query time: 4 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Tue Jan 6 17:20:26 2009
> ;; MSG SIZE rcvd: 43
>
> kohi at vm1[2]% dig +dnssec @127.0.0.1 foo.example.jp A
>
> ; <<>> DiG 9.4.2 <<>> +dnssec @127.0.0.1 foo.example.jp A
> ; (1 server found)
> ;; global options: printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3293
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;foo.example.jp. IN A
>
> ;; ANSWER SECTION:
> foo.example.jp. 60 IN A 10.20.30.40
> foo.example.jp. 60 IN RRSIG A 5 3 60 20090220070924 20090106070924 13872 example.jp. XVEbPz8vAVUg5xIAEJ9qPgI0iziEinvGpmB9QbMSK8SNWCIkoTIpu/VN r6pk7bztEXPCLWWFGWEIdi2lN+8Scoeq3BaqAZTu+3NlLVR4XLfAv/2c z7GCmFExsEuRhlCQ
>
> ;; AUTHORITY SECTION:
> example.jp. 60 IN NS ns.example.jp.
> example.jp. 60 IN RRSIG NS 5 2 60 20090220070924 20090106070924 13872 example.jp. cci1b3UmL83L6Hwww+Iyxrp8x7d99WILt06c7i408zYTnPXZuc1TW/G3 H474aPsIBvzSnvhPqd8i4DgoNFGfEWPuSDA3WfIHIUAu5olHiirbihVt HO8bJZmSO8ZI3xGH
>
> ;; ADDITIONAL SECTION:
> ns.example.jp. 60 IN A 10.2.0.18
> ns.example.jp. 60 IN RRSIG A 5 3 60 20090220070924 20090106070924 13872 example.jp. Czz86H3IEVaBSn3MtoBuJPLIh4+9wFXY7lWIgzJPQ6bBOTzLEVAu2YQb Xz03WVXrn16M96/EYx1IeKPo7yhRK75JBZiQCqee+6EDbFd5j9W52lTW HULpVxuuykPfysv3
>
> ;; Query time: 2 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Tue Jan 6 17:20:37 2009
> ;; MSG SIZE rcvd: 506
>
> kohi at vm1[3]% exit
>
> Script done on Tue Jan 6 17:20:39 2009
> --------------------------------------------------
>
> # output of dig via named:
>
> Script started on Tue Jan 6 17:19:00 2009
> kohi at vm1[1]% dig +dnssec @127.0.0.1 foo.example.jp HINFO
>
> ; <<>> DiG 9.4.2 <<>> +dnssec @127.0.0.1 foo.example.jp HINFO
> ; (1 server found)
> ;; global options: printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57200
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;foo.example.jp. IN HINFO
>
> ;; ANSWER SECTION:
> foo.example.jp. 60 IN HINFO "VMware" "FreeBSD"
> foo.example.jp. 60 IN RRSIG HINFO 5 3 60 20090220070924 20090106070924 13872 example.jp. YUhRwiZF8O8pU/yFZAeGRwiydFNIsLgHrVLdo1jphx4elWCHGmW+BWh3 yZTM6iz3vNTDsksp1qTuHHVpPsBCRO5u3sb1Q2u7ahxT4wq1vy8IU1s8 GYlyyx6NWEDRSi11
>
> ;; AUTHORITY SECTION:
> example.jp. 60 IN NS ns.example.jp.
> example.jp. 60 IN RRSIG NS 5 2 60 20090220070924 20090106070924 13872 example.jp. cci1b3UmL83L6Hwww+Iyxrp8x7d99WILt06c7i408zYTnPXZuc1TW/G3 H474aPsIBvzSnvhPqd8i4DgoNFGfEWPuSDA3WfIHIUAu5olHiirbihVt HO8bJZmSO8ZI3xGH
>
> ;; Query time: 6 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Tue Jan 6 17:19:18 2009
> ;; MSG SIZE rcvd: 363
>
> kohi at vm1[2]% exit
>
> Script done on Tue Jan 6 17:19:20 2009
> --------------------------------------------------
>
> # output of unbound:
>
> Script started on Tue Jan 6 17:19:43 2009
> kohi at vm1[1]% /usr/bin/su
> Password:
> vm1# /proj/unbound-1.1.1/sbin/unbound -d -v
> [1231229999] unbound[28416:0] notice: Start of unbound 1.1.1.
> [1231229999] unbound[28416:0] notice: init module 0: validator
> [1231229999] unbound[28416:0] notice: init module 1: iterator
> [1231229999] unbound[28416:0] notice: openssl has no entropy, seeding with time and pid
> [1231229999] unbound[28416:0] info: start of service (unbound 1.1.1).
> [1231230026] unbound[28416:0] info: resolving <foo.example.jp. HINFO IN>
> [1231230026] unbound[28416:0] info: priming . IN NS
> [1231230026] unbound[28416:0] info: response for <. NS IN>
> [1231230026] unbound[28416:0] info: reply from <.> 10.2.0.18#53
> [1231230026] unbound[28416:0] info: query response was ANSWER
> [1231230026] unbound[28416:0] info: priming successful for <. NS IN>
> [1231230026] unbound[28416:0] info: response for <foo.example.jp. HINFO IN>
> [1231230026] unbound[28416:0] info: reply from <.> 10.2.0.18#53
> [1231230026] unbound[28416:0] info: query response was ANSWER
> [1231230026] unbound[28416:0] info: prime trust anchor
> [1231230026] unbound[28416:0] info: resolving <example.jp. DNSKEY IN>
> [1231230026] unbound[28416:0] info: response for <example.jp. DNSKEY IN>
> [1231230026] unbound[28416:0] info: reply from <example.jp.> 10.2.0.18#53
> [1231230026] unbound[28416:0] info: query response was ANSWER
> [1231230026] unbound[28416:0] info: validate keys with anchor(DNSKEY): sec_status_secure
> [1231230026] unbound[28416:0] info: Successfully primed trust anchor <example.jp. DNSKEY IN>
> [1231230026] unbound[28416:0] info: Validate: message contains bad rrsets
> [1231230037] unbound[28416:0] info: resolving <foo.example.jp. A IN>
> [1231230037] unbound[28416:0] info: response for <foo.example.jp. A IN>
> [1231230037] unbound[28416:0] info: reply from <example.jp.> 10.2.0.18#53
> [1231230037] unbound[28416:0] info: query response was ANSWER
> [1231230037] unbound[28416:0] info: validate(positive): sec_status_secure
> [1231230037] unbound[28416:0] info: validation success <foo.example.jp. A IN>
> ^C[1231230041] unbound[28416:0] info: service stopped (unbound 1.1.1).
> [1231230041] unbound[28416:0] info: server stats for thread 0: 2 queries, 0 answers from cache, 2 recursions
> [1231230041] unbound[28416:0] info: server stats for thread 0: requestlist max 0 avg 0 exceeded 0
> [1231230041] unbound[28416:0] info: mesh has 0 recursion states (0 with reply, 0 detached), 0 waiting replies, 2 recursion replies sent, 0 replies dropped, 0 states jostled out
> [1231230041] unbound[28416:0] info: average recursion processing time 0.001426 sec
> [1231230041] unbound[28416:0] info: histogram of recursion processing times
> [1231230041] unbound[28416:0] info: [25%]=0 median[50%]=0 [75%]=0
> [1231230041] unbound[28416:0] info: lower(secs) upper(secs) recursions
> [1231230041] unbound[28416:0] info: 0.000512 0.001024 1
> [1231230041] unbound[28416:0] info: 0.002048 0.004096 1
> vm1# exit
> exit
> kohi at vm1[2]% exit
>
> Script done on Tue Jan 6 17:20:45 2009
> --------------------------------------------------
>
> # unbound.conf:
>
> server:
>     do-ip6: no
>     chroot: /proj/unbound
>     root-hints: fake-root
>     username: bind
>     logfile: ""
>     pidfile: /var/run/unbound.pid
>     # trust-anchor-file: trust-anchor/dsset-example.jp.
>     # trust-anchor-file: trust-anchor/keyset-example.jp.
>     trusted-keys-file: trusted-keys/example.jp
>
> remote-control:
>     control-enable: yes
> --------------------------------------------------
>
>
> If any other information is required, please let me know.
>
> Don't ask the reason why I wish to use HINFO today :-p
>
> Thanks in advance.
>
> Koh-ichi Ito
> Internet Research Institute, Inc.
> _______________________________________________
> Unbound-users mailing list
> Unbound-users at unbound.net
> http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
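The following is an added example, not code from this thread, from Unbound or from BIND. It builds the RFC 4034 section 6.2 canonical form of an HINFO RR under both readings of item (3): downcasing the RDATA text (what Wouter says Unbound 1.1.1 did) and leaving it alone (what BIND and ldns did). A real RRSIG is stood in for by a SHA-256 digest of the canonical RR, which is an assumption of the example: it is enough to show whether signer and validator hash the same bytes, and no DNSSEC keys are involved. It also shows why the lowercase workaround is safe: the two readings only diverge when the RDATA contains uppercase ASCII letters, so `interpretations_agree` doubles as a pre-signing check for a zone. (RFC 6840 section 5.1 later settled the question: HINFO contains no domain names and its RDATA is not subject to case conversion.)

```python
"""Added example: RFC 4034 6.2 canonicalisation of an HINFO RR under the two
readings of item (3).  The SHA-256 digest is a stand-in for the data an RRSIG
covers, not a real signature."""
import hashlib
import struct

TYPE_HINFO = 13   # RR type code for HINFO (RFC 1035)
CLASS_IN = 1


def owner_to_canonical_wire(name: str) -> bytes:
    """RFC 4034 6.2(2): owner name in uncompressed wire format, downcased."""
    labels = [label for label in name.rstrip(".").lower().split(".") if label]
    return b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\x00"


def character_string(text: str) -> bytes:
    """RFC 1035 <character-string>: one length octet followed by the bytes."""
    data = text.encode("ascii")
    if len(data) > 255:
        raise ValueError("character-string longer than 255 octets")
    return bytes([len(data)]) + data


def hinfo_rdata(cpu: str, os_name: str, downcase: bool) -> bytes:
    """HINFO RDATA: CPU and OS as two <character-string>s.  With downcase=True
    the text is lowercased first (the reading Unbound 1.1.1 applied to
    RFC 4034 6.2(3)); with downcase=False it is left as written (BIND, ldns)."""
    if downcase:
        cpu, os_name = cpu.lower(), os_name.lower()
    return character_string(cpu) + character_string(os_name)


def canonical_rr(owner: str, ttl: int, cpu: str, os_name: str,
                 downcase_rdata: bool) -> bytes:
    """RFC 4034 6.2 canonical RR: owner | type | class | original TTL | rdlength | rdata."""
    rdata = hinfo_rdata(cpu, os_name, downcase_rdata)
    header = struct.pack("!HHIH", TYPE_HINFO, CLASS_IN, ttl, len(rdata))
    return owner_to_canonical_wire(owner) + header + rdata


def signed_digest(owner: str, ttl: int, cpu: str, os_name: str,
                  downcase_rdata: bool) -> str:
    """Stand-in for the bytes an RRSIG signs.  The RRSIG RDATA prefix that a
    real signature also covers is omitted: it is identical under both readings
    and so cannot change the outcome of the comparison."""
    return hashlib.sha256(canonical_rr(owner, ttl, cpu, os_name, downcase_rdata)).hexdigest()


def validator_accepts(owner: str, ttl: int, cpu: str, os_name: str,
                      signer_downcases: bool, validator_downcases: bool) -> bool:
    """True when signer and validator reconstruct the same canonical bytes,
    i.e. when a real RRSIG over the signer's bytes would verify."""
    return (signed_digest(owner, ttl, cpu, os_name, signer_downcases)
            == signed_digest(owner, ttl, cpu, os_name, validator_downcases))


def interpretations_agree(cpu: str, os_name: str) -> bool:
    """Pre-signing check: the two readings give the same canonical RDATA only
    when the text has no uppercase ASCII letters (the lowercase workaround)."""
    return hinfo_rdata(cpu, os_name, True) == hinfo_rdata(cpu, os_name, False)


if __name__ == "__main__":
    owner, ttl = "foo.example.jp.", 60          # values from the thread
    for cpu, os_name in (("VMware", "FreeBSD"), ("vmware", "freebsd")):
        ok = validator_accepts(owner, ttl, cpu, os_name,
                               signer_downcases=False, validator_downcases=True)
        print(f'HINFO "{cpu}" "{os_name}" signed without downcasing, '
              f'validated with downcasing -> '
              + ("verifies" if ok else "bad rrset (SERVFAIL)"))
```

Run as a script it reproduces the thread's outcome: the mixed-case record signed by a non-downcasing signer fails under a downcasing validator, while the all-lowercase record verifies under either reading. The owner name is downcased in both cases because RFC 4034 6.2(2) is not in dispute; only the RDATA handling differs.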