[Unbound-users] Forwarding failing when DNSSec is enabled
Harish Chandra
charish47 at yahoo.com
Wed Jul 1 15:00:52 UTC 2009
Hi,
Without DNSSEC, forwarding works fine. With DNSSEC enabled (I am
using DLV), forwarding fails when I forward my queries to a server
that isn't DNSSEC-enabled.
The output from the log looks like this:
[1246456813] unbound[7919:0] info: validator operate: query <dlv.isc.org. DNSKEY IN>
[1246456813] unbound[7919:0] debug: validator: nextmodule returned
[1246456813] unbound[7919:0] debug: not validating response due to CD bit
[1246456813] unbound[7919:0] debug: mesh_run: validator module exit state is module_finished
[1246456813] unbound[7919:0] info: validator: inform_super, sub is <dlv.isc.org. DNSKEY IN>
[1246456813] unbound[7919:0] info: super is <mail.google.com.dlv.isc.org. DLV IN>
[1246456813] unbound[7919:0] info: verify rrset <dlv.isc.org. DNSKEY IN>
[1246456813] unbound[7919:0] debug: rrset failed to verify due to a lack of signatures
[1246456813] unbound[7919:0] debug: verify result: sec_status_bogus
[1246456813] unbound[7919:0] info: validate keys with anchor(DNSKEY): sec_status_bogus
[1246456813] unbound[7919:0] info: failed to prime trust anchor -- could not fetch secure DNSKEY rrset <dlv.isc.org. DNSKEY IN>
[1246456813] unbound[7919:0] debug: validator[module 0] operate: extstate:module_wait_subquery event:module_event_pass
[1246456813] unbound[7919:0] info: validator operate: query <mail.google.com.dlv.isc.org. DLV IN>
[1246456813] unbound[7919:0] debug: val handle processing q with state VAL_VALIDATE_STATE
[1246456813] unbound[7919:0] info: processValidate: state has no signer name <mail.google.com.dlv.isc.org. DLV IN>
[1246456813] unbound[7919:0] info: Could not establish validation of INSECURE status of unsigned response.
[1246456813] unbound[7919:0] debug: val handle processing q with state VAL_FINISHED_STATE
The failure appears to be caused by a signature mismatch. But why is
validation taking place when the actual resolver can't talk DNSSEC? My
config file looks like this:
server:
    verbosity: 5                      # highest level; produces the debug lines shown above
    interface: 0.0.0.0                # listen on every IPv4 address
    port: 53
    do-ip4: yes
    do-ip6: yes
    do-udp: yes
    do-tcp: yes
    do-daemonize: yes
    access-control: 0.0.0.0/0 allow   # recursion for any client: an open resolver if the host is internet-reachable
    chroot: /etc/unbound
    username: ""                      # empty string: do not drop root privileges after startup
    directory: /etc/unbound/          # working directory; relative file names below resolve against it
    use-syslog: no
    pidfile: /var/run/unbound.pid
    root-hints: /etc/unbound/named.cache
    logfile: /etc/unbound/unbound.log
    dlv-anchor-file: dlv.isc.org.key  # DLV trust anchor for dlv.isc.org, relative to directory:

forward-zone:
    name: "."                         # forward every query ...
    forward-addr: 68.87.68.170        # ... to this upstream, which is not DNSSEC-enabled
Is this the expected behaviour, or am I missing something here? Why can't the resolution proceed when the forwarder (Unbound) can talk DNSSEC and the actual resolver can't?
thanks,
Harish
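An added check, not code from this post or from Unbound: a validating resolver that forwards expects its upstream to accept EDNS0 with the DO bit and to hand back the RRSIG records alongside the answer; an upstream that strips them leaves the validator with exactly the "rrset failed to verify due to a lack of signatures" seen in the log above. The Python script below builds such a DO query in wire format by hand, parses the reply (including name compression) and reports what the upstream returned. `probe()` sends it to a real server; the two sample replies are constructed in code with dummy RDATA so the classifier can be exercised offline. All function and constant names are my own.

```python
import socket
import struct

TYPE_OPT, TYPE_RRSIG, TYPE_DNSKEY = 41, 46, 48
DO_BIT = 0x8000   # DO flag: high bit of the OPT record's "TTL" (flags) field

def encode_name(name):
    """Wire-format a dotted name; "." becomes the root (a single zero byte)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def opt_rr(do):
    """EDNS0 OPT pseudo-RR: root name, type 41, class = UDP size, TTL = flags."""
    return b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, DO_BIT if do else 0, 0)

def build_query(name, qtype, do=True, qid=0x1234):
    # recursive query (RD set); with do=True an OPT RR with DO is appended
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1 if do else 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1) + (opt_rr(True) if do else b"")

def read_name(msg, off):
    """Decode a possibly compressed name; returns (name, offset past it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if (length & 0xC0) == 0xC0:          # compression pointer
            end = end if end is not None else off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)

def parse_response(msg):
    # returns (header flags, [(name, type, class, ttl, rdata)]) over all RR sections
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = read_name(msg, off)
        off += 4                              # QTYPE + QCLASS
    records = []
    for _ in range(an + ns + ar):
        name, off = read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        records.append((name, rtype, rclass, ttl, msg[off:off + rdlen]))
        off += rdlen
    return flags, records

def summarize(msg):
    """The facts a validator needs from an upstream reply."""
    flags, records = parse_response(msg)
    opt = [r for r in records if r[1] == TYPE_OPT]
    return {"rcode": flags & 0x0F, "opt": bool(opt),
            "do": bool(opt) and bool(opt[0][3] & DO_BIT),   # OPT "TTL" field carries the flags
            "rrsig": sum(1 for r in records if r[1] == TYPE_RRSIG)}

def classify(summary):
    if summary["rcode"] != 0:
        return "rcode-%d" % summary["rcode"]
    if summary["rrsig"] > 0:
        return "signed"        # RRSIGs passed through: the validator has something to verify
    if not summary["opt"]:
        return "no-edns"       # upstream dropped EDNS0 entirely
    if not summary["do"]:
        return "do-cleared"    # EDNS0 answered but DO not honoured
    return "no-rrsig"          # DO echoed, yet no signatures came back

def probe(server, name=".", qtype=TYPE_DNSKEY, timeout=3.0):
    """Live UDP check (needs network): classify what `server` returns for a DO query."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qtype), (server, 53))
        reply, _ = s.recvfrom(65535)
    return classify(summarize(reply))

def build_response(qname, qtype, answers, do=None, qid=0x1234):
    """Constructed reply for offline use; answers = [(name, type, rdata)], do=None: no OPT RR."""
    header = struct.pack("!HHHHHH", qid, 0x8180, 1, len(answers), 0, 0 if do is None else 1)
    body = encode_name(qname) + struct.pack("!HH", qtype, 1)
    for name, rtype, rdata in answers:
        body += encode_name(name) + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
    return header + body + (b"" if do is None else opt_rr(do))

DNSKEY_DUMMY = b"\x01\x01\x03\x05" + b"K" * 8    # constructed dummy RDATA; only the types matter
RRSIG_DUMMY = b"\x00\x30\x05\x02" + b"S" * 16

def sample_unsigned_reply():   # shape of a non-DNSSEC-aware upstream's answer: DNSKEY only, EDNS0 dropped
    return build_response("dlv.isc.org.", TYPE_DNSKEY, [("dlv.isc.org.", TYPE_DNSKEY, DNSKEY_DUMMY)])

def sample_signed_reply():     # shape of a DNSSEC-aware upstream's answer: DNSKEY plus its RRSIG, DO echoed
    return build_response("dlv.isc.org.", TYPE_DNSKEY, [("dlv.isc.org.", TYPE_DNSKEY, DNSKEY_DUMMY),
                                                        ("dlv.isc.org.", TYPE_RRSIG, RRSIG_DUMMY)], do=True)
```

`classify(summarize(sample_unsigned_reply()))` gives "no-edns" and the signed sample gives "signed"; `probe("68.87.68.170")` would run the same check against the forward-addr from the post. Anything other than "signed" for a DNSKEY query at a signed name means the upstream cannot sit behind a validating Unbound, and the practical choices are a DNSSEC-capable upstream or validation turned off at this instance. The default probe name is the root DNSKEY rather than dlv.isc.org because ISC retired the DLV registry in 2017.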