[Unbound-users] wpbeginner.com

W.C.A. Wijngaards wouter at NLnetLabs.nl
Mon Jul 20 12:05:17 UTC 2009

Hash: SHA1

Hi Sven,

Because it is misconfigured and unbounds security policy.

If you ask .com servers for wpbeginner.com
it gives a delegation to:
wpbeginner.com. 172800  IN      NS      ns1.uzzz.net.
wpbeginner.com. 172800  IN      NS      ns2.uzzz.net.
ns1.uzzz.net.	172800	IN	A
ns2.uzzz.net.	172800	IN	A

Unbound however, does not believe the ns1.uzzz.net addresses
from here because of security policy.  (Otherwise cache
poisoning is going to happen).  It decides to check up
on things.

It asks for ns1.uzzz.net to the .net servers that give
this delegation:
uzzz.net.	172800	IN	NS	ns1.uzzz.net.
uzzz.net.	172800	IN	NS	ns2.uzzz.net.
ns1.uzzz.net.	172800	IN	A
ns2.uzzz.net.	172800	IN	A

This time, having asked the .net servers, unbound believes
the addresses, but the security policy is to check even further.
Unbound asks uzzz.net nameservers for ns1.uzzz.net.

As you can see in the dig sample below, it gets a reply
with a different address for ns1.uzzz.net.

$ dig @ ns1.uzzz.net.
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28863
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1
;ns1.uzzz.net.			IN	A
ns1.uzzz.net.		14400	IN	A
uzzz.net.		86400	IN	NS ns712.websitewelcome.com.
uzzz.net.		86400	IN	NS ns711.websitewelcome.com.
ns712.websitewelcome.com. 130930 IN	A

So, it finds out that the real address of ns1.uzzz.net is!
Because the uzzz.net server says so and is authoritative for the data.

Unbound then asks for wpbeginner.com.

$ dig @ wpbeginner.com
;; connection timed out; no servers could be reached

The same story for ns2.uzzz.net, the server does not respond to queries.

So, I would like to be able to provide the correct answer to
users who want to connect to wpbeginner.com ; unbound
tries to fetch the most authoritative response for it, but that
address will not answer.

All that said, if you really want to resolve this, the
option   harden-glue: no   does that.  (And allows cache

The best solution is to have wpbeginner.com publish correct
information to the verisign servers, and/or run a nameserver
on the address

Thank you for reporting the non-working address.

Best regards,

On 07/20/2009 12:46 PM, Sven Juergensen wrote:
> Hi list,
> any idea why wpbeginner.com can't be resolved
> using unbound 1.3.1?
> Thanks for any input.
> Best regards,
>     Sven Juergensen
> dig any wpbeginner.com @
> ; <<>> DiG 9.4.3-P1 <<>> any wpbeginner.com @
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 20992
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
> ;wpbeginner.com.            IN    ANY
> ;; Query time: 2877 msec
> ;; SERVER:
> ;; WHEN: Mon Jul 20 12:42:47 2009
> ;; MSG SIZE  rcvd: 32
> Mit freundlichen Gruessen,
>     i. A. Sven Juergensen
Unbound-users mailing list
Unbound-users at unbound.net

Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/


More information about the Unbound-users mailing list