[Unbound-users] unbound-host ignoring expired RRSIGs?

Paul Wouters paul at xelerance.com
Tue Jul 28 17:47:13 UTC 2009


I just ran into an issue where I could not resolve dnsops.biz. After some
investigation, it seems unbound was right. The RRSIG records expired 4
days ago.

dnsops.biz.		3600	IN	RRSIG	DNSKEY 5 2 3600 20090725124034 20090625124034 43287 dnsops.biz. SPUrR6Wb2UMt6NQTf6g6dodYvg7Rn1AfZi1eSKZqV/PVwGnYQIC1OILI qLjejtL/A32bfgdaSvhS2MAsM9RK33zaAba5Rho+U0m2X4X0Ua6XqrK0 A8Hmi9lL2WsE2lhymqjWgbUAnusmgPi727yXTj9Pm2GIlEkAu2/kyJh+ w7xjs8BCL/LzZO/bfzgiK80olvneQC+ilycxwGKg8EUCq3s2Ec1D3gon 3JywyTkuWbSMLaMcbf6EXze8EaVeSvlVWYSALBjDOF4gkoegtcyL+zy8 15KR8czTQk14GkS7z1NrZCfwoMU3bbZXrVHvzY1EHwNDdnXD0ii6FMex pVN28A==

I took me a little while to figure this out, as "unbound-host" would
happilly return the record, without any indication of a problem, while
the unbound daemon itself would only do so with the CD bit set.

It was even more confusing as our DNSX Resolver has the key for dnsops.biz
loaded, and the answer unbound-host gave was "(insecure)". In fact,
it should say it was "(expired)" or "(invalid)" or something. It is
clearly not "just" insecure when the configuration has a DNSKEY loaded,
which signature expired.

Anyway, it at least explains the error I was seeing for xelerance.dnsops.biz.


More information about the Unbound-users mailing list