[Unbound-users] Validation failure of DNSSEC signed domain names

Thu Apr 29 15:56:19 UTC 2010

On 29.4.2010 16:29, W.C.A. Wijngaards wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi Zbynek,
>
> Which version of unbound is this (1.4.4?)

Yes, it is 1.4.4-1 from Debian unstable

> I have just made fixes to svn trunk that may help in this case.  But
> they may not be sufficient to help you here (its about looking in the
> key cache to see if nic.cz needs DNSSEC).

Ok, thanks, I will try the latest trunk version.

> Can you do an unbound-control lookup nic.cz  (when it is in the bad state) ?

In current state I get correct answer for A www.nic.cz, but SERVFAIL for AAAA 
www.nic.cz.

--- OUT ---
The following name servers are used for lookup of nic.cz.
;rrset 1107 3 1 11 4
nic.cz.	1107	IN	NS	d.ns.nic.cz.
nic.cz.	1107	IN	NS	b.ns.nic.cz.
nic.cz.	1107	IN	NS	a.ns.nic.cz.
nic.cz.	1107	IN	RRSIG	NS 5 2 1800 20100512080302 20100428080302 62837 nic.cz. 
Vey1LxxZh6bY7WJfUVJ2T4tMrP0hmPrT1sft19osJKp4AvIgrk9iyuGvSldh3la4m0fKJoZgnMqOOiwGQLeHWHdHUym4d5du9a0dZNfh4I/NOSK4GFwYENu98YLFLpc0dvCFRS54vzcoHriKmxgK+w04WF/j/pcCroi3xfHkWj8= 
;{id = 62837}
;rrset 917 1 1 11 4
a.ns.nic.cz.	917	IN	A	194.0.12.1
a.ns.nic.cz.	917	IN	RRSIG	A 5 4 1800 20100512080302 20100428080302 62837 nic.cz. 
RXwerdKvK5S4CpHnpHdJHd4mrRN2A5+gHKFrWiLx67igPaPjzshL/us1iRbP+gU5TIT6R509Dh0p97HKvcqKuI3N6QlfuMapsG9VZifom5ucoroOlRhLcXNOcXWhA9OFucVp5kw+Fumy2VxC5+kPGFQHQL8I397w3ZtYXwm92aU= 
;{id = 62837}
;rrset 917 1 1 11 4
a.ns.nic.cz.	917	IN	AAAA	2001:678:f::1
a.ns.nic.cz.	917	IN	RRSIG	AAAA 5 4 1800 20100512080302 20100428080302 62837 
nic.cz. 
rCLjR880rjIZGicHHq63Gq5m+WfM0n2yn+aW92xpufryP5pEaYUftSflNU4BQBsi1cTNHG8w87/gH+td9Sqn7qf1yRnn77USbJO+l0dI29fSqhUc1xsAwGax4ngBFgu7XOiugK2rpjw6gkzbFm71ZjUIN/d29TCd3FSM/OQaMnQ= 
;{id = 62837}
;rrset 917 1 1 11 4
b.ns.nic.cz.	917	IN	A	194.0.13.1
b.ns.nic.cz.	917	IN	RRSIG	A 5 4 1800 20100512080302 20100428080302 62837 nic.cz. 
ZUMnD1hyOtW+QNimx+ciD9VpW6SgmSn38KByTF3m6NFqVZMYq1kflzB8O6yXUCZM7DJ2VjqyTmz29DjOdMPdjVCGbNfIsTw0DDQL0HJgbPdhpkBKnI5zB27uPa9c5a1/YHcK+U0mJS0jXQcHZ0ESAG5CaAeOA40wmPp6tWDYlwU= 
;{id = 62837}
;rrset 917 1 1 11 4
b.ns.nic.cz.	917	IN	AAAA	2001:678:10::1
b.ns.nic.cz.	917	IN	RRSIG	AAAA 5 4 1800 20100512080302 20100428080302 62837 
nic.cz. 
MhzeMMl7CplPDCw2BGqDBynBWHahsBuZ+RJGAMUQZZnmi2HrOEIf3DIgpLLz0BPCV2iVII/vda+EXk6uLDrZOkRoEeNpnC6GEu9gSCPJic941B0dn6j8Tq8Aya/yrZULFcIczJR8Kol2BvFWonMN2nj8LXGyZJupW0Unj9ousyA= 
;{id = 62837}
;rrset 917 1 1 11 4
d.ns.nic.cz.	917	IN	A	193.29.206.1
d.ns.nic.cz.	917	IN	RRSIG	A 5 4 1800 20100512080302 20100428080302 62837 nic.cz. 
OKaPN50Vsl1ckhGJyLIdWChRtgFZ/oew2o45XqWSBGQAU8VPFGBrsUmUsPA+W6iOEHjEoojlI8g9M5/PvgfnkQT/LnaIy2r9Zc8gMy8RMHKpET60/Fxhq5PSddIrxNdBzb1+tt5jSAiLvVYvyZ1FBmRiSpRGixHPW7XTnY85Vyg= 
;{id = 62837}
;rrset 917 1 1 11 4
d.ns.nic.cz.	917	IN	AAAA	2001:678:1::1
d.ns.nic.cz.	917	IN	RRSIG	AAAA 5 4 1800 20100512080302 20100428080302 62837 
nic.cz. 
RnjoxRNy/LNJgwH8P3WYuHM6aI6EK5wLPRxVXIHxVkM5+jZT4QlcHa7Nf3/Mrg3YcVeHRFj2J1VTFaw5NODh+OcgJyFU53+Q0Ay7GF0BxhpN9Sq8vPX80okCf+da2TA/FmbbFNOqaei0OgSSq2J12AwOluSMXK+suxOHHBkmdBY= 
;{id = 62837}
Delegation with 3 names, of which 0 can be examined to query further addresses.
It provides 6 IP addresses.
2001:678:1::1   	not in infra cache.
193.29.206.1    	rtt 184 msec, 0 lost. noEDNS probed.
2001:678:10::1  	not in infra cache.
194.0.13.1      	rtt 3109 msec, 0 lost. noEDNS probed.
2001:678:f::1   	not in infra cache.
194.0.12.1      	rtt 1456 msec, 0 lost. noEDNS probed.
--- /OUT ---

Regards,
Zbynek