[Unbound-users] Signed .de zone - temporary validation errors
Bernhard Schmidt
berni at birkenwald.de
Wed Mar 31 12:28:51 UTC 2010
Hi everyone,
I have a really weird occasional DNSSEC validation error with the DENIC
DNSSEC testbed.
My private server, running Debian testing, Unbound 1.4.3-1, libldns1
1.6.4-4, amd64 platform. Used to be the same on Unbound 1.4.0 with ldns
1.6.0, I haven't tested earlier versions. Configuration:
server:
    verbosity: 1
    extended-statistics: yes
    interface-automatic: yes
    dlv-anchor-file: "dlv.isc.org.key"
    trust-anchor-file: "trust-anchor.key"
    val-log-level: 1

remote-control:
    control-enable: yes

stub-zone:
    name: "de"
    stub-addr: 81.91.161.228 # auth-fra.dnssec.denic.de
    stub-addr: 2A02:568:0:1::53
    stub-addr: 87.233.175.25 # auth-ams.dnssec.denic.de
    stub-prime: no
trust-anchor.key is the one from
https://www.secure.denic.de/fileadmin/Domains/DNSSEC/de-trust-anchor.txt .
It occasionally happens after about one to two weeks of uptime that I
cannot query any .de domain anymore. All of a sudden the log is full
of validation errors:

Mar 30 16:29:40 svr01 unbound: [1315:0] info: validation failure <ecm1._domainkey.newsletter.postbank.de. TXT IN>
Mar 30 16:29:43 svr01 unbound: [1315:0] info: validation failure <postbank.de. NS IN>
Mar 30 16:29:43 svr01 unbound: [1315:0] info: validation failure <bounce.newsletter.postbank.de. MX IN>
Mar 30 16:29:43 svr01 unbound: [1315:0] info: validation failure <bounce.newsletter.postbank.de. A IN>
(for all domains in .de). Usually I just restart unbound and the problem
goes away. This time I wanted to collect additional information and did
not restart the daemon, but the problem went away on its own.
Mar 30 21:20:44 svr01 unbound: [1315:0] info: validation failure <svr02.teleport-iabg.de. A IN>
Mar 30 21:20:44 svr01 unbound: [1315:0] info: validation failure <svr02.teleport-iabg.de. AAAA IN>

and nothing more. Occasionally I also have messages like:

Mar 30 21:06:10 svr01 unbound: [1315:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure <de. DNSKEY IN>
Mar 30 21:06:10 svr01 last message repeated 2 times
Mar 30 21:06:10 svr01 unbound: [1315:0] info: failed to prime trust anchor -- could not fetch DNSKEY rrset <de. DNSKEY IN>
Mar 30 21:06:10 svr01 last message repeated 2 times
The process has been running untouched since March 21st.
I raised this on the DENIC ml. Peter Koch told me that he sees queries
from my IP address without the OPT-RR (so no EDNS and no DO) during that
timeframe, which would of course mean that Unbound would not get any
DNSSEC records, so complaining is a good plan indeed.
Has anyone seen this behaviour before? Is there any particular debug
command you want me to run the next time this happens? I am running
multiple unbound installations, all of them with DLV, some of them with
IANA ITAR, but this is the only one running the signed .de zone.
Best Regards,
Bernhard
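Since the poster's only symptom was "all of .de stops resolving until someone notices", here is an added example (not from the post or from Unbound) of a small detector over syslog lines in the format quoted above. It alerts when several distinct names under one TLD fail validation within a short window (one broken domain is that domain's problem; many at once points at the zone or at the resolver, here queries leaving without EDNS/DO), and separately counts trust-anchor priming failures. The year (syslog has none), the 5-minute window and the threshold of 3 names are assumptions; the sample log is constructed from the post's lines plus one unrelated .org failure.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

MSG_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ unbound: \[\d+:\d+\] info: "
                    r"(?P<msg>.+?) <(?P<name>\S+) (?P<rtype>\S+) \S+>$")
REPEAT_RE = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ last message repeated (?P<n>\d+) times$")

def parse_unbound_log(lines, year=2010):
    """(ts, message, owner name, rrtype) per message; syslog's 'last message repeated
    N times' is expanded so counts are right. Syslog has no year, so one is assumed."""
    events, last = [], None
    for line in lines:
        if m := MSG_RE.match(line.strip()):
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
            events.append(last := (ts, m["msg"], m["name"].lower(), m["rtype"]))
        elif (r := REPEAT_RE.match(line.strip())) and last:
            events.extend([last] * int(r["n"]))
    return events

def detect_zone_outage(events, window=timedelta(minutes=5), threshold=3):
    """{tld: first failure time} where >= threshold DISTINCT names under a TLD failed inside `window`."""
    by_tld = defaultdict(list)
    for ts, msg, name, _ in events:
        if msg == "validation failure":
            by_tld[name.rstrip(".").rsplit(".", 1)[-1]].append((ts, name))
    alerts = {}
    for zone, items in by_tld.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            if len({n for t, n in items[i:] if t - start <= window}) >= threshold:
                alerts.setdefault(zone, start)  # keep the earliest window that tripped
    return alerts

def trust_anchor_failures(events):
    # 'failed to prime trust anchor' messages per anchor zone, repeats included
    counts = defaultdict(int)
    for _, msg, name, _ in events:
        if msg.startswith("failed to prime trust anchor"):
            counts[name] += 1
    return dict(counts)

# Constructed sample: the post's wrapped log lines re-joined, plus one unrelated .org failure.
SAMPLE_LOG = """\
Mar 30 16:29:40 svr01 unbound: [1315:0] info: validation failure <ecm1._domainkey.newsletter.postbank.de. TXT IN>
Mar 30 16:29:43 svr01 unbound: [1315:0] info: validation failure <postbank.de. NS IN>
Mar 30 16:29:50 svr01 unbound: [1315:0] info: validation failure <svr02.teleport-iabg.de. A IN>
Mar 30 21:06:10 svr01 unbound: [1315:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure <de. DNSKEY IN>
Mar 30 21:06:10 svr01 last message repeated 2 times
Mar 30 21:30:00 svr01 unbound: [1315:0] info: validation failure <example.org. A IN>
""".splitlines()
```

On the sample, detect_zone_outage() flags "de" at 16:29:40 and nothing for "org"; feeding the real syslog through the same functions and paging on a non-empty result would have caught the outage described above without waiting for failed lookups.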