[Unbound-users] DNSSEC mismatch between Bind 9.7 and Unbound
lst_hoe02 at kwsoft.de
Fri Nov 5 15:01:35 UTC 2010
Hello,
today we got this one:
Nov 4 15:51:34 mailer unbound: [17795:1] info: validation failure
<lipsofsuna.org. A IN>: DS got unsigned CNAME answer from 10.5.0.3 and
10.5.0.3 for DS lipsofsuna.org. while building chain of trust
Unbound (127.0.0.1) point of view:
; <<>> DiG 9.4.2-P2.1 <<>> @127.0.0.1 +dnssec lipsofsuna.org
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 29562
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;lipsofsuna.org. IN A
; <<>> DiG 9.4.2-P2.1 <<>> @127.0.0.1 +dnssec +cdflag lipsofsuna.org
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59237
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;lipsofsuna.org. IN A
;; ANSWER SECTION:
lipsofsuna.org. 529 IN CNAME vhost.sourceforge.net.
vhost.sourceforge.net. 1214 IN A 216.34.181.97
;; AUTHORITY SECTION:
sourceforge.net. 61634 IN NS ns-1.sourceforge.com.
sourceforge.net. 61634 IN NS ns-1.ch3.sourceforge.com.
sourceforge.net. 61634 IN NS ns-2.ch3.sourceforge.com.
; <<>> DiG 9.4.2-P2.1 <<>> @127.0.0.1 +dnssec +cdflag lipsofsuna.org DS
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6632
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;lipsofsuna.org. IN DS
;; ANSWER SECTION:
lipsofsuna.org. 504 IN CNAME vhost.sourceforge.net.
;; AUTHORITY SECTION:
sourceforge.net. 120 IN SOA ns-1.ch3.sourceforge.com.
hostmaster.corp.sourceforge.com. 2010110300 14400 1800 604800 3600
and Bind 9.7 (10.5.0.3) point of view:
; <<>> DiG 9.4.2-P2.1 <<>> @10.5.0.3 +dnssec lipsofsuna.org
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35972
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;lipsofsuna.org. IN A
;; ANSWER SECTION:
lipsofsuna.org. 485 IN CNAME vhost.sourceforge.net.
vhost.sourceforge.net. 2285 IN A 216.34.181.97
;; AUTHORITY SECTION:
sourceforge.net. 61590 IN NS ns-1.sourceforge.com.
sourceforge.net. 61590 IN NS ns-2.ch3.sourceforge.com.
sourceforge.net. 61590 IN NS ns-1.ch3.sourceforge.com.
; <<>> DiG 9.4.2-P2.1 <<>> @10.5.0.3 +dnssec +cdflag lipsofsuna.org DS
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32497
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;lipsofsuna.org. IN DS
;; ANSWER SECTION:
lipsofsuna.org. 468 IN CNAME vhost.sourceforge.net.
;; AUTHORITY SECTION:
sourceforge.net. 84 IN SOA ns-1.ch3.sourceforge.com.
hostmaster.corp.sourceforge.com. 2010110300 14400 1800 604800 3600
Unbound is configured to use the Bind 9.7 at 10.5.0.3 as forwarder.
Where is the problem, so that Unbound does not validate it?
Many Thanks
Andreas
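
Added example, not part of the original post: a Python script that reads dig output like the above and flags the two symptoms visible in it, a SERVFAIL that becomes NOERROR once +cdflag is set, and a DS query answered by a CNAME with no RRSIG. SAMPLE is abridged from the post's own output; the function names and finding labels are illustrative assumptions.

```python
import re

# Constructed sample, abridged from the post's dig output; function names are illustrative.
SAMPLE = """\
; <<>> DiG 9.4.2-P2.1 <<>> @127.0.0.1 +dnssec lipsofsuna.org
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 29562
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;lipsofsuna.org. IN A
; <<>> DiG 9.4.2-P2.1 <<>> @127.0.0.1 +dnssec +cdflag lipsofsuna.org
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59237
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 1
;lipsofsuna.org. IN A
;; ANSWER SECTION:
lipsofsuna.org. 529 IN CNAME vhost.sourceforge.net.
; <<>> DiG 9.4.2-P2.1 <<>> @127.0.0.1 +dnssec +cdflag lipsofsuna.org DS
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6632
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;lipsofsuna.org. IN DS
;; ANSWER SECTION:
lipsofsuna.org. 504 IN CNAME vhost.sourceforge.net.
"""

def parse_dig(text):
    """Split concatenated dig output into one dict per query."""
    out = []
    for block in text.split("; <<>> DiG ")[1:]:
        server = re.match(r"\S+ <<>> @(\S+)", block)
        status = re.search(r"status: (\w+)", block)
        flags = re.search(r"^;; flags: ([^;]*);", block, re.M)
        q = re.search(r"^;(\S+)\s+IN\s+(\S+)$", block, re.M)
        if not (server and status and flags and q):
            continue  # incomplete block, nothing to classify
        answer = block.partition(";; ANSWER SECTION:")[2].partition(";; AUTHORITY SECTION:")[0]
        out.append({"server": server.group(1), "qname": q.group(1), "qtype": q.group(2),
                    "status": status.group(1), "cd": "cd" in flags.group(1).split(),
                    "types": re.findall(r"^\S+\s+\d+\s+IN\s+(\S+)", answer, re.M)})
    return out

def diagnose(responses):
    """Flag SERVFAIL-unless-CD pairs and DS queries answered by an unsigned CNAME."""
    findings = []
    for r in responses:
        key = (r["server"], r["qname"], r["qtype"])
        if r["status"] == "SERVFAIL" and not r["cd"] and any(
                o["cd"] and o["status"] == "NOERROR"
                and (o["server"], o["qname"], o["qtype"]) == key for o in responses):
            findings.append(("validation-failure",) + key)
        if r["qtype"] == "DS" and "CNAME" in r["types"] and "RRSIG" not in r["types"]:
            findings.append(("unsigned-cname-for-ds",) + key)
    return findings
```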