[Unbound-users] Unbound dropping RRSIGs from zone?
W.C.A. Wijngaards
wouter at NLnetLabs.nl
Sat Dec 24 11:24:55 UTC 2011
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi Rob,
On 12/21/2011 03:28 PM, Rob Gallagher wrote:
> Hi all,
>
> I noticed a strange issue with one of our Unbound 1.4.1 resolvers and a
> signed zone that we maintain (0.7.7.0.1.0.0.2.ip6.arpa - no DS
> records are published to the parent yet).
Try updating to 1.4.14, apart from the vuln patch there have been a
number of fixes inthe meantime with handling EDNS-timeouts and
fragmentation issues. You perhaps have such fragmentation issues.
It is also a good idea to perform the oarc edns reply size test, see if
packets larger than 1500 go there, fix you old routers, firewalls to
handle UDP fragments (the upgrade may workaround it, but this will fix
it and make your nameservers run better (EDNS larger sizes work)).
Best regards,
Wouter
> A nagios plugin had been regularly alarming that the zone was
> unsigned, and indeed when I queried the Unbound resolver that our
> monitoring server uses the RRSIG had been stripped out of the reply:
>
> --------8<--------
>
>>> dig @windu 0.7.7.0.1.0.0.2.ip6.arpa soa +dnssec
>
> ; <<>> DiG 9.7.3 <<>> @windu 0.7.7.0.1.0.0.2.ip6.arpa soa +dnssec
> ; (2 servers found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42217
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;0.7.7.0.1.0.0.2.ip6.arpa. IN SOA
>
> ;; ANSWER SECTION:
> 0.7.7.0.1.0.0.2.ip6.arpa. 814 IN SOA ns.heanet.ie.
> hostmaster.heanet.ie. 2011122000 7200 7200 432000 3600
>
> --------8<--------
>
> An identical resolver returns the correct record however:
>
> --------8<--------
>
>>> dig @dooku 0.7.7.0.1.0.0.2.ip6.arpa soa +dnssec
>
> ; <<>> DiG 9.7.3 <<>> @dooku 0.7.7.0.1.0.0.2.ip6.arpa soa +dnssec
> ; (2 servers found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47300
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;0.7.7.0.1.0.0.2.ip6.arpa. IN SOA
>
> ;; ANSWER SECTION:
> 0.7.7.0.1.0.0.2.ip6.arpa. 111 IN SOA ns.heanet.ie.
> hostmaster.heanet.ie. 2011122000 7200 7200 432000 3600
> 0.7.7.0.1.0.0.2.ip6.arpa. 111 IN RRSIG SOA 8 10
> 3600 20111226202852 20111220000932 45295 0.7.7.0.1.0.0.2.ip6.arpa.
> BWYHZQK8cxu71ysSVKeUAQobe270QWIm4zwXFloBZy8VkvH3OCQdskoB
> Xu6Ff7Hql8qi85y7yoAIMofDLLtPfBue1QLIYPT/ioBM81XYJqLJOHwd
> gqUUoaR1hufB0ewiCO04QwY2Mq985VzsZyAQ4n+E1OiuRqpvUOCEBoDh uYk=
>
> --------8<--------
>
> Manually flushing the record, restarting unbound, or waiting for the
> TTL to expire causes the resolver to re-fetch the missing RRSIGs and
> things continue as normal, but the problem seems to re-appear every
> couple of days according to the nagios plugin logs.
>
> Nothing obvious turns up in the logs on the resolver, at verbosity 2 at
> least, should I increase the verbosity to something noisier?
>
> rg
>
>
>
>
> _______________________________________________
> Unbound-users mailing list
> Unbound-users at unbound.net
> http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.15 (GNU/Linux)
Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org/
iQIcBAEBAgAGBQJO9baHAAoJEJ9vHC1+BF+NMfEP/2ACDWrJCZmOAhzY4AvEL/zw
zSaDoBaSoYt5zOIyFHvHDWQGRSdcwjEwuuHm6zggtRjKlug6pG2Y2LST/20j6zlh
bKXDD1/vISCOQL5V+qW5J+p31mGjBJ0uSo7ZfJPlp8iZEna4NBJKVrhsKECj1yy/
C9MjdGnssnI+/cwn8YFVMhzeFtXOyGIT/4bQXrvqcQZzr4nxz+F228cEHnFce/Nw
B9hEn+8aASmmBoYlXjEWDsGllt7Zo2Nsdkb6M7EnLlRJz6HlzpWU0LVLyXyarrqr
vWcJctf0i+IPF/d3C6JCPYM9FXZtACrjDFoQOXGkEKWss1OhvbgbKVSP3E4M83Kh
+MxONjOMeHDPKlaOKMHiUA+W0wjnQVcOFuAR3Z/spgpyGJ2+fZelwBX6ftqDo1SA
b6dHupT3tSx3WV9y/NeyNPjlnsWHDnsQLN9jDfLgg2rPJCijMO5kx+M8DWxRO7+T
Mw7UoXYz+PsNTb5S7ZQb3zX3D1DZ411q8qB87+W6m98u8NsvcJUOdPMif1JzZca3
hRzSyB5nvW9yQwmkeAMr1ypNJKlwMokwJhSKpe1gMABxyBueb+7LrG+6wntRu33Z
rx3QU4Tej7UgR3tVHLIc48BVbqgI7cQXlLRKjZ+LgyyZYeFuRNZgwz4oKS5VLPIy
9sB6vbLgL259Uc1n5l/t
=4nTw
-----END PGP SIGNATURE-----
More information about the Unbound-users
mailing list