[Unbound-users] unbound failed when validating
Cathy Zhang
zhangclcathy at gmail.com
Tue Jul 12 09:40:54 UTC 2011
hi Wouter,
thanks a lot for your answer. but i can get the following response
from bind recursor:
there is 'ad' flag. so i wonder whether the validation should be
'pass' or 'failed'.
-----------------------------------------------
dig foo.dname2.example. any @10.53.0.4 +dnssec
; <<>> DiG 9.7.3 <<>> foo.dname2.example. any @10.53.0.4 +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22482
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 7, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;foo.dname2.example. IN ANY
;; ANSWER SECTION:
dname2.example. 81 IN DNAME dname2-target.example.
dname2.example. 81 IN RRSIG DNAME 3 2 300
20110811002909 20110712002909 41604 example.
BKfBYKdcGieT+EEIGl2vilfsl7egcmfvQsLgAwEhp1vQPJTxkNNJ6BM=
foo.dname2.example. 81 IN CNAME foo.dname2-target.example.
foo.dname2-target.example. 3381 IN RRSIG NSEC 3 3 3600
20110811002909 20110712002909 41604 example.
BFyRlAUY3vBL2E7JEyezzaxjgBoycn0M5ZXJ8vRxa7suQi7cnoo6Z1s=
foo.dname2-target.example. 3381 IN NSEC dynamic.example. TXT RRSIG NSEC
foo.dname2-target.example. 81 IN RRSIG TXT 3 3 300
20110811002909 20110712002909 41604 example.
BAXpPonMvpx/Dyw/z0UP9DwYiLWlrffj9zJF7V7kfxpLF7X/mTftZWE=
foo.dname2-target.example. 81 IN TXT "testing dname"
;; Query time: 1 msec
;; SERVER: 10.53.0.4#53(10.53.0.4)
;; WHEN: Tue Jul 12 17:30:06 2011
;; MSG SIZE rcvd: 403
2011/7/12, W.C.A. Wijngaards <wouter at nlnetlabs.nl>:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi Cathy,
>
> Unbound follows the DNAME when answering the ANY query, like Luo Ce has
> reported. But, in this case, it is confused by the unsigned target and
> thus unsigned data that appears in the ANY response.
>
> There are two roads to solution. Unbound can stop following CNAME and
> DNAME if the qtype is ANY. Unbound can learn that ANY responses may
> contain CNAME and DNAME and thus also target zone contents and validate
> that.
>
> Best regards,
> Wouter
>
>
> On 07/12/2011 04:45 AM, Cathy Zhang wrote:
>> unbound responds with status SERVFAIL for request 'dig
>> foo.dname2.example. any +dnssec'. I think it means unbound failed to
>> validate the data and i found such statements in log:
>> 12-Jul-2011 09:32:51.666 info: no signer, using <foo.dname2.example.
>> TYPE0 CLASS0>
>> would it be 'example' the signer instead of 'foo.dname2.example'?
>>
>> here is the response for request with cd bit set
>> $ dig foo.dname2.example. any @10.53.0.8 +cdflag
>>
>> ; <<>> DiG 9.7.3 <<>> foo.dname2.example. any @10.53.0.8 +cdflag
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40226
>> ;; flags: qr rd ra cd; QUERY: 1, ANSWER: 7, AUTHORITY: 2, ADDITIONAL: 2
>>
>> ;; QUESTION SECTION:
>> ;foo.dname2.example. IN ANY
>>
>> ;; ANSWER SECTION:
>> dname2.example. 300 IN DNAME dname2-target.example.
>> dname2.example. 300 IN RRSIG DNAME 3 2 300
>> 20110811002909 20110712002909 41604 example.
>> BKfBYKdcGieT+EEIGl2vilfsl7egcmfvQsLgAwEhp1vQPJTxkNNJ6BM=
>> foo.dname2.example. 0 IN CNAME foo.dname2-target.example.
>> foo.dname2-target.example. 300 IN TXT "testing dname"
>> foo.dname2-target.example. 300 IN RRSIG TXT 3 3 300
>> 20110811002909 20110712002909 41604 example.
>> BAXpPonMvpx/Dyw/z0UP9DwYiLWlrffj9zJF7V7kfxpLF7X/mTftZWE=
>> foo.dname2-target.example. 3600 IN NSEC dynamic.example. TXT RRSIG
>> NSEC
>> foo.dname2-target.example. 3600 IN RRSIG NSEC 3 3 3600
>> 20110811002909 20110712002909 41604 example.
>> BFyRlAUY3vBL2E7JEyezzaxjgBoycn0M5ZXJ8vRxa7suQi7cnoo6Z1s=
>>
>> ;; AUTHORITY SECTION:
>> example. 300 IN NS ns2.example.
>> example. 300 IN NS ns3.example.
>>
>> ;; ADDITIONAL SECTION:
>> ns2.example. 300 IN A 10.53.0.2
>> ns3.example. 300 IN A 10.53.0.3
>>
>> ;; Query time: 92 msec
>> ;; SERVER: 10.53.0.8#53(10.53.0.8)
>> ;; WHEN: Tue Jul 12 09:38:11 2011
>> ;; MSG SIZE rcvd: 474
>> _______________________________________________
>> Unbound-users mailing list
>> Unbound-users at unbound.net
>> http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.11 (GNU/Linux)
> Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
>
> iQIcBAEBAgAGBQJOG/OkAAoJEJ9vHC1+BF+NK5UQAKC+N5cLRrf8i/ZRSkfQntb9
> Oq8FSHzp3Hz+vBW10Q0HRxp3T6paCvEu/5eqYqlCiJJdUFPTk4icG3wOBOH7zXyj
> rI95P9n4V1gEfUxg10gK1IlLFD8jgN485zhZdQS07Zs8FJjsUqHjpLITo4qO445v
> q4BRWbm4ttMbyTOAxw/dh9g41QrpqsEYPdEGcMmtDCEltTpuD8xJB+GGO/3j/V1A
> G7sm73vm0J1K8c0DW5/3Dztr/+nGTDUynNL+tvWwBOliZYHch3k4U5rE7rcuxSH0
> s0r//PbKAkU2hXh1tsStnKzq2eUCHo9dxIQhHte60otvmsoshHjY4yjtMiIFi2pp
> G0pVD4+uEphuHuCdWq8LmP6h0bkx4v6m4I9oMp2DGCXA5AFkhVHBmrxTXvTaPYY6
> h0eobzhiSqklyUlPeZklW/OYsrjJ3leGxXZiJE1pq0SDQX8Lt8z5QudCjDWhA01T
> v6CIZCp7mtW1bFATgVPUA+cKLAhjdAaea0z63VEFVT5WxsAhsdaW0Z04zRrZTAxb
> OKkEfekuCq9Rgo4JRtcgHBppuBWAhHr5zCD7TT9kOk7J9QZb4OkLclnC2xQxJJip
> NSvZ4FCYxsQuDt2QHkRcDyBgknll6jPFnFQKKpksP946yy9VZCCLuMJtqQBGS0C7
> D2KKFScj1x0hhOG24eA/
> =0D3H
> -----END PGP SIGNATURE-----
> _______________________________________________
> Unbound-users mailing list
> Unbound-users at unbound.net
> http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
>
More information about the Unbound-users
mailing list