[Unbound-users] unbound failed when validating
W.C.A. Wijngaards
wouter at NLnetLabs.nl
Tue Jul 12 10:21:16 UTC 2011
Hi Cathy,

That message is in error (just like Unbound, but wrong the other way).
Because the TXT record is not signed, the result should have been sent
without the AD flag. (CNAME sequence from signed to unsigned zone
becomes insecure.) Something that could well be reported to the ISC people.

Best regards,
Wouter
On 07/12/2011 11:40 AM, Cathy Zhang wrote:
> Hi Wouter,
> Thanks a lot for your answer. But I can get the following response
> from the BIND recursor:
> There is an 'ad' flag, so I wonder whether the validation should be
> 'pass' or 'failed'.
> -----------------------------------------------
> dig foo.dname2.example. any @10.53.0.4 +dnssec
>
> ; <<>> DiG 9.7.3 <<>> foo.dname2.example. any @10.53.0.4 +dnssec
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22482
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 7, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;foo.dname2.example. IN ANY
>
> ;; ANSWER SECTION:
> dname2.example. 81 IN DNAME dname2-target.example.
> dname2.example. 81 IN RRSIG DNAME 3 2 300
> 20110811002909 20110712002909 41604 example.
> BKfBYKdcGieT+EEIGl2vilfsl7egcmfvQsLgAwEhp1vQPJTxkNNJ6BM=
> foo.dname2.example. 81 IN CNAME foo.dname2-target.example.
> foo.dname2-target.example. 3381 IN RRSIG NSEC 3 3 3600
> 20110811002909 20110712002909 41604 example.
> BFyRlAUY3vBL2E7JEyezzaxjgBoycn0M5ZXJ8vRxa7suQi7cnoo6Z1s=
> foo.dname2-target.example. 3381 IN NSEC dynamic.example. TXT RRSIG NSEC
> foo.dname2-target.example. 81 IN RRSIG TXT 3 3 300
> 20110811002909 20110712002909 41604 example.
> BAXpPonMvpx/Dyw/z0UP9DwYiLWlrffj9zJF7V7kfxpLF7X/mTftZWE=
> foo.dname2-target.example. 81 IN TXT "testing dname"
>
> ;; Query time: 1 msec
> ;; SERVER: 10.53.0.4#53(10.53.0.4)
> ;; WHEN: Tue Jul 12 17:30:06 2011
> ;; MSG SIZE rcvd: 403
>
>
> 2011/7/12, W.C.A. Wijngaards <wouter at nlnetlabs.nl>:
> Hi Cathy,
>
> Unbound follows the DNAME when answering the ANY query, like Luo Ce has
> reported. But, in this case, it is confused by the unsigned target and
> thus unsigned data that appears in the ANY response.
>
> There are two roads to solution. Unbound can stop following CNAME and
> DNAME if the qtype is ANY. Unbound can learn that ANY responses may
> contain CNAME and DNAME and thus also target zone contents and validate
> that.
>
> Best regards,
> Wouter
>
>
> On 07/12/2011 04:45 AM, Cathy Zhang wrote:
>>>> Unbound responds with status SERVFAIL for the request 'dig
>>>> foo.dname2.example. any +dnssec'. I think it means Unbound failed to
>>>> validate the data, and I found this statement in the log:
>>>> 12-Jul-2011 09:32:51.666 info: no signer, using <foo.dname2.example. TYPE0 CLASS0>
>>>> Should the signer be 'example' instead of 'foo.dname2.example'?
>>>>
>>>> Here is the response for the request with the CD bit set:
>>>> $ dig foo.dname2.example. any @10.53.0.8 +cdflag
>>>>
>>>> ; <<>> DiG 9.7.3 <<>> foo.dname2.example. any @10.53.0.8 +cdflag
>>>> ;; global options: +cmd
>>>> ;; Got answer:
>>>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40226
>>>> ;; flags: qr rd ra cd; QUERY: 1, ANSWER: 7, AUTHORITY: 2, ADDITIONAL: 2
>>>>
>>>> ;; QUESTION SECTION:
>>>> ;foo.dname2.example. IN ANY
>>>>
>>>> ;; ANSWER SECTION:
>>>> dname2.example. 300 IN DNAME dname2-target.example.
>>>> dname2.example. 300 IN RRSIG DNAME 3 2 300
>>>> 20110811002909 20110712002909 41604 example.
>>>> BKfBYKdcGieT+EEIGl2vilfsl7egcmfvQsLgAwEhp1vQPJTxkNNJ6BM=
>>>> foo.dname2.example. 0 IN CNAME foo.dname2-target.example.
>>>> foo.dname2-target.example. 300 IN TXT "testing dname"
>>>> foo.dname2-target.example. 300 IN RRSIG TXT 3 3 300
>>>> 20110811002909 20110712002909 41604 example.
>>>> BAXpPonMvpx/Dyw/z0UP9DwYiLWlrffj9zJF7V7kfxpLF7X/mTftZWE=
>>>> foo.dname2-target.example. 3600 IN NSEC dynamic.example. TXT RRSIG NSEC
>>>> foo.dname2-target.example. 3600 IN RRSIG NSEC 3 3 3600
>>>> 20110811002909 20110712002909 41604 example.
>>>> BFyRlAUY3vBL2E7JEyezzaxjgBoycn0M5ZXJ8vRxa7suQi7cnoo6Z1s=
>>>>
>>>> ;; AUTHORITY SECTION:
>>>> example. 300 IN NS ns2.example.
>>>> example. 300 IN NS ns3.example.
>>>>
>>>> ;; ADDITIONAL SECTION:
>>>> ns2.example. 300 IN A 10.53.0.2
>>>> ns3.example. 300 IN A 10.53.0.3
>>>>
>>>> ;; Query time: 92 msec
>>>> ;; SERVER: 10.53.0.8#53(10.53.0.8)
>>>> ;; WHEN: Tue Jul 12 09:38:11 2011
>>>> ;; MSG SIZE rcvd: 474
>>>> _______________________________________________
>>>> Unbound-users mailing list
>>>> Unbound-users at unbound.net
>>>> http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
>
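Wouter's rule above (a chain that runs from signed data into an unsigned zone yields an Insecure answer, so neither the AD flag nor a SERVFAIL is the correct outcome) as an added Python illustration; this is not Unbound or BIND code. It assumes that every RRSIG present has already been cryptographically verified (`signed=True`) and that the validator holds a proof that `dname2-target.example.` is an unsigned delegation (the `insecure_zones` argument), as Wouter's description of the target implies; the sample RRsets are constructed from the records quoted in the thread.

```python
from collections import namedtuple

# owner, type, rdata list, and whether a verified RRSIG covers the RRset
RRset = namedtuple("RRset", "owner rtype rdata signed", defaults=[False])
RANK = {"secure": 0, "insecure": 1, "bogus": 2}

def _unsigned_status(owner, insecure_zones):
    # Unsigned data is 'insecure' only below a proven unsigned delegation;
    # anywhere else a missing signature makes the answer 'bogus'.
    under = any(owner == z or owner.endswith("." + z) for z in insecure_zones)
    return "insecure" if under else "bogus"

def _cname_from_signed_dname(owner, target, by_owner):
    # A synthesised CNAME has no RRSIG of its own; it inherits the security of
    # a signed DNAME at an ancestor whose substitution yields exactly this target.
    labels = owner.split(".")
    for i in range(1, len(labels) - 1):
        dn = by_owner.get(".".join(labels[i:]), {}).get("DNAME")
        if dn and dn.signed and ".".join(labels[:i]) + "." + dn.rdata[0] == target:
            return True
    return False

def chain_status(qname, answer, insecure_zones=()):
    """Return 'secure', 'insecure' or 'bogus' for the whole chain; a resolver
    may set AD only for 'secure' and SERVFAIL (without CD) only for 'bogus'."""
    by_owner = {}
    for rs in answer:
        by_owner.setdefault(rs.owner, {})[rs.rtype] = rs
    status, name = "secure", qname
    for _ in range(len(answer) + 1):          # bounded walk: a CNAME loop is bogus
        here = by_owner.get(name, {})
        if "CNAME" in here:
            cn = here["CNAME"]
            if not (cn.signed or _cname_from_signed_dname(name, cn.rdata[0], by_owner)):
                status = max(status, _unsigned_status(name, insecure_zones), key=RANK.get)
            name = cn.rdata[0]
            continue
        for rs in here.values():              # terminal RRsets at the chain end
            if not rs.signed:
                status = max(status, _unsigned_status(name, insecure_zones), key=RANK.get)
        return status
    return "bogus"

# Constructed sample modelled on the thread's records: signed DNAME, synthesised
# CNAME, and the TXT at the target as Wouter describes it (unsigned).
DNAME = RRset("dname2.example.", "DNAME", ["dname2-target.example."], True)
CNAME = RRset("foo.dname2.example.", "CNAME", ["foo.dname2-target.example."])
TXT_UNSIGNED = RRset("foo.dname2-target.example.", "TXT", ['"testing dname"'])
TXT_SIGNED = TXT_UNSIGNED._replace(signed=True)
```

With the unsigned-delegation proof present, `chain_status("foo.dname2.example.", [DNAME, CNAME, TXT_UNSIGNED], {"dname2-target.example."})` returns `insecure`; without that proof the same data is `bogus`, and with a signed TXT it is `secure`.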