[Unbound-users] NXDOMAN vs SERVFAIL ?

W.C.A. Wijngaards wouter at NLnetLabs.nl
Wed Mar 9 07:16:28 UTC 2011


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

I do not understand where the NXDOMAIN part happens in this story.

If I look at compro.net, it gives me the failure that you describe.

What happens is that 3 of its 4 servers are DNSSEC_LAME (not with a
signed zone).  The last server gives timeouts.  Unbound tries to contact
that server for several seconds (because it is the only option for
signatures), and when it gives up, you get servfail.

Best regards,
   Wouter

On 03/09/2011 12:20 AM, Paul Wouters wrote:
> 
> I am getting an NXDOMAIN from unbound 1.4.8 on compro.net.
> 
> 
>  39.580: compro.net INFO Begin testing DNSSEC for compro.net.
>  39.861: compro.net INFO Found DS record for compro.net at parent.
>  44.869: compro.net NOTICE DNS lookup error (connection failed).
>  45.358: compro.net INFO Servers for compro.net have consistent extra
> processing status.
>  45.358: compro.net INFO Did not find DNSKEY record for compro.net at
> child.
>  45.358: compro.net ERROR Inconsistent security for compro.net - DS
> found at parent, but no DNSKEY found at child.
>  45.358: compro.net INFO Done testing DNSSEC for compro.net.
>  45.358: compro.net INFO Test completed for zone compro.net.
> 
> bind 9.8.0 is giving a ServFail as I expected.
> 
> The DS record looks like:
> 
> compro.net.        86332    IN    DS    2211 3 1
> 1234567890123456789012345678901234567890
> 
> I could not get the DS from unbound either......
> 
> Note the hash is obviously fake.
> 
> unbound-host takes over 30secs to respond, as does unbound as deamon:
> 
> -bash-3.2# unbound-host -v compro.net. -C /etc/unbound/unbound.conf
> Mar 08 18:07:08 libunbound[31511:0] notice: init module 0: validator
> Mar 08 18:07:08 libunbound[31511:0] notice: init module 1: iterator
> compro.net. has address 173.201.14.242 (BOGUS (security failure))
> validation failure <compro.net. A IN>: No DNSKEY record from
> 208.109.255.1 for key compro.net. while building chain of trust
> compro.net. has no IPv6 address (BOGUS (security failure))
> validation failure <compro.net. AAAA IN>: key for validation compro.net.
> is marked as invalid because of a previous validation failure
> <compro.net. NS IN>: No DNSKEY record from 208.109.255.1 for key
> compro.net. while building chain of trust
> 
> 
> compro.net. mail is handled by 10 mx2.compro.net. (BOGUS (security
> failure))
> validation failure <compro.net. MX IN>: key for validation compro.net.
> is marked as invalid because of a previous validation failure
> <compro.net. NS IN>: No DNSKEY record from 208.109.255.1 for key
> compro.net. while building chain of trust
> 
> After a little while, or due to me querying and caching something, unbound
> started giving me servfails. Though when querying with the +cd I still got
> no data:
> 
> [paul at bofh ~]$ dig +dnssec +cd  compro.net @193.110.157.136
> 
> ; <<>> DiG 9.7.3-RedHat-9.7.3-1.fc14 <<>> +dnssec +cd compro.net
> @193.110.157.136
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 60322
> ;; flags: qr rd ra cd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;compro.net.            IN    A
> 
> ;; Query time: 109 msec
> ;; SERVER: 193.110.157.136#53(193.110.157.136)
> ;; WHEN: Tue Mar  8 18:12:13 2011
> ;; MSG SIZE  rcvd: 39
> 
> Paul
> _______________________________________________
> Unbound-users mailing list
> Unbound-users at unbound.net
> http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.15 (GNU/Linux)
Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org/

iEYEARECAAYFAk13KUwACgkQkDLqNwOhpPgqEgCdG2ADerHJ4o2TFEiTKiUdPDQM
E0kAnR7bNNminjAfoGV28krs0u/mdY6k
=TG/q
-----END PGP SIGNATURE-----



More information about the Unbound-users mailing list