[Unbound-users] Expired RRSIGs, yet still "AD" flag set
Hauke Lampe
lampe at hauke-lampe.de
Wed Mar 30 11:54:44 UTC 2011
Hi.

I have a case here where RRSIGs expired, yet Unbound still sets the "AD"
flag in responses. The records have a TTL of 2 days, so I think the
signatures expired while in the cache and Unbound did not revalidate
them before handing out the answer.

I'm not too deep into the details of all DNSSEC RFCs. Is this behaviour
permitted by the standard or is it a bug in Unbound?

Installed version is svn rev. 2406.

> ; <<>> DiG 9.8.0rc1 <<>> +dnssec mixmaster.mixmin.net mx @10.42.22.8
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13580
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 9
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 65432
> ;; QUESTION SECTION:
> ;mixmaster.mixmin.net. IN MX
>
> ;; ANSWER SECTION:
> mixmaster.mixmin.net. 18287 IN MX 10 snorky.mixmin.net.
> mixmaster.mixmin.net. 18287 IN RRSIG MX 5 3 172800 20110328161855 20110226161855 58161 mixmin.net. xIOOe273z9oJb6EM4l0/KzqrYYXUHUbQRP89U1GMjyJ/hYdNhRZGzCj2 RcRx21v3hjL+1F9KCc280MqXUo6FGKUBC4ZQ09geQ5dkHEesXi8Cwoo1 QcETDvSmTR3/PN0Bz/Ho77m/+7DgrV6dRexABBpTWNYio+OBO8kCR1+y iq0=
>
> ;; AUTHORITY SECTION:
> mixmin.net. 16906 IN NS asteria.debian.or.at.
> mixmin.net. 16906 IN NS snorky.mixmin.net.
> mixmin.net. 16906 IN NS fleegle.mixmin.net.
> mixmin.net. 16906 IN RRSIG NS 5 2 172800 20110328161855 20110226161855 58161 mixmin.net. ezh+yZwfiaI7D9j0m5cV2nhVb7SLPpx3OJymq7GyjT/q3foKCBTUNq5A CqQP5c/ewSenV2uFeDVhQLaeldT6O6Sv+V+Wa+OU7Xc6qFE4IXjM4+Uv DjUhk+e/kV81Gh+I3Z5AvmQ9/H5dTCno6HBp/lzoDj/iU11tcWw3cnK+ K2w=
>
> ;; ADDITIONAL SECTION:
> snorky.mixmin.net. 16906 IN A 188.40.76.149
> snorky.mixmin.net. 16906 IN AAAA 2a01:4f8:100:5243::3
> fleegle.mixmin.net. 16906 IN A 82.133.6.118
> fleegle.mixmin.net. 16906 IN AAAA 2002:5285:676::1
> snorky.mixmin.net. 16906 IN RRSIG A 5 3 172800 20110328161855 20110226161855 58161 mixmin.net. 5+XnM1ATswU8jCbVfEv8YXGbJV2XPH3bbLmNwHCe5Kr+WmMTZ4T/+udL 8fwh/TxDnEDTj5/MZOC5C/7z1/FbPwzkBU5sYWezLnCNrq7IyWr7WlHe nZBu47J48xQuTz1Ag74mCIBUNfEvZ72TPnjEr5X+O1wDfSfcCFOP4nYB sJE=
> snorky.mixmin.net. 16906 IN RRSIG AAAA 5 3 172800 20110328161855 20110226161855 58161 mixmin.net. y5a5ai11w1lERhTwlXGj8pcACFSuvcQcKokFHQ/fVBO5b30BKRs2rQ6P n37RO0p9WfcXgYg3Exhv6ae9FyPfbAjHwmGFCr/wl5MJN1s24DG9aj2b L/Rf+AK+Vunyjg4GXYLBZVaC59CZNef/gXlSFquh9RKKwcjVMI8/HM0j JYQ=
> fleegle.mixmin.net. 16906 IN RRSIG A 5 3 172800 20110328161855 20110226161855 58161 mixmin.net. 5aglAu0Q61hTr+8lpJk2zWt6XJ9U7sO2Vl6tktDTh4ywr3JR/CrbnzRS jeOO0ZOPopXenSUayQ7t5q7LP2wD2giP9YSWsrFXZBZ0a2po5vkxCsCg aY6LKNPK6tXV2uuZWw0s4XOwC0y7HZ6W2j8atovfVrghtx8Tn0gkL7V0 uVA=
> fleegle.mixmin.net. 16906 IN RRSIG AAAA 5 3 172800 20110328161855 20110226161855 58161 mixmin.net. XZWrf/dDj1RgG3cAXBB2oTKgi0tqAkJf4q8lNc0l2i/eqSYiaZAEHEgC RmRVG4W+GmSrb5vp49NCATcCFDe/vmHH9TlN60hQVFkdj6P3i8t/2TxC M9EUtCeX0prPCNuZpJeLYBuXU03hFEnyUag3td6mgW9pCSGaW4c3nxR5 tZo=
>
> ;; Query time: 25 msec
> ;; SERVER: 10.42.22.8#53(10.42.22.8)
> ;; WHEN: Wed Mar 30 13:39:12 2011
> ;; MSG SIZE rcvd: 1250
Hauke.
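
A check for the condition reported above, as an added example that is not part of the original post or of Unbound: it parses dig output, reports whether AD is set, and evaluates each RRSIG's validity window at a given time. The function and field names are hypothetical, the `now` value assumes the unzoned WHEN line is CEST, and `max_safe_ttl` applies the RFC 4035 section 5.3.3 rule that a validated RRset's TTL must not exceed the time left until signature expiration.

```python
import re
from datetime import datetime, timezone

# Constructed sample: abbreviated from the response quoted above, with the
# signature data replaced by a placeholder (only flags and timestamps are read).
SAMPLE = """\
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 9
> mixmaster.mixmin.net. 18287 IN MX 10 snorky.mixmin.net.
> mixmaster.mixmin.net. 18287 IN RRSIG MX 5 3 172800 20110328161855 20110226161855 58161 mixmin.net. <sig>
> mixmin.net. 16906 IN RRSIG NS 5 2 172800 20110328161855 20110226161855 58161 mixmin.net. <sig>
"""

# owner ttl IN RRSIG covered alg labels orig-ttl expiration inception ...
RRSIG_RE = re.compile(
    r"^(?:>\s*)?(?P<owner>\S+)\s+(?P<ttl>\d+)\s+IN\s+RRSIG\s+(?P<covered>\S+)"
    r"\s+\d+\s+\d+\s+(?P<orig_ttl>\d+)\s+(?P<exp>\d{14})\s+(?P<inc>\d{14})\s",
    re.M)
FLAGS_RE = re.compile(r"^(?:>\s*)?;; flags:([^;]*);", re.M)

def _ts(stamp):
    # RRSIG presentation timestamps are YYYYMMDDHHmmSS in UTC.
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def audit(dig_text, now):
    """Return (ad_set, findings) for a dig response as seen at time `now`."""
    m = FLAGS_RE.search(dig_text)
    ad_set = bool(m) and "ad" in m.group(1).split()
    findings = []
    for r in RRSIG_RE.finditer(dig_text):
        exp, inc = _ts(r["exp"]), _ts(r["inc"])
        remaining = int((exp - now).total_seconds())
        findings.append({
            "owner": r["owner"],
            "covered": r["covered"],
            "valid": inc <= now <= exp,
            "expired_for": max(0, -remaining),  # seconds past expiration
            # Longest cache lifetime that cannot outlive the signature.
            "max_safe_ttl": max(0, min(int(r["ttl"]), int(r["orig_ttl"]), remaining)),
        })
    return ad_set, findings

if __name__ == "__main__":
    # Assumption: WHEN "Wed Mar 30 13:39:12 2011" taken as CEST (UTC+2).
    when = datetime(2011, 3, 30, 11, 39, 12, tzinfo=timezone.utc)
    ad, rows = audit(SAMPLE, when)
    for row in rows:
        print("AD" if ad else "--", row)
```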