[Unbound-users] Issue in DNSSEC
Jan Komissar (jkomissa)
jkomissa at cisco.com
Fri May 20 18:43:11 UTC 2011
Hi Cyril,
It looks like your version of dig is very old. The TYPE46 RR is actually
an RRSIG. Since dig doesn't recognize that, it may not recognize the AD
flag either.
Jan.
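Jan's point above, worked through as an added example (this is not code from Unbound, dig or either poster): the TYPE46 blob that dig 9.2.3 printed in RFC 3597 generic form is RRSIG rdata. The script decodes the first such record from the posted output (the hex is taken from the thread as-is) into the RFC 4034 fields, checks whether the signature is inside its validity window at a given time, and reads the AD bit out of a raw 12-byte DNS header. The header bytes are constructed here; the RR type and algorithm tables are small subsets of the IANA registries.

```python
"""Decode the TYPE46 blob from the posted dig output and read the AD bit.
Added example for this thread, not Unbound's or dig's code. RRSIG layout
follows RFC 4034 section 3.1; the AD bit follows RFC 4035 section 3.2.3."""
import re
import struct
from datetime import datetime, timezone

# First TYPE46 record exactly as the posted dig 9.2.3 printed it (real
# data from the thread, not constructed); line breaks are ignored.
TYPE46_SOA_RDATA = r"""\# 151 (
00060801000003844DDFC2174DD6772F8
F6903636F6D
00B4491B54F5987CC2C80ED4C6C94F9AD856EB1BE3C1
34ACFD6AFA9651BCC29B4206C28F27FA342EA7A6EF38
24D06F2F3E88567E3C33836D81A6261B1012C9B66FC4
E6059621CF5F23AA3922120B2DA8351C7B64E682632F
33CB1DA9F2259F6CAA1CCD61446823FFB33C1CE5ECB1
3EBBED00281030ECEB97A331ECC0802DF9D889 )"""

# Small subsets of the IANA RR type and DNSSEC algorithm registries;
# anything not listed is reported by number.
RRTYPES = {1: "A", 2: "NS", 6: "SOA", 43: "DS", 46: "RRSIG", 48: "DNSKEY"}
ALGORITHMS = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256",
              10: "RSASHA512", 13: "ECDSAP256SHA256"}

# Header flag bits (RFC 1035 4.1.1 plus AD/CD from RFC 4035 3.2.3).
FLAG_BITS = ((0x8000, "qr"), (0x0400, "aa"), (0x0200, "tc"), (0x0100, "rd"),
             (0x0080, "ra"), (0x0020, "ad"), (0x0010, "cd"))


def rfc3597_to_bytes(text):
    """Turn RFC 3597 '\\# <len> <hex>' text into bytes, checking the length."""
    m = re.match(r"\s*\\#\s+(\d+)\s*\(?\s*(.*?)\s*\)?\s*$", text, re.S)
    if not m:
        raise ValueError("not RFC 3597 generic rdata")
    declared = int(m.group(1))
    data = bytes.fromhex(re.sub(r"\s+", "", m.group(2)))
    if len(data) != declared:
        raise ValueError(f"declared {declared} bytes, got {len(data)}")
    return data


def read_name(data, offset):
    """Read an uncompressed wire-format name; RRSIG signer names are never
    compressed (RFC 4034 3.1.7). Returns (dotted name, offset after it)."""
    labels = []
    while True:
        length = data[offset]
        offset += 1
        if length == 0:
            return ".".join(labels) + ".", offset
        if length & 0xC0:
            raise ValueError("compression pointer in RRSIG signer name")
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length


def parse_rrsig(rdata):
    """Unpack RRSIG rdata: 18 fixed bytes, signer name, then the signature."""
    (type_covered, algorithm, labels, original_ttl,
     expiration, inception, key_tag) = struct.unpack("!HBBIIIH", rdata[:18])
    signer, offset = read_name(rdata, 18)
    return {
        "type_covered": RRTYPES.get(type_covered, f"TYPE{type_covered}"),
        "algorithm": ALGORITHMS.get(algorithm, str(algorithm)),
        "labels": labels,
        "original_ttl": original_ttl,
        "expiration": expiration,   # seconds since the epoch, UTC
        "inception": inception,
        "key_tag": key_tag,
        "signer": signer,
        "signature": rdata[offset:],
    }


def rrsig_is_current(sig, now):
    """True if `now` (epoch seconds) lies inside the signature's validity
    window; a validator treats anything outside it as bogus."""
    return sig["inception"] <= now <= sig["expiration"]


def make_header(flags, ident=41, qd=1, an=2, ns=14, ar=1):
    """Build a constructed 12-byte DNS header (counts default to the posted answer)."""
    return struct.pack("!HHHHHH", ident, flags, qd, an, ns, ar)


def header_flags(message):
    """Names of the flags set in a raw DNS message, in dig's order."""
    flags = struct.unpack("!H", message[2:4])[0]
    return [name for bit, name in FLAG_BITS if flags & bit]


if __name__ == "__main__":
    sig = parse_rrsig(rfc3597_to_bytes(TYPE46_SOA_RDATA))
    for key, value in sig.items():
        if key in ("expiration", "inception"):
            stamp = datetime.fromtimestamp(value, timezone.utc)
            value = f"{value} ({stamp:%Y%m%d%H%M%S} UTC)"
        elif key == "signature":
            value = f"{len(value)} bytes"
        print(f"{key:>13}: {value}")
    # Constructed headers: what the posted dig showed (0x8180, no AD) next
    # to what a validated answer looks like (0x81A0, AD set).
    for flags in (0x8180, 0x81A0):
        print(f"flags 0x{flags:04X}: {' '.join(header_flags(make_header(flags)))}")
```

Decoding the blob gives type covered SOA, algorithm 8 (RSA/SHA-256), labels 1, original TTL 900, key tag 36713, signer com., a 128-byte signature and an inception/expiration window in May 2011, which is exactly what a current dig prints as an RRSIG line. One caveat when using the AD bit as the check: it is only set when the client asked for it (DO or AD bit in the query) and the resolver validated every RRset in the answer, and it is only trustworthy over a path the client trusts, since nothing authenticates the bit itself. Querying 127.0.0.1 as in the posted output is fine; reading AD from a resolver across an untrusted network is not.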
From: unbound-users-bounces at NLnetLabs.nl
[mailto:unbound-users-bounces at NLnetLabs.nl] On Behalf Of Cyril Benedict
Sent: Friday, May 20, 2011 1:51 PM
To: unbound-users
Subject: [Unbound-users] Issue in DNSSEC
Hi All,
I am new to Unbound DNS. I have installed Unbound DNS on a Windows
machine. Normal queries were working fine without DNSSEC. But when I
tried to enable DNSSEC and validate the queries, it's not working. I
expect the AD flag to be set in my response. Below is my
unbound.conf file:
# Unbound configuration file on windows.
# See example.conf for more settings and syntax
server:
verbosity: 1
statistics-interval: 30
num-threads: 1
interface: 0.0.0.0
# enable cumulative statistics, without clearing them after printing.
statistics-cumulative: yes
# enable extended statistics (query types, answer codes, status)
# printed from unbound-control. default off, because of speed.
extended-statistics: yes
outgoing-range: 512
num-queries-per-thread: 1024
msg-cache-size: 16m
rrset-cache-size: 32m
msg-cache-slabs: 4
rrset-cache-slabs: 4
cache-max-ttl: 86400
infra-host-ttl: 60
infra-lame-ttl: 120
infra-cache-numhosts: 10000
infra-cache-lame-size: 10k
do-ip4: yes
do-ip6: no
do-udp: yes
do-tcp: yes
do-daemonize: yes
access-control: 0.0.0.0/0 allow
access-control: 192.168.1.0/24 allow
access-control: 172.16.0.0/12 allow
access-control: 10.0.0.0/8 allow
access-control: 127.0.0.0/8 allow
#access-control: 0.0.0.0/0 refuse
#chroot: "/etc/unbound"
#username: "unbound"
#directory: "/etc/unbound"
logfile: "C:\unbound.log"
#use-syslog: yes
#logfile: ""
#use-syslog: no
#pidfile: "/etc/unbound/unbound.pid"
root-hints: "C:\Program Files\Unbound\named.cache"
server: auto-trust-anchor-file: "C:\Program Files\Unbound\root.key"
server: dlv-anchor-file: "C:\Program Files\Unbound\dlv.isc.org.key"
val-log-level: 2
# File with trusted keys for validation. Specify more than one file
# with several entries, one file per entry.
# Zone file format, with DS and DNSKEY entries.
# Note this gets out of date, use auto-trust-anchor-file please.
#trust-anchor-file: ""
# Harden against receiving dnssec-stripped data. If you turn it
# off, failing to validate dnskey data for a trustanchor will
# trigger insecure mode for that zone (like without a trustanchor).
# Default on, which insists on dnssec data for trust-anchored zones.
harden-dnssec-stripped: yes
identity: "DNS"
version: "1.4"
hide-identity: yes
hide-version: yes
harden-glue: no
do-not-query-address: 127.0.0.1/8
do-not-query-localhost: yes
module-config: "validator iterator"
-----------------------------------
When I ran dig, I got the output below:
C:\dig>dig com. SOA +dnssec +multiline
; <<>> DiG 9.2.3 <<>> com. SOA +dnssec +multiline
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 14, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;com. IN SOA
;; ANSWER SECTION:
com. 878 IN SOA a.gtld-servers.net. nstld.verisign-grs.com. (
1305905047 ; serial
1800 ; refresh (30 minutes)
900 ; retry (15 minutes)
604800 ; expire (1 week)
86400 ; minimum (1 day)
)
com. 878 IN TYPE46 \# 151 (
00060801000003844DDFC2174DD6772F8F6903636F6D
00B4491B54F5987CC2C80ED4C6C94F9AD856EB1BE3C1
34ACFD6AFA9651BCC29B4206C28F27FA342EA7A6EF38
24D06F2F3E88567E3C33836D81A6261B1012C9B66FC4
E6059621CF5F23AA3922120B2DA8351C7B64E682632F
33CB1DA9F2259F6CAA1CCD61446823FFB33C1CE5ECB1
3EBBED00281030ECEB97A331ECC0802DF9D889 )
;; AUTHORITY SECTION:
com. 172778 IN NS a.gtld-servers.net.
com. 172778 IN NS c.gtld-servers.net.
com. 172778 IN NS j.gtld-servers.net.
com. 172778 IN NS m.gtld-servers.net.
com. 172778 IN NS l.gtld-servers.net.
com. 172778 IN NS d.gtld-servers.net.
com. 172778 IN NS b.gtld-servers.net.
com. 172778 IN NS e.gtld-servers.net.
com. 172778 IN NS f.gtld-servers.net.
com. 172778 IN NS k.gtld-servers.net.
com. 172778 IN NS i.gtld-servers.net.
com. 172778 IN NS g.gtld-servers.net.
com. 172778 IN NS h.gtld-servers.net.
com. 172778 IN TYPE46 \# 151 (
000208010002A3004DDB30F54DD1E60D8F6903636F6D
0016A2B11A350932CEAF7999FE7BFB82DF31A1B4EBB0
3BB0F3C15E2D68C0568C3F2EEF8A7BC734C92FA5BA7F
18D64BF478942AA5436AABF08D66342720D103B292A4
D60A876FC6AE1D0FF23C15BDE9C4D3485FC1480DBAE8
2BC6A27C67E280A1836FB869850194F851CF53A1D7EB
F238FA9705E052D80311D0C31AE491255BCBB3 )
;; Query time: 15 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri May 20 20:54:59 2011
;; MSG SIZE rcvd: 637
My root.key file, after updating it using unbound-anchor, is below:
; autotrust trust anchor file
;;id: . 1
;;last_queried: 1305905315 ;;Fri May 20 20:58:35 2011
;;last_success: 1305905315 ;;Fri May 20 20:58:35 2011
;;next_probe_time: 1305944244 ;;Sat May 21 07:47:24 2011
;;query_failed: 0
;;query_interval: 43200
;;retry_time: 8640
. 172800 IN DNSKEY 257 3 8 XXXXXXXXXXXXXXXXXX
Please advise me of any documentation which will help me to resolve the
issue. I would be grateful if someone could point out the problem. Thanks in
advance.
Thanks,
Cyril.