[Unbound-users] Possible bug: bogus validation result on non-existence proofs when asking for DS records (unbound 1.4.16)
Ondrej Mikle
ondrej.mikle at nic.cz
Fri Apr 27 12:48:14 UTC 2012
Hi,

I've run into a strange result when querying for DS RRs (e.g. for
zone.nic.cz). The output of the attached script is:

Unbound version: 1.4.16
fqdn: nic.cz, status: 0, secure: 1, bogus: 0, why_bogus: None
fqdn: zone.nic.cz, status: 0, secure: 0, bogus: 1, why_bogus: validation
failure <zone.nic.cz. DS IN>: nodata proof failed from 2001:678:f::1
fqdn: www.nic.cz, status: 0, secure: 0, bogus: 1, why_bogus: validation
failure <www.nic.cz. DS IN>: nodata proof failed from 2001:678:1::1
fqdn: xn--mgbh0fb.xn--kgbechtv, status: 0, secure: 0, bogus: 1,
why_bogus: validation failure <xn--mgbh0fb.xn--kgbechtv. DS IN>: nodata
proof failed from 2001:648:2c30::1:10

The above queries via dig are OK.

Though if I query unbound running locally, I always get SERVFAIL (tried
on two machines, one had unbound 1.4.16 from distribution, the other
I've compiled from source).

Am I missing something or is it a bug?

Ondrej
-------------- next part --------------
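#!/usr/bin/env python
# Query DS records through libunbound and print the DNSSEC validation status.
from unbound import ub_ctx, ub_version, RR_TYPE_DS

print("Unbound version: %s" % ub_version())

u = ub_ctx()
# Install the root zone DS record as the DNSSEC trust anchor.
u.add_ta(". IN DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5")
# Left disabled: without a forwarder, libunbound resolves recursively from the root itself.
#u.resolvconf("/etc/resolv.conf")

for fqdn in ("nic.cz", "zone.nic.cz", "www.nic.cz", "xn--mgbh0fb.xn--kgbechtv"):
    # s is the resolver status code (0 = no error), r carries the validation result.
    s, r = u.resolve(fqdn, RR_TYPE_DS)
    print("fqdn: %s, status: %s, secure: %s, bogus: %s, why_bogus: %s" %
          (fqdn, s, r.secure, r.bogus, r.why_bogus))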