[Unbound-users] DNSSEC problems
David Benfell
benfell at parts-unknown.org
Mon Jun 11 19:12:45 UTC 2012
Hi Leen,
On 06/11/12 00:23, Leen Besselink wrote:
>
> Anyway, I think Jan-Piet Mens is on the right track. Please remove
> the forward-zone for '.' as a test. My guess is, it would start
> working.
I have now done this--and removed the local-zone for 127.x.x.x that he
suggested--and it does appear to be running better. For one thing,
root.key now contains:
; autotrust trust anchor file
;;id: . 1
;;last_queried: 1339440774 ;;Mon Jun 11 11:52:54 2012
;;last_success: 1339440774 ;;Mon Jun 11 11:52:54 2012
;;next_probe_time: 1339483628 ;;Mon Jun 11 23:47:08 2012
;;query_failed: 0
;;query_interval: 43200
;;retry_time: 8640
. 172800 IN DNSKEY 257 3 8
AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=
;{id = 19036 (ksk), size = 2048b} ;;state=2 [ VALID ] ;;count=0
;;lastchange=1339440774 ;;Mon Jun 11 11:52:54 2012
We actually got an update. And I am no longer seeing the error
messages I previously reported. However, sanity check results are mixed:
atlanta# dig org. SOA +dnssec
; <<>> DiG 9.9.1-P1 <<>> org. SOA +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8196
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 7, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;org. IN SOA
;; ANSWER SECTION:
org. 900 IN SOA a0.org.afilias-nst.info. noc.afilias-nst.info.
2010096315 1800 900 604800 86400
org. 900 IN RRSIG SOA 7 1 900 20120702190513 20120611180513 12189
org. bjSHMmeSeK6QE/XIHf4z/RVoJYrGnkEtyqzDiGeIeEMz0s71E/jraFj6
wElwbNFhiEs37gyyHZoYoojrLWyQsE3UC7qHRbMVCZKCG1qN19pRMeBw
eyCjqFSwcXavf+r3AZXCkQCRYqGygis4Zrki41eNrtpmkcxgP4J2WuJZ gek=
;; AUTHORITY SECTION:
org. 86400 IN NS c0.org.afilias-nst.info.
org. 86400 IN NS a2.org.afilias-nst.info.
org. 86400 IN NS b2.org.afilias-nst.org.
org. 86400 IN NS b0.org.afilias-nst.org.
org. 86400 IN NS a0.org.afilias-nst.info.
org. 86400 IN NS d0.org.afilias-nst.org.
org. 86400 IN RRSIG NS 7 1 86400 20120630155122 20120609145122 12189
org. Mh1C3+D1bMreN+SWCCumO/8OMi3SmwOquclqtmdFQA6CmTRikj8y6mfX
WFjLie6eT/oT4pSZglctE5tL3xQM+xSpG/JxmwTWtrdoWyvCXtJTY+vr
gr16QNIgoLGaofSRRWoQyt+QFO+kTSV8GtjzOf7fYg+DrdbXZkut/xbV bYE=
;; Query time: 19 msec
;; SERVER: 10.8.0.1#53(10.8.0.1)
;; WHEN: Mon Jun 11 12:05:34 2012
;; MSG SIZE rcvd: 536
atlanta# dig test.dnssec-or-not.net TXT
; <<>> DiG 9.9.1-P1 <<>> test.dnssec-or-not.net TXT
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 51755
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;test.dnssec-or-not.net. IN TXT
;; Query time: 1401 msec
;; SERVER: 10.8.0.1#53(10.8.0.1)
;; WHEN: Mon Jun 11 12:06:22 2012
;; MSG SIZE rcvd: 51
atlanta#
It looks like test.dnssec-or-not.net isn't working at all. And lynx on
http://dnssectest.sidn.nl/ reports that no form action is defined.
Trying http://dnssectest.sidn.nl/ from my home system (which should be
using the unbound) simply states that this test is taking unusually
long and never comes back with anything else.
>
> It is always easier to test small parts first.
>
> What is on the other side of dnscrypt ? OpenDNS ?
Oh, my. :facepalm
I think my intent was to connect to OpenDNS. But at the moment, I'm
failing to find where I've configured this. All I see at the moment is,
atlanta# cat /etc/conf.d/dnscrypt-proxy
DNSCRYPT_LOCALIP=127.0.0.1
DNSCRYPT_LOCALPORT=53
DNSCRYPT_USER=nobody
> Well, OpenDNS does not support DNSSEC.
I'll have to look into this separately.
Thanks!
--
David Benfell
benfell at parts-unknown.org
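An added example (my own code, not from this thread or from the Unbound project) that parses the two artefacts the post relies on, the autotrust anchor file and dig's header lines, to judge whether the resolver is actually validating. The sample strings are constructed from the post, with the DNSKEY base64 replaced by a placeholder.

```python
import re

# Constructed samples, abbreviated from the post (DNSKEY material is a placeholder).
ROOT_KEY = """; autotrust trust anchor file
;;id: . 1
;;last_success: 1339440774 ;;Mon Jun 11 11:52:54 2012
;;next_probe_time: 1339483628 ;;Mon Jun 11 23:47:08 2012
;;query_failed: 0
. 172800 IN DNSKEY 257 3 8 AwEAAagAIK...PLACEHOLDER...
;{id = 19036 (ksk), size = 2048b} ;;state=2 [ VALID ] ;;count=0
"""
DIG_OK = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8196
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 7, ADDITIONAL: 1
; EDNS: version: 0, flags: do; udp: 4096
"""
DIG_FAIL = """;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 51755
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
; EDNS: version: 0, flags:; udp: 4096
"""

def parse_autotrust(text):
    """Pull the RFC 5011 probe counters and each anchor's state out of root.key."""
    info = {"keys": []}
    for line in text.splitlines():
        m = re.match(r";;(query_failed|last_success|next_probe_time):\s*(\d+)", line)
        if m:
            info[m.group(1)] = int(m.group(2))
            continue
        m = re.match(r";\{id = (\d+) \((\w+)\).*?;;state=(\d+) \[ (\w+) \]", line)
        if m:
            info["keys"].append({"id": int(m.group(1)), "role": m.group(2),
                                 "state": int(m.group(3)), "state_name": m.group(4)})
    return info

def judge_dig(output):
    """Classify a dig response: 'validated' needs NOERROR plus the AD flag;
    SERVFAIL is either a validation failure or a broken forwarding path
    (for example an upstream that does not speak DNSSEC at all)."""
    status = re.search(r"status: (\w+)", output).group(1)
    flags = re.search(r";; flags: ([^;]*);", output).group(1).split()
    edns = re.search(r"; EDNS: .*?flags:([^;]*);", output)
    do_bit = edns is not None and "do" in edns.group(1).split()
    if status == "SERVFAIL":
        verdict = "servfail"
    elif status == "NOERROR" and "ad" in flags:
        verdict = "validated"
    else:
        verdict = "unvalidated"
    return {"verdict": verdict, "ad": "ad" in flags, "do": do_bit}

if __name__ == "__main__":
    print(parse_autotrust(ROOT_KEY))
    print(judge_dig(DIG_OK), judge_dig(DIG_FAIL))
```

A healthy anchor shows state VALID with query_failed 0, as in the post; an answer without AD means the resolver did not validate it, which is what forwarding through a non-DNSSEC upstream produces.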