[Unbound-users] Help troubleshooting validation failures on ca.gov domains.
Olafur Gudmundsson
ogud at ogud.com
Thu Mar 22 02:53:19 UTC 2012
On 21/03/2012 20:24, Augie Schwer wrote:
> If anyone could help shed some light on why I'm seeing validation
> failures for the ca.gov domain I would really appreciate it.
>
> Unbound 1.4.16 -- started seeing these in the logs:
>
> Mar 21 14:52:23 a unbound: [7326:0] info: validation failure
> <www.ca.gov. A IN>: signatures from unknown keys from 134.186.254.247
>
> The domain validates fine using http://dnsviz.net/d/ca.gov/dnssec/
>
> And 'drill' on the same box validates the domain just fine, details
> down below for clarity.
>
> I've enabled "val-permissive-mode", so that I can continue to see
> errors, but don't have to pull the server out of the pool.
>
> Again, any help in figuring out what is going on would be greatly appreciated.
>
The first thing that jumps out is that the domain is using 2 different DNSKEY
algorithms; this increases the possibility of mistakes.
ALG 7 is in the record in the parent, with a corresponding DNSKEY record
signing the DNSKEY, but the key for algorithm 7 that signs the
www.ca.gov A RRset is not in the DNSKEY RRset.
The key for algorithm 8 that signs the A RRset is in the DNSKEY RRset,
so my guess is that Unbound is favoring algorithm 7 as that is in the DS
set.
DS lists 7/59151
DNSKEY contains 7/59151 8/60459 validates
signed by 7/58151 8/60459 validates
SOA signed by 7/59151 8/60459 validates
NSEC signed by 7/22178 8/60459 SERVFAIL
A signed by 7/22178 8/60459 SERVFAIL
I think Unbound is right in rejecting the zone, as the algorithm 7 (the entry
point algorithm) chain is broken: 22178 is missing from the DNSKEY set.
Other resolvers are on less stable ground saying that this setup is
validated, but I will not call them wrong, as they followed the Postel
principle.
In short, a mistake by the operator exposes differences in implementation
choices.
Olafur
> --Augie
>
>
> # drill -k /var/unbound/root.key -T ca.gov A
> ;; Number of trusted keys: 1
> ;; Domain: .
> [T] . 172800 IN DNSKEY 256 3 8 ;{id = 56158 (zsk), size = 1024b}
> . 172800 IN DNSKEY 257 3 8 ;{id = 19036 (ksk), size = 2048b}
> . 172800 IN DNSKEY 256 3 8 ;{id = 51201 (zsk), size = 1024b}
> Checking if signing key is trusted:
> New key: . 172800 IN DNSKEY 256 3 8
> AwEAAZ/NErKzyMlImJ+2HTmK9qeH2sLUywlsF+mJbTP5GKoYFHoU2vn2Zqr261Lk7a6jfBKYny5GX7BDRJcVvig36TgOinE9QP5KVS0RxdrOl98gKLwFMORfNf/wjCwjPdEl1GgaGYl0npJ4c+x+o6aa/xmDKJo9zUlpvb7BLxbJ7HwF
> ;{id = 51201 (zsk), size = 1024b}
> Trusted key: . 172800 IN DNSKEY 257 3 8
> AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=
> ;{id = 19036 (ksk), size = 2048b}
> Trusted key: . 172800 IN DNSKEY 256 3 8
> AwEAAbd0IPTQdvyndWSX6HHcB+JycMl1aCGTHSJUBs/y9S93el05VvXg1VqSF4vveB9rEuAZ1z8RNWZ9ac+rlaK7PrI5RlCIyKKPbtHbpgQGkwai8O6BZ4J/ch7DGuhGJfvoECcWjsucs683WFRtmfLx5WNdPxxi30Czt1zPqMWfY6YJ
> ;{id = 56158 (zsk), size = 1024b}
> Trusted key: . 172800 IN DNSKEY 257 3 8
> AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=
> ;{id = 19036 (ksk), size = 2048b}
> Trusted key: . 172800 IN DNSKEY 256 3 8
> AwEAAZ/NErKzyMlImJ+2HTmK9qeH2sLUywlsF+mJbTP5GKoYFHoU2vn2Zqr261Lk7a6jfBKYny5GX7BDRJcVvig36TgOinE9QP5KVS0RxdrOl98gKLwFMORfNf/wjCwjPdEl1GgaGYl0npJ4c+x+o6aa/xmDKJo9zUlpvb7BLxbJ7HwF
> ;{id = 51201 (zsk), size = 1024b}
> Key is now trusted!
> [T] gov. 86400 IN DS 53138 7 1 35d81501cc594683875872282fe73054cfe619de
> gov. 86400 IN DS 53138 7 2 5aec256412bc1fec92b8fddb4493b585e9406541cf8c952bfe6e27acb3a20766
> ;; Domain: gov.
> [T] gov. 86400 IN DNSKEY 256 3 7 ;{id = 35464 (zsk), size = 2048b}
> gov. 86400 IN DNSKEY 256 3 7 ;{id = 23239 (zsk), size = 2048b}
> gov. 86400 IN DNSKEY 257 3 7 ;{id = 53138 (ksk), size = 2048b}
> Checking if signing key is trusted:
> New key: gov. 86400 IN DNSKEY 256 3 7
> AQO7WIex4rhh3ixp+U2kj8rNv61syyX8mbhBnldxZRPEMVFifoh1r0tNYOn8STzm1lEHjW3fU35G8NQHcdeFZe4nubogpA31ttUfI8ftaXYQSpI4JgyNW0bjBxt3IullpJv2tVvTb3/ZFRq8ddrJTVxCPPJz3ycA7Wa2GF948Dy85EH0q4pwzVLzKytKaOsAVLWHHA6KuPYreNLTqUv7zmdTIZ8uOICvhpsmgh8iPapHkS3yBr70TbIZnnMkr739J9PqaksrQh567tBwi0RDpIbs1XPDsqTeQoOBWwaQx7OAxRPKFEjHHbi2fucZjWqVNDZNGx9qA33QEs8cxI415sUp
> ;{id = 35464 (zsk), size = 2048b}
> Trusted key: . 172800 IN DNSKEY 257 3 8
> AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=
> ;{id = 19036 (ksk), size = 2048b}
> Trusted key: . 172800 IN DNSKEY 256 3 8
> AwEAAbd0IPTQdvyndWSX6HHcB+JycMl1aCGTHSJUBs/y9S93el05VvXg1VqSF4vveB9rEuAZ1z8RNWZ9ac+rlaK7PrI5RlCIyKKPbtHbpgQGkwai8O6BZ4J/ch7DGuhGJfvoECcWjsucs683WFRtmfLx5WNdPxxi30Czt1zPqMWfY6YJ
> ;{id = 56158 (zsk), size = 1024b}
> Trusted key: . 172800 IN DNSKEY 257 3 8
> AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=
> ;{id = 19036 (ksk), size = 2048b}
> Trusted key: . 172800 IN DNSKEY 256 3 8
> AwEAAZ/NErKzyMlImJ+2HTmK9qeH2sLUywlsF+mJbTP5GKoYFHoU2vn2Zqr261Lk7a6jfBKYny5GX7BDRJcVvig36TgOinE9QP5KVS0RxdrOl98gKLwFMORfNf/wjCwjPdEl1GgaGYl0npJ4c+x+o6aa/xmDKJo9zUlpvb7BLxbJ7HwF
> ;{id = 51201 (zsk), size = 1024b}
> Trusted key: gov. 86400 IN DNSKEY 256 3 7
> AQO7WIex4rhh3ixp+U2kj8rNv61syyX8mbhBnldxZRPEMVFifoh1r0tNYOn8STzm1lEHjW3fU35G8NQHcdeFZe4nubogpA31ttUfI8ftaXYQSpI4JgyNW0bjBxt3IullpJv2tVvTb3/ZFRq8ddrJTVxCPPJz3ycA7Wa2GF948Dy85EH0q4pwzVLzKytKaOsAVLWHHA6KuPYreNLTqUv7zmdTIZ8uOICvhpsmgh8iPapHkS3yBr70TbIZnnMkr739J9PqaksrQh567tBwi0RDpIbs1XPDsqTeQoOBWwaQx7OAxRPKFEjHHbi2fucZjWqVNDZNGx9qA33QEs8cxI415sUp
> ;{id = 35464 (zsk), size = 2048b}
> Key is now trusted!
> Trusted key: gov. 86400 IN DNSKEY 256 3 7
> BQEAAAABvSN63WSZXqKpkUlpHZjtvhZqgTTXwS+ayt8E/0AuuXvEuFOkUzUqyUahwSdhbds2aLWJK4Gg7Z0huM/hAnqgvMxpRgY9wyJ0oh5UuO3XpAChAEups6ufY7M/+16lHpkbjQgw45o3t/AOFrxhjAUOA4PR21P7JmkofhMFmnhLnrou9fK+704kr/5uq19xZ1nClCZd+Awtt7mgArePJ0k6HDbScXY9hjr6uwKwbx8Dji+nCajkxBHatAFLz8G0z0lCN3VSnMSrw7U+nNpLzUBcGB8oYAyHV2MoxQFPm8z+b8fZemT5kXftn/XdEbS4qrG48czluD56ESUSQ+z9p4AGLw==
> ;{id = 23239 (zsk), size = 2048b}
> Trusted key: gov. 86400 IN DNSKEY 257 3 7
> AQO7tpGcHVEdeAwk47cj6Tuc3dvAUktIQ1vMu8mGtGYQ8F6vSOgViE0tmzPtVFrV9E6kY1jLYCh+oKPWn7efpQVMkqc+2b9ECYk/81fA4Vb0BfyYKKhiW7T1uNX4rC03JZa2u8iOHwqq4BRVplksFXCGn47i2Sosa5KuqCNBqUA0oyPTEbxkyNo3Q6l8ZcscILqbvWZ0BJKaLCTtj08Nj35LTqd/XVoEObp48A21Pqyi6Kiblh9H6NoLtqhlvP5+8AujtINJ+sTUQZYgqt9iFQp2AH4HvyJdw8Vkr1QRhhshq6RgRidnOvTIWZKoe4QHQrvmOfW245zv+22Iuu5rYpcl
> ;{id = 53138 (ksk), size = 2048b}
> [T] ca.gov. 86400 IN DS 59151 7 1 b944a2ddc6320e245b9b897e8238b1b850b22344
> ca.gov. 86400 IN DS 59151 7 2 c229cd687bedbbf4908b9bceee0239007abd77f9b66ae2d1e16b59e47ee19282
> ;; Domain: ca.gov.
> [T] ca.gov. 172800 IN DNSKEY 257 3 7 ;{id = 59151 (ksk), size = 2048b}
> ca.gov. 172800 IN DNSKEY 256 3 8 ;{id = 60459 (zsk), size = 1024b}
> [T] ca.gov. 86400 IN A 134.186.200.20
> ;;[S] self sig OK; [B] bogus; [T] trusted
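Added example, not code from this thread, from Unbound or from drill: a small Python model of the two validation policies Olafur contrasts, run over the key tags visible in the ca.gov output above. Keys and signatures are reduced to (algorithm, key tag) pairs; an RRSIG is assumed to verify cryptographically whenever the key it names is present in the DNSKEY RRset, and DS matching on digest is omitted.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Key:
    """A DNSKEY or RRSIG reference, reduced to algorithm number and key tag."""
    alg: int
    tag: int


def entry_point_keys(ds_set, dnskey_set):
    """DNSKEYs that a DS record in the parent points at (simplified: alg+tag only)."""
    return {k for k in dnskey_set if k in ds_set}


def missing_signing_keys(dnskey_set, rrsigs):
    """RRSIGs made by a key that is not published in the DNSKEY RRset."""
    return {sig for sig in rrsigs if sig not in dnskey_set}


def validate(ds_set, dnskey_set, rrsigs, strict):
    """'secure' or 'bogus' for one RRset under one of two policies.

    strict:  every algorithm signalled by the DS set must have a verifiable
             signature (the behaviour Olafur attributes to Unbound).
    liberal: one verifiable signature by any published DNSKEY suffices
             (the "Postel principle" behaviour of the other resolvers).
    """
    entry = entry_point_keys(ds_set, dnskey_set)
    if not entry:
        return "bogus"  # no DS record matches any DNSKEY: no chain of trust at all
    usable = rrsigs - missing_signing_keys(dnskey_set, rrsigs)
    if strict:
        required = {k.alg for k in entry}
        present = {sig.alg for sig in usable}
        return "secure" if required <= present else "bogus"
    return "secure" if usable else "bogus"


# Constructed from the key tags in the drill output and Olafur's table above.
DS = {Key(7, 59151)}
DNSKEY = {Key(7, 59151), Key(8, 60459)}
SOA_SIGS = {Key(7, 59151), Key(8, 60459)}   # both chains intact
A_SIGS = {Key(7, 22178), Key(8, 60459)}     # alg 7 signer not in DNSKEY set

if __name__ == "__main__":
    print("missing:", missing_signing_keys(DNSKEY, A_SIGS))
    print("A strict:", validate(DS, DNSKEY, A_SIGS, strict=True))
    print("A liberal:", validate(DS, DNSKEY, A_SIGS, strict=False))
```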