[Unbound-users] Persistent validation failure on several sites

W.C.A. Wijngaards wouter at nlnetlabs.nl
Mon Dec 2 08:34:48 UTC 2013 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Wenci,

I receive answers for them.  Your dig contacted unbound itself.  You
should set dig +cdflag so you can see the dnssec invalid answers that
unbound has, or set dig to probe the other servers.

sirius-soft.at seems to have retracted its DS record and is now
insecure - I guess something was wrong for them.

rellim.com has faulty algorithm rollover - they publish DS records
algorithms 5 and 7, and have DNSKEYs 7 and 8.  There are no keys of
type 5... This breaks resolution for unbound.  Other software has a
more lenient view on algorithm rollover and keys.  And it goes back to
a debate about whether one key is enough or if you want to check all
available algorithms; it advertises algorithm 5 and thus it must
provide a chain of trust for algorithm 5.

Best regards,
   Wouter


On 11/29/2013 06:24 PM, Wendi Chen wrote:
> HI All,
> 
> We consistently receive the following unbound logs:
> 
> 131127 17:48:33 unbound: [5694:0] info: validation failure
> d.t10000.u6860931751.s1385574322.i1009.v6022.503b8.z.dotnxdomain.net.
> A IN 131127 17:51:28 unbound: [5694:0] info: validation failure
> ns2.sirius-soft.at. A IN 131127 17:51:28 unbound: [5694:0] info:
> validation failure ns1.sirius-soft.at. A IN 131127 17:51:28
> unbound: [5694:0] info: validation failure ns3.sirius-soft.at. A
> IN 131127 17:51:45 unbound: [5694:1] info: validation failure
> ns2.sirius-soft.at. A IN 131127 17:52:02 unbound: [5694:1] info:
> validation failure ns3.sirius-soft.at. A IN 131127 17:52:35
> unbound: [689:0] info: validation failure rellim.com. A IN 131127
> 17:52:36 unbound: [21479:0] info: validation failure rellim.com. A
> IN 131127 17:52:46 unbound: [5694:0] info: validation failure
> rellim.com. A IN 131127 17:52:46 unbound: [5694:0] info: validation
> failure rellim.com. NS IN 131127 17:52:46 unbound: [5694:0] info:
> validation failure ns1.rellim.com. A IN 131127 17:52:46 unbound:
> [689:1] info: validation failure rellim.com. A IN 131127 17:52:48
> unbound: [21479:1] info: validation failure rellim.com. A IN 131127
> 17:52:48 unbound: [21479:1] info: validation failure rellim.com. NS
> IN 131127 17:52:48 unbound: [21479:1] info: validation failure
> ns2.rellim.com. AAAA IN 131127 17:52:48 unbound: [21479:1] info:
> validation failure ns1.rellim.com. A IN
> 
> Is it a bug in unbound or a problem with the DNS configuration of
> those sites?
> 
> I ran dig commands on those sites and found all of them returned no
> answers.
> 
> For example, wendi: dig rellim.com
> 
> 
> ; <<>> DiG 9.9.3-rl.13207.22-P2-RedHat-9.9.3-5.P2.fc19 <<>>
> rellim.com ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<-
> opcode: QUERY, status: SERVFAIL, id: 52216 ;; flags: qr rd ra;
> QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;;
> QUESTION SECTION: ;rellim.com.                    IN      A
> 
> ;; Query time: 840 msec ;; SERVER: 192.168.58.1#53(192.168.58.1) ;;
> WHEN: Fri Nov 29 12:20:38 EST 2013 ;; MSG SIZE  rcvd: 39
> 
> Thank you if you can give me some advices.
> 
> Best, Wendi
> 
> 
> _______________________________________________ Unbound-users
> mailing list Unbound-users at unbound.net 
> http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
> 

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBAgAGBQJSnEYoAAoJEJ9vHC1+BF+Ne2MQAKVrfbB44CwktLm+tXmWbgqA
Jtius/U/um39b5D+UPCtQANGOaepfRvEdRVMU+0jI4qNq+g3/zeRDoR3WOEQr6vt
DjFCR13g0GokaiCI9EVyGwUq5fHetgc92n2Ke+IYd5AcsRbWzMJlrkZSWtL+KBCv
s+7M49jmxkQQsTa+9vOrLlfFu1IUNYpf2qlL+I89Qn1TjTJOz9ZfsN66J3ieyqv1
HJRKa/aXe4VTZOIUHkQjiPfBb/3iyJo8BxN8GeLOFcLKyrVVzZfS5uzNt47TWgqQ
QWAq4YHhLdb2rVAKRqFQDCHlnC8JVgWNYfYAGuFazWtL2BOWItk3IjXlLmhEONr2
lVtyTfiDaT3x0MIgp1NDCWW/FO8py6XtgS46qM/cWPQ1MyXD+EM/bHNtxRzVF6O0
7uJg16fDuxyF4t0wgcGAtxvBpwqw3N/UJENWztw1yv3iCFCb/wSgU012jJV75D9J
kpGv+Dm8HVQfWsugqYwZ2yeMH9ICc59ILWxuTVQfBUOMd1VySIczZCgb90GFHQKH
CDGfAYRF9JFZT2QUzT4M1ubC9iPFCG3x/Q8a1bNyxQCwm3E/f9CTY67bA7/KosgA
hx1L0Vi5wBa1p5OyycXVeb2iYw8smcY05NOpEpVlOGSYSFUCXOYOAYgkQ/zz4/y4
kbdp6h4Wq0Z7p2wZxSWS
=uMZt
-----END PGP SIGNATURE-----

More information about the Unbound-users mailing list