[Unbound-users] Possible unbound bug with wild card results
W.C.A. Wijngaards
wouter at nlnetlabs.nl
Thu Mar 21 09:20:45 UTC 2013
Hi Erinn,
On 03/20/2013 09:55 PM, Erinn Looney-Triggs wrote:
> There is a bugzilla open about a similar
> issue: https://bugzilla.redhat.com/show_bug.cgi?id=824219, but from
> my reading it looks like it went off in another direction.
>
> The issue I am running into comes in when resolving
> fedorapeople.org domains which are DLV signed. Specifically
> fkooman.fedorapeople.org but any other *.fedorapeople.org domains
> seem to fail, and only with unbound in my testing thus far.
> Straight bind will return the result.
>
> When attempting to resolve I get this in the logs:
>
> unbound: [1005:1] info: validation failure fkooman.fedorapeople.org. A IN

Can you tell me why it failed? Set val-log-level: 2
or run unbound-host to do the lookup.

When I perform this lookup, it works fine, and uses the isc.org DLV.
This is with the latest unbound version.

Best regards,
Wouter

> Running directly against bind we get the result as expected:
>
> dig fkooman.fedorapeople.org +dnssec
>
> ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6.3 <<>> fkooman.fedorapeople.org +dnssec
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57589
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;fkooman.fedorapeople.org. IN A
>
> ;; ANSWER SECTION:
> fkooman.fedorapeople.org. 56 IN A 152.19.134.191
> fkooman.fedorapeople.org. 56 IN RRSIG A 5 2 60 20130418182632 20130319182632 378 fedorapeople.org.
> 7YhhtMeCLSq1wIYnWW3gQvL1hIKnYLO0ffIEQbhKPJ0dSadnipAxxSiJ
> k8pY2VwvvvNZ+bJoX3PYJAG/jmA7uUnYuK/Zx0OUjkU+Fmc7dOSBlQJp
> +ikA73Lcv2KjBF0Nbq4LFG11O8MDOdDi1zZ8XrYCdlQkS/PqKoZzcX9m b+A=
>
> ;; AUTHORITY SECTION:
> *.fedorapeople.org. 56 IN NSEC fedorapeople.org. A AAAA RRSIG NSEC
> *.fedorapeople.org. 56 IN RRSIG NSEC 5 2 86400 20130418182632 20130319182632 378 fedorapeople.org.
> 8DbC9OUD7p+274jhuNpJJA7SgTgCk3ArqaPE5dj/raZNvJcC5Wd1eoiH
> 72nxwdpyyfX3szQa1iq82/jmfMzohQ45MFK+nNusJMysjlkmGnkZQjKp
> MqBAuQBQ2WosUOfwG290TTGiXRiapvYVw15odvsTL4wKHzEcYmRbtbnq WyU=
>
>
> You can get a nice break down of the signing here:
> http://dnsviz.net/d/fkooman.fedorapeople.org/dnssec/
>
> My guess is that it has to do with the *.fedorapeople.org record,
> but I am no expert, or perhaps DLV plays into it? There aren't a
> great deal of sites that I know of to compare this to.
>
> Can anyone else confirm or deny this issue with their unbound?
>
> Thanks, -Erinn
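
The dig output quoted in this message shows a wildcard expansion: the RRSIG over the A record has a Labels value of 2 for a three-label owner name, and the authority section carries the NSEC for *.fedorapeople.org. The Python below is an added illustration, not part of the thread and not Unbound's code, of the check RFC 4035 sections 5.3.2 and 5.3.4 ask a validator to make on such an answer. Function names are hypothetical, names are assumed to contain no escaped dots, and the sketch does not diagnose the failure reported above.

```python
# Added illustration; not code from the thread or from Unbound.
def labels(name):
    """Absolute DNS name -> lowercase labels, rightmost label first (canonical order)."""
    return [l.lower().encode() for l in reversed(name.rstrip(".").split(".")) if l]

def wildcard_source(owner, rrsig_labels):
    """Labels of the wildcard an RRset was expanded from, or None if not expanded.

    The RRSIG Labels field counts the signed name's labels without root or "*".
    """
    own = labels(owner)
    if own and own[-1] == b"*":
        own = own[:-1]                      # the wildcard record itself
    if rrsig_labels > len(own):
        raise ValueError("RRSIG Labels field exceeds the owner name")
    return None if rrsig_labels == len(own) else own[:rrsig_labels] + [b"*"]

def nsec_covers(owner, nxt, qname):
    """True if qname sorts strictly between the NSEC owner and its next name."""
    o, n, q = labels(owner), labels(nxt), labels(qname)
    if o < n:
        return o < q < n
    # Last NSEC of the zone: the next name is assumed to be the apex (range wraps).
    return q > o and q[:len(n)] == n

def common(a, b):
    """Longest shared ancestor of two label lists."""
    i = 0
    while i < min(len(a), len(b)) and a[i] == b[i]:
        i += 1
    return a[:i]

def check_wildcard_answer(qname, rrsig_labels, nsec_owner, nsec_next):
    """Return "exact", "wildcard-proven" or "wildcard-unproven"."""
    src = wildcard_source(qname, rrsig_labels)
    if src is None:
        return "exact"
    if not nsec_covers(nsec_owner, nsec_next, qname):
        return "wildcard-unproven"          # qname itself is not shown absent
    q = labels(qname)
    # Closest encloser: deepest ancestor of qname that the NSEC shows to exist.
    ce = max(common(q, labels(nsec_owner)), common(q, labels(nsec_next)), key=len)
    return "wildcard-proven" if src == ce + [b"*"] else "wildcard-unproven"

# Values taken from the dig output quoted in the thread.
RESULT = check_wildcard_answer("fkooman.fedorapeople.org.", 2,
                               "*.fedorapeople.org.", "fedorapeople.org.")
```

A validator that gets "wildcard-unproven" has to treat the answer as bogus even when the RRSIG itself verifies, because nothing shows that a closer match is absent.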