[Unbound-users] validation failure

A. Schulze sca at andreasschulze.de
Thu Jul 3 12:50:44 UTC 2014


shmick:

> Jul  3 15:37:51  unbound: [3740:0] info: validation failure
> <7.0.0.1.0.0.0.0.0.0.0.0.0.0.0.0.6.0.8.0.6.0.0.4.0.0.8.6.4.0.4.2.ip6.arpa.
> PTR IN>: No DNSKEY record for key 0.4.2.ip6.arpa. while building chain
> of trust

Hm, cannot reproduce ...

$ dig  
7.0.0.1.0.0.0.0.0.0.0.0.0.0.0.0.6.0.8.0.6.0.0.4.0.0.8.6.4.0.4.2.ip6.arpa. PTR  
+dnssec

; <<>> DiG 9... <<>>  
7.0.0.1.0.0.0.0.0.0.0.0.0.0.0.0.6.0.8.0.6.0.0.4.0.0.8.6.4.0.4.2.ip6.arpa. PTR  
+dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7569
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;7.0.0.1.0.0.0.0.0.0.0.0.0.0.0.0.6.0.8.0.6.0.0.4.0.0.8.6.4.0.4.2.ip6.arpa. IN  
PTR

;; ANSWER SECTION:
7.0.0.1.0.0.0.0.0.0.0.0.0.0.0.0.6.0.8.0.6.0.0.4.0.0.8.6.4.0.4.2.ip6.arpa.  
86388 IN PTR syd01s19-in-x07.1e100.net.

;; Query time: 0 msec
;; SERVER: ::1#53(::1)
;; WHEN: Thu Jul  3 14:42:19 2014
;; MSG SIZE  rcvd: 140

Anyway: the zone 0.4.2.ip6.arpa. belongs to RIPE and do have DNSKEY data:

$ dig @ns3.apnic.net. 0.4.2.ip6.arpa. any +dnssec

; <<>> DiG 9... <<>> @ns3.apnic.net. 0.4.2.ip6.arpa. any +dnssec
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8490
;; flags: qr aa rd; QUERY: 1, ANSWER: 20, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;0.4.2.ip6.arpa.                        IN      ANY

;; ANSWER SECTION:
0.4.2.ip6.arpa.         172800  IN      RRSIG   NSEC 5 5 172800  
20140802065912 20140703055912 17730 0.4.2.ip6.arpa.  
I1p7k9AK3ztVuxi7LhyhnQj1cc52rXygXXXzpm7V4O1oVAaRgx+4it/A  
X/CEni7Lvni6+1Ysut6dQfNGgqOLvo7JGBczo9GpAqqZyZlC5n8Np+Jx  
JgBPD8IfPlWqfQNttRPS4nL1eGEHklBQlGj0oDyCJXnurdPAIftKNEpI mM0=
0.4.2.ip6.arpa.         172800  IN      RRSIG   DNSKEY 5 5 172800  
20140802065912 20140703055912 17730 0.4.2.ip6.arpa.  
jdc/1Ny5HCFuCa7PpFSSc1miz7nHWrnD2saLnZ5tMv4tjq/4DOE4fiKZ  
UUeHs9HlBmXpiLiUppHHAcN5yLgPuJ6dgHWhdPLuk11tz01OpF75rd6Y  
dugfnh95MW4QDe5xrlPM8lnKdPXNZyIlkP08iQG6KhYl07AnrAqZgNds xSg=
0.4.2.ip6.arpa.         172800  IN      RRSIG   DNSKEY 5 5 172800  
20140802065912 20140703055912 63292 0.4.2.ip6.arpa.  
RaCNV9kwwEvsHk2STegNwIIoZO//nAzgwwYfimbukZhLG+M4FnTROm2j  
q9sAmkBxnPCcrn3Kv5vYotUhAEfZVODTjsdF9ztr/+g5/flhalUK63Wz  
NjL8KvW4bjuTQUbI1SRQ+xXifoKwe2blHjGrirdaNV+v6hClMDwUfR82  
Un3Cr0wh35t/qjytZtLTxu13KTNLh+Y8aCJWHzFam8sF0KQ09/kAXRhv  
yKhk8MgmOnG8YBy2HiVQqBUV6vPevbJGST7Aat1K3MUGPDjOWSi3NjeJ  
4QJpFSPSydPrnuhWt5RJ3p2MgufISUtFH5y3xMrEXz/cM9ZpoEDrFqYJ TPMrNQ==
0.4.2.ip6.arpa.         86400   IN      RRSIG   TXT 5 5 86400  
20140802065912 20140703055912 17730 0.4.2.ip6.arpa.  
WJxUSr1rYh7TK1IlUz7+mIbYeYnur+hGvujShQNZ49q4PviZT0q+Qb3o  
n5oEFWPvQVMdfr+bgl1bHU+RIqLoz2x1IjPHZkEh+vGn9Nj4BPbycc07  
bxoK2znuIttVb8vgquEhdHz1U52EsUnq4D/xbh5RI4B3QYc5QRXU56om ZPc=
0.4.2.ip6.arpa.         172800  IN      RRSIG   SOA 5 5 172800  
20140802065912 20140703055912 17730 0.4.2.ip6.arpa.  
Pkz5I44w0xOQ0RmYsSAOJCWJr/gS91nVogvwDUuIICsEdl/2x/j30HR4  
owA3u+EaJ1xy8lu0+DPM4VV7zsNFABu1V3/meQB6wzU8ZDjeusFKb/VF  
eLh9L0sYrRDUQ9ePBbtnaWzAJijkxgQ95lo4GDUMo0xLG+rMpSdBMRUS IVQ=
0.4.2.ip6.arpa.         86400   IN      RRSIG   NS 5 5 86400  
20140802065912 20140703055912 17730 0.4.2.ip6.arpa.  
e6Cu61H9Efjr5jxx6HDmKtbIyla1RtEDaGRB1pybSu0pliWb/N4aUoRx  
ORGDdgk4rLbKXXr6R4oZPKg0Tks8GevFrjBz3HEhVoX51TQv0VPlUYTO  
OH/JJaCvKI/VDUScwXEVjLIzO/J0NWUujArVkM24mTQx3UJIbdu6Bjog Qbk=
0.4.2.ip6.arpa.         172800  IN      NSEC     
6.0.0.8.0.0.0.1.0.0.4.2.ip6.arpa. NS SOA TXT RRSIG NSEC DNSKEY
0.4.2.ip6.arpa.         172800  IN      DNSKEY  256 3 5  
AwEAAZx2nykuBZgSfCAZ2JW53gW1FQ+N54ROEDvsFb3h5sUxGHIPIaX7  
aQu9oNjKqzJZxE2x2HNn+R7XLsRnz2CUpL1iej2Gveb41VYR8aIg0ehK  
Co8t1/sRn9cWzZEHmtyRL3MFMHi1urmxsEIusvNK7jhvbNta6+OLJpYu 4+5nO9Cl
0.4.2.ip6.arpa.         172800  IN      DNSKEY  257 3 5  
AwEAAXP4O1q8akmxghpAhkhpriaLA8AZbFE5+QVmspMmyBYW+xoIUwkk  
YiqPQSgFjKNrOeKfnCPdhQMDoDIwagUAE5BQS9rGC+aMk/UL37QiP0dl  
YAIqgSQh67RtGxWSxDlF5hTzXe9VQBd++HDlkAXkHa8g/AX3T7xIFjmc  
3HnSvpl74oygWu8PUJtyHsyL2WlUZbqHV+KGO1BbAoU2BttYuVSi1aeE  
cSQfwHYSn+fajaCR29J9CJcMGMAtOi5kWFM72aHxFRkfbbdPG6rSaV/Q  
dbjIimg1rsoym68+gnrkn7ZiFnlGqSushCEgvLZRRBSn2wM+0y3Rrk7d Pi1F2/jQUXM=
0.4.2.ip6.arpa.         172800  IN      DNSKEY  256 3 5  
AwEAAY/cQBrzJm/tWqQBBnDt/8xtEaekCtGHuNXwbPzwMjTWtCI9E3Hc  
pCNxN6U9/PrV4Ru11cGE5SvXigz+wLh1pscuW30aVh8RxS2Ee5/drFNU  
uGvQgHmEcbvSQWuBq08JaaRNhVL4pGa6tsTfnPBjv3oNRDwDY8D3P2+P esPleR1T
0.4.2.ip6.arpa.         172800  IN      DNSKEY  257 3 5  
AwEAAX701vB4eE0ESpb5mpZMLGsny0ksIwxo+hfRESbwYQQ0Sj5iex3F  
N3dZpaNDNioV25YHsjqHCHZJ+IwPmn7hb4eH9cjjeZRMHVEN5VVGUSIc  
7tSni5jSfp+QyGbCxVz7DpM5mYkHrbXKuY+k00hPaTJafkeTgGJZ2G3H  
JZxoNy0CHH8e2S7a5aCkA6nQeyz50YtqLjF+mEhchHXQhviv6doRmrl4  
6LrT20sp3iLy2uamfPW4JxVFp8lx6EjosC8gd76kuzj1xIQI4aT1oPpf  
C4XQxdvJidfWuH+aOYuwLMuJkPO8eMRm8C78VVaZPljp7wuhwAmAQYuE S1uWakejDmk=
0.4.2.ip6.arpa.         86400   IN      TXT     "zone updated 20140703"
0.4.2.ip6.arpa.         86400   IN      NS      tinnie.arin.net.
0.4.2.ip6.arpa.         86400   IN      NS      ns4.apnic.net.
0.4.2.ip6.arpa.         86400   IN      NS      ns3.apnic.net.
0.4.2.ip6.arpa.         86400   IN      NS      apnic1.dnsnode.net.
0.4.2.ip6.arpa.         86400   IN      NS      sec1.authdns.ripe.net.
0.4.2.ip6.arpa.         86400   IN      NS      ns1.apnic.net.
0.4.2.ip6.arpa.         86400   IN      NS      ns2.lacnic.net.
0.4.2.ip6.arpa.         172800  IN      SOA     ns1.apnic.net.  
read-txt-record-of-zone-first-dns-admin.apnic.net. 3007063981 7200  
1800 604800 172800

;; Query time: 271 msec
;; SERVER: 2001:dc0:1:0:4777::131#53(2001:dc0:1:0:4777::131)
;; WHEN: Thu Jul  3 14:43:23 2014
;; MSG SIZE  rcvd: 2403

http://dnscheck.iis.se/?time=1404391548&id=4120772&view=advanced&test=standard
looks also not dramaticly

Did you just tried to restart unbound ?

Andreas




More information about the Unbound-users mailing list