[Unbound-users] DLV anchor and unsigned domains
Alan Jurcic
Alan.Jurcic at CARNet.hr
Thu Mar 27 14:51:33 UTC 2014
On 27.03.14 at 15:14, W.C.A. Wijngaards wrote:
>
> If your DLV provider does not answer, the security status of every
> domain not in cache cannot be determined. It must therefore be
> withheld from the poor user. Did you configure a non-working dlv domain?
>
Hi Wouter,
DLV validation is working for the domain with the DLV record in my DLV zone, but
everything unsigned is automatically bogus. I have the same DLV configured in the bind
resolver and it works fine there: the root anchor is checked first, then DLV, and if
neither contains a DS/DLV for the domain then the domain is unsigned and the answer is
returned to the client.
Querying a signed domain with the DLV anchor:
$ dig sec.tst.hr @193.198.241.11 # bind resolver
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2537
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
$ dig sec.tst.hr @193.198.241.48 # unbound resolver
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38124
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
Querying a signed domain with the root anchor:
$ dig nlnetlabs.nl @193.198.241.11 # bind resolver
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43298
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 3
$ dig nlnetlabs.nl @193.198.241.48 # unbound resolver
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30066
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 4
The issue comes up when I query an unsigned domain:
$ dig carnet.hr @193.198.241.11 # bind resolver
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26035
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 9
$ dig carnet.hr @193.198.241.48 # unbound resolver
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 36322
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
Hope that helps :)
Alan
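An added example, not part of the thread: a small Python script that reads the dig header lines quoted in the post and classifies each resolver's answer as secure (NOERROR with AD), insecure (NOERROR without AD, i.e. provably unsigned) or bogus (SERVFAIL), then lists the domains where the bind and unbound resolvers disagree. The sample headers are copied from the post; the function names are my own.

```python
import re

# Sample input: the dig header lines quoted in the post, keyed by
# (resolver, domain). Only the status and flags lines are needed.
SAMPLE = {
    ("bind", "sec.tst.hr"): ";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2537\n"
                            ";; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1",
    ("unbound", "sec.tst.hr"): ";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38124\n"
                               ";; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1",
    ("bind", "carnet.hr"): ";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26035\n"
                           ";; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 9",
    ("unbound", "carnet.hr"): ";; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 36322\n"
                              ";; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1",
}

STATUS_RE = re.compile(r"status:\s*([A-Z]+)")
FLAGS_RE = re.compile(r"^;; flags:\s*([^;]*);", re.M)


def classify(dig_header: str) -> str:
    """Map a dig header to the DNSSEC outcome the resolver is reporting.

    secure   -> NOERROR with the AD (authenticated data) flag set
    insecure -> NOERROR without AD: provably unsigned, answer still returned
    bogus    -> SERVFAIL: validation failed or could not be completed
    """
    status = STATUS_RE.search(dig_header)
    flags = FLAGS_RE.search(dig_header)
    if status is None or flags is None:
        raise ValueError("not a dig header")
    rcode = status.group(1)
    if rcode == "SERVFAIL":
        return "bogus"
    if rcode == "NOERROR":
        return "secure" if "ad" in flags.group(1).split() else "insecure"
    return rcode.lower()


def disagreements(samples: dict, a: str = "bind", b: str = "unbound") -> dict:
    """Domains where resolver a and resolver b report different outcomes."""
    domains = {d for (_, d) in samples}
    out = {}
    for d in sorted(domains):
        ra, rb = classify(samples[(a, d)]), classify(samples[(b, d)])
        if ra != rb:
            out[d] = (ra, rb)
    return out


if __name__ == "__main__":
    for key in sorted(SAMPLE):
        print(key, classify(SAMPLE[key]))
    print("disagreements:", disagreements(SAMPLE))
```

On the post's data this flags only carnet.hr, where bind reports insecure and unbound reports bogus, which is the symptom being discussed.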