[Unbound-users] Strange validation failures for some wildcard CNAMEs
Casey Deccio
casey at deccio.net
Wed Sep 17 16:27:06 UTC 2014
On Wed, Sep 17, 2014 at 10:05 AM, Ondřej Caletka <ondrej at caletka.cz> wrote:
> I'm having an issue with validating particular domain names:
>
> $ dig _25._tcp.mail.relia-pc.cz tlsa
> $ dig _443._tcp.kinderporno.cz tlsa
> - validates with BIND, fails with Unbound 1.4.21
> - unbound-host says that cname proof failed
>
> I'm suspecting that there is something wrong on the authoritative side
> since both domains are hosted on the same set of servers. But I'm not
> able to figure out, what exactly is wrong and how the answers should
> look like to be validated successfully by Unbound.
>
>
I don't immediately see anything wrong with the complete names above. But
I can see that BIND and unbound both are failing validation for
_tcp.kinderporno.cz. I am wondering if this is perhaps due to incorrect
handling of NSEC records associated with wildcards.
$ dig +dnssec +noall +authority @ns.forpsi.it _tcp.kinderporno.cz | grep NSEC | head -1
default._domainkey.kinderporno.cz. 3600 IN NSEC _jabber._tcp.kinderporno.cz. TXT RRSIG NSEC
The NSEC record returned doesn't prove that the name doesn't exist
(NXDOMAIN) because the name (_tcp.kinderporno.cz) is in fact an ancestor of
the next field of the NSEC record (_jabber._tcp.kinderporno.cz), as an
empty non-terminal. But that proof is not required for wildcard, only for
NXDOMAIN status.
But that doesn't explain why unbound would be failing validation on
_443._tcp.kinderporno.cz, unless it is performing validation of
_tcp.kinderporno.cz along the way.
Just a guess.
Casey
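An added example, not code from the thread and not Unbound's or BIND's validator, that applies the RFC 4034 section 6.1 canonical ordering to the NSEC record quoted above and reports what that single record proves about a name. It reproduces Casey's observation that _tcp.kinderporno.cz sorts between the NSEC owner and next name but is an ancestor of the next name, so the record shows an empty non-terminal rather than a non-existent name. It then generalizes to the full query name _443._tcp.kinderporno.cz and to the closest-encloser / wildcard-name computation a validator performs; that part is the algorithm's verdict on this one NSEC only, since the thread does not show the actual response for that name, and the NSEC owner and next name below are assumed to be the record exactly as it appeared in the post.

```python
# Added example, not from the original thread.  Inputs are the NSEC record
# Casey quoted (assumed verbatim) and query names taken from the thread.

NSEC_OWNER = "default._domainkey.kinderporno.cz."
NSEC_NEXT = "_jabber._tcp.kinderporno.cz."


def labels(name: str) -> list[bytes]:
    """Presentation-format name -> lowercase labels, root label omitted."""
    name = name.rstrip(".").lower()
    return [lab.encode("ascii") for lab in name.split(".")] if name else []


def canonical_key(name: str) -> list[bytes]:
    """RFC 4034 s6.1 sort key: compare labels starting from the rightmost.

    Python list/bytes comparison gives exactly the RFC rules: a shorter label
    (or missing label) sorts before a longer one with the same prefix, and
    labels are compared as lowercase octet strings.
    """
    return list(reversed(labels(name)))


def is_ancestor(anc: str, name: str) -> bool:
    """True if anc is a proper ancestor of name (e.g. _tcp.x.cz of _a._tcp.x.cz)."""
    a, n = canonical_key(anc), canonical_key(name)
    return len(a) < len(n) and n[: len(a)] == a


def nsec_covers(owner: str, next_name: str, qname: str) -> bool:
    """True if qname sorts strictly between owner and next name.

    The last NSEC in a zone points back to the apex, so next <= owner there
    and the interval wraps around.
    """
    o, n, q = canonical_key(owner), canonical_key(next_name), canonical_key(qname)
    if o < n:
        return o < q < n
    return q > o or q < n


def closest_encloser(owner: str, next_name: str, qname: str) -> str:
    """Longest existing ancestor of a covered qname.

    Both the owner and the next name exist in the zone, so the longest common
    suffix of qname with either of them is the closest encloser.
    """
    q = canonical_key(qname)
    best: list[bytes] = []
    for other in (canonical_key(owner), canonical_key(next_name)):
        common: list[bytes] = []
        for x, y in zip(q, other):
            if x != y:
                break
            common.append(x)
        if len(common) > len(best):
            best = common
    return ".".join(lab.decode() for lab in reversed(best)) + "."


def classify(owner: str, next_name: str, qname: str) -> str:
    """What this one NSEC proves about qname.

    'owner'       qname is the NSEC owner; the type bitmap says what it has.
    'not-covered' qname lies outside this NSEC's interval; it proves nothing.
    'ent'         qname is between owner and next AND an ancestor of next:
                  it exists as an empty non-terminal, so this is not an
                  NXDOMAIN proof (the case Casey points out).
    'nxname'      qname is between owner and next and no ancestor relation
                  holds: the name does not exist.  A validator then takes
                  closest_encloser() and checks *.<closest encloser>.
    """
    if canonical_key(qname) == canonical_key(owner):
        return "owner"
    if not nsec_covers(owner, next_name, qname):
        return "not-covered"
    if is_ancestor(qname, next_name):
        return "ent"
    return "nxname"


def wildcard_candidate(owner: str, next_name: str, qname: str) -> str:
    """Wildcard name a validator must check after an 'nxname' verdict."""
    return "*." + closest_encloser(owner, next_name, qname)


if __name__ == "__main__":
    for q in ("_tcp.kinderporno.cz.", "_443._tcp.kinderporno.cz.", "kinderporno.cz."):
        verdict = classify(NSEC_OWNER, NSEC_NEXT, q)
        line = f"{q:32} {verdict}"
        if verdict == "nxname":
            line += f"  closest encloser {closest_encloser(NSEC_OWNER, NSEC_NEXT, q)}"
            line += f"  check {wildcard_candidate(NSEC_OWNER, NSEC_NEXT, q)}"
        print(line)
```

The verdict for _443._tcp.kinderporno.cz is only what this particular NSEC would establish if it were returned for that query: the name sorts between the owner and next name without being an ancestor of either, the closest encloser is _tcp.kinderporno.cz, and the wildcard a validator would then expect the signed answer to have been synthesized from is *._tcp.kinderporno.cz. Whether the authoritative servers actually return that NSEC, and a matching wildcard RRSIG, for the TLSA queries is exactly what the thread is trying to establish.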