[Unbound-users] bogus resolution with forwarding and DLV
Paul Wouters
paul at nohats.ca
Wed Feb 4 03:27:34 UTC 2015
On Wed, 4 Feb 2015, Jan Včelák wrote:
> info: validation failure <jvcelak.fedorapeople.org. A IN>: no signatures
> for <fedorapeople.org. NS IN> from x.x.x.x
> After inspecting responses from BIND and Unbound, I believe this is
> caused by BIND adding NS RRs without an RRSIG into the authority
> section of the answer.
> BIND:
>
> % kdig +dnssec @x.x.x.x jvcelak.fedorapeople.org A
> ;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 59967
> ;; Flags: qr rd ra; QUERY: 1; ANSWER: 2; AUTHORITY: 6; ADDITIONAL: 7
>
> ;; EDNS PSEUDOSECTION:
> ;; Version: 0; flags: do; UDP size: 4096 B; ext-rcode: Unused
>
> ;; QUESTION SECTION:
> ;; jvcelak.fedorapeople.org. IN A
>
> ;; ANSWER SECTION:
> jvcelak.fedorapeople.org. 3600 IN A 152.19.134.191
> jvcelak.fedorapeople.org. 3600 IN RRSIG A 5 2 3600 ...
>
> ;; AUTHORITY SECTION:
> *.fedorapeople.org. 3600 IN NSEC fedorapeople.org. ...
> *.fedorapeople.org. 3600 IN RRSIG NSEC 5 2 86400 ...
> fedorapeople.org. 33297 IN NS ns02.fedoraproject.org.
> ...
>
> ;; ADDITIONAL SECTION:
> ns02.fedoraproject.org. 48697 IN A 152.19.134.139
> ns02.fedoraproject.org. 48697 IN AAAA ...
> ...
I would expect unbound to just clean/ignore any additional data that comes
without RRSIG. If not, that would be a bug.
Note that my old bind97 I have running on an old nameserver also returns
data without the AD bit set. But I think 9.7 is known to have some
issues with wildcards and CNAMEs.
Paul
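The check Paul describes, as an added example that is not part of the thread or of Unbound's own code: parse a kdig-style dump like the one quoted above, list the RRsets in each section that arrive without a covering RRSIG, and drop the unsigned ones from the authority and additional sections while leaving the answer section for the validator to judge. The dump is constructed from the quoted output, with elided rdata replaced by placeholders.

```python
# Constructed kdig-style dump modelled on the quoted message; elided rdata
# and signatures are replaced by obvious placeholders.
SAMPLE = """\
;; ANSWER SECTION:
jvcelak.fedorapeople.org. 3600 IN A 152.19.134.191
jvcelak.fedorapeople.org. 3600 IN RRSIG A 5 2 3600 SIGDATA

;; AUTHORITY SECTION:
*.fedorapeople.org. 3600 IN NSEC fedorapeople.org. A RRSIG NSEC
*.fedorapeople.org. 3600 IN RRSIG NSEC 5 2 86400 SIGDATA
fedorapeople.org. 33297 IN NS ns02.fedoraproject.org.

;; ADDITIONAL SECTION:
ns02.fedoraproject.org. 48697 IN A 152.19.134.139
ns02.fedoraproject.org. 48697 IN AAAA 2001:db8::1
"""

def parse_sections(text):
    """Return {section: [(owner, type, covered_type, line)]} for every RR."""
    sections, current = {}, None
    for line in text.splitlines():
        if line.startswith(";; ") and line.endswith("SECTION:"):
            current = line.split()[1]            # ANSWER / AUTHORITY / ADDITIONAL
            continue
        fields = line.split()
        if current is None or line.startswith(";") or len(fields) < 5:
            continue
        owner, rtype = fields[0], fields[3]
        # An RRSIG's first rdata field names the type it covers.
        covered = fields[4] if rtype == "RRSIG" else None
        sections.setdefault(current, []).append((owner, rtype, covered, line))
    return sections

def unsigned_rrsets(text):
    """Per section, the (owner, type) RRsets that have no covering RRSIG."""
    result = {}
    for section, rrs in parse_sections(text).items():
        signed = {(o, c) for o, t, c, _ in rrs if t == "RRSIG"}
        present = {(o, t) for o, t, _, _ in rrs if t != "RRSIG"}
        result[section] = sorted(present - signed)
    return result

def scrub(text):
    """Keep ANSWER intact for the validator; drop unsigned RRsets (such as the
    unsigned NS set and glue) from AUTHORITY and ADDITIONAL."""
    bad = unsigned_rrsets(text)
    return [line for section, rrs in parse_sections(text).items()
            for owner, rtype, _, line in rrs
            if section == "ANSWER" or (owner, rtype) not in bad[section]]
```

On the constructed dump, only the `fedorapeople.org. NS` set in AUTHORITY and the glue in ADDITIONAL come back unsigned; the signed A and NSEC sets survive the scrub.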