[Unbound-users] [DNSSEC] BIND validates but not Unbound: who is right?
Stephane Bortzmeyer
bortzmeyer at nic.fr
Mon Feb 16 16:34:53 UTC 2015
[The domain has recently changed its configuration so do not test it.]
With Unbound, I get a SERVFAIL:
% dig DNSKEY cepn.asso.fr
; <<>> DiG 9.9.5-8-Debian <<>> DNSKEY cepn.asso.fr
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 62442
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;cepn.asso.fr. IN DNSKEY
;; Query time: 21 msec
;; SERVER: ::1#53(::1)
;; WHEN: Mon Feb 16 16:57:58 CET 2015
;; MSG SIZE rcvd: 41
But BIND accepts it (and so does Google Public DNS):
% dig @relay1.nic.fr DNSKEY cepn.asso.fr
; <<>> DiG 9.9.5-8-Debian <<>> @relay1.nic.fr DNSKEY cepn.asso.fr
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30861
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;cepn.asso.fr. IN DNSKEY
;; ANSWER SECTION:
cepn.asso.fr. 7808 IN DNSKEY 257 3 5 (
AwEAAaBtXBNAyFHVvRBB4K9z79+1YRXkUDyycyCzPRpm
Xi9lhB0Eg5vM3XlaS6OuN0dnFHItpZFNIDBDrPsN1OCf
1ULKWpD3KDl1mE7zRK2W0HXeu4WOoFpUcC/1h06W26DT
CkisntU9L8JfPi9osmI+CuzWZhdmyZt+hPvMpjmDthyh
MZpb//kNv7+TUeczCo4MExHxjHHIVH0vRmhfyo/J1KBe
6eS3G5lDbJEEFUdxuLyGQLaG2f6wlQxoHGnzvM+V/Mj8
yGHae//7Z5rMCdaiLJy03u5+l2WVVy954dsrFC6mkB5s
M4n8nvbo1d5ap7cI76dJi9X0IUJQohZk5b5eef0=
) ; KSK; alg = RSASHA1; key id = 36778
cepn.asso.fr. 7808 IN DNSKEY 256 3 5 (
AwEAAc6AqnBoi+hfxMqtb0eokyqWT46Os5N6ZYoFm8Gb
t90EF3hTpuwDClEsulKSckhr4zFTDj3SvHc9krzeQEl5
UNCqmmZeMo/wsxKHTzIVU75fPrs1zOuM9m9zRNV4q9eG
Y0+I2h4D7E/WlPE7n57E0lmPOxK9g46xE8p9eX3bWVVK
FSm60VvginZfTzN3Zgt+peecrboEZnSzWvDVcHY2dq+o
w0UEekI1+nfwcIgEOn0Wh8B5Gx3pG5XkV3QvHVN514FH
eJLdsk0iFPHv1Xc0rLYWssFVS9s7Z8u0tEju6LshGaPQ
+zrQr54RMD9IecwbMCERcrjV2Dm5CZq+Jf53pGc=
) ; ZSK; alg = RSASHA1; key id = 54030
cepn.asso.fr. 7808 IN RRSIG DNSKEY 5 3 10800 (
20250115124200 20150216080551 36778 cepn.asso.fr.
fc1YnbjbglVC8alL9NN9LUo54kUODgk6gblFt+CjDJ4+
0i9HqEdbbW/49wksEMkFySPf24yRaswbf9W/OHeJtXid
6CEcVdZiHfPuTzxBelQVfPiIQreJ9yvxBF1z/pmTBf0X
o8TEMUjaV4f2c5eqELKdZ986RRk6J35tDd0w3cbeHGV1
mnAagjT+SOLlmF8mx6MZkgsgFylBIt0MfEaX1ZS4PfAh
TCIXi6shM0KcwZ7rI24nVGcu6wDfxdiwUZ5lJ6KWFBsM
pC0beLiKRYlqnQidkech+dlSHQGj0DXAINi6ZrS+iRhv
mCLlId4oezMaxx8P3dLo71cAqPGNBwM62A== )
cepn.asso.fr. 7808 IN RRSIG DNSKEY 5 3 10800 (
20250115124200 20150216080551 54030 cepn.asso.fr.
v1b7K0jZ4WH1yMCvJHOkxWp7EUHtsFPpKjwplu8EhqDs
WAwB0ORSFMN6Y0PDMfSydXeSwn3+L75OKk1Ne6VNaE5E
jeYi7BEChE0wZH1L6/qyIHgw0YCDfQN4HuG005RFRKgi
p1t06h3iKnVHFzduSxSby5Oq3iZgbyaSPeAhDa/LZPXv
oNb1cVmVrPKTIhZqSxKNC0t4XQ3iUffgrLvq1ErFeuut
QQeD3uzwWXCUkZA5rK7fp9eKKlSOJpP3na2r8cEy0WlC
jZ2HNPA6pIUnq+w7eD0oGp0aukJ1C85TeE1a8cr3Luf8
LnSXm7cIxSWOdw9GZEjaavWFfpYdguFxQQ== )
;; Query time: 1 msec
;; SERVER: 2001:67c:2218:9::4:162#53(2001:67c:2218:9::4:162)
;; WHEN: Mon Feb 16 17:01:03 CET 2015
;; MSG SIZE rcvd: 1193
I also tested with OARC's ODVR service which confirmed that there is a
difference between BIND and Unbound.
At the time of the test, the DS were:
% dig DS cepn.asso.fr
; <<>> DiG 9.9.5-8-Debian <<>> DS cepn.asso.fr
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6975
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;cepn.asso.fr. IN DS
;; ANSWER SECTION:
cepn.asso.fr. 171998 IN DS 36778 5 2 (
D21FC827CF4621DF88D06A8F6EA5F4B4DE72A362AB2E
03D440C315A9D8FE1407 )
cepn.asso.fr. 171998 IN DS 13585 8 2 (
AB057D7A9BBDB721EBD33FC64F3C6CC53D9020D12F18
BCEFC696494C9F9D6111 )
cepn.asso.fr. 171998 IN RRSIG DS 8 3 172800 (
20150321132707 20150120132707 36264 fr.
sotb2QNe0eJ6v6AxNaRgOzwYZVpg4XwDvRNp2S01kW/B
ImMpX5oYo2EpIkmbcO+1y+yNjk0tqyiEo1OJbxzpyV1X
xrUDQXjV1qbLgxZD3xLe9UG/VsMpImZJaiXjyd5xCT31
sPmNdh8d/T5FzWTb6jGWUY1GC4WHp8Ib4I9GWgI= )
;; Query time: 0 msec
;; SERVER: ::1#53(::1)
;; WHEN: Mon Feb 16 16:58:19 CET 2015
;; MSG SIZE rcvd: 299
DNSviz, like Unbound, says the domain is broken:
http://dnsviz.net/d/cepn.asso.fr/VOGwhA/dnssec/
But Zonemaster sees no problem:
http://zonemaster.net/test/3713
More information about the Unbound-users
mailing list