message is bogus, non secure rrset with Unbound as local caching resolver
Havard Eidnes
he at uninett.no
Wed Mar 2 19:20:50 UTC 2016
>> Unfortunately, the BIND server only tends to return responses where
>> the authority-section has NS-records but no RRSIG-record
>> during the night. I suspect it has something to do with
>> traffic levels and what other systems are accessing it. It
>> makes it all a bit hard to troubleshoot. The main source of
>> information for troubleshooting has been a combination of
>> PCAP-files and log files.
>
> Are you sure this is not the bind wildcard bug? Can you try to resolve
> something like pwouters.fedorahosted.org. That's an expanded wildcard.

A couple of responses to an 'a' query for this name follow,
attached below. In both cases you'll see the Authority section
contains the NS RRSET but not the RRSIG covering the NS RRSET,
something we're not quite sure is "right" (but have not yet found
the scripture on), and which Olav suspects is triggering Unbound
to be unhappy about the response.

> If so, this is the same bug as:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=824219

You mean the ISC RT#21409 which is mentioned in there, or
something else? The recursor Olav's machine is forwarding to
(oliven.uninett.no) is running BIND 9.9.8-P2, and according to
its CHANGES file, that bug was squashed in the run-up to 9.9.3b2:

3444.   [bug]   The NOQNAME proof was not being returned from cached
                insecure responses. [RT #21409]

Or is "the bind wildcard bug" something else? If so please
provide more information.

Best regards,

- Håvard

-------------- next part --------------
: {12} ; dig pwouters.fedorahosted.org. a +dnssec
; <<>> DiG 9.10.2-P4 <<>> pwouters.fedorahosted.org. a +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11578
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 5, ADDITIONAL: 6
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;pwouters.fedorahosted.org. IN A
;; ANSWER SECTION:
pwouters.fedorahosted.org. 60 IN CNAME hosted03.fedoraproject.org.
pwouters.fedorahosted.org. 60 IN RRSIG CNAME 5 2 60 20160331192054 20160301192054 39900 fedorahosted.org. P91FaEGxGv2Yrsdo5eDfhkpJD2zqkkoVkJr6dz9XYl0Y2TBG2FQ1OArv wUwu/bbi63LDVXsJqmg+AarvQ/xkB6f0C9Ro5/cnQFgQ0zjhi1/n/R7I vdXXYMU3xslNTe5s7U2YfCquHtKti8q6bM/ltxgtD03QJz8OxAIbpiyj 4VQ=
hosted03.fedoraproject.org. 267 IN A 140.211.169.199
hosted03.fedoraproject.org. 267 IN RRSIG A 5 3 300 20160331192053 20160301192053 7725 fedoraproject.org. n/lc4F2WKfEnq9kTqjWuBH1YbCjSiFPT1NQuDF9x30BHliC8D6M+EZKC Lcx2JVdzi+Gb/DREkp/facfVGsslfGjKfkhl4AL0kDD638I7qhnR8TJp D9e+B26xRwORMEDTALc/8KkfPNiBF1rztu2dvVSXR/LsIZd/y/3hyudO Fwk=
;; AUTHORITY SECTION:
mtn.fedorahosted.org. 60 IN NSEC sssd.fedorahosted.org. A SSHFP RRSIG NSEC
mtn.fedorahosted.org. 60 IN RRSIG NSEC 5 3 86400 20160331192054 20160301192054 39900 fedorahosted.org. p8tlcTZI3cDVAqlk2pbpGHUmDm/tZJyE2PSQNRJsOGXKnVWdZOs9Xovf bvJbsnVpeun9S4BosZ6UytlnX7XPn+jVu4KYZ2DK8tdAhyNOJOyVjTnh QJtGgPRWnraHA/hKWYsTpkK3meW2/kZdHsSsJodYeQ4WOhsa681htoYp 3vY=
fedoraproject.org. 86367 IN NS ns02.fedoraproject.org.
fedoraproject.org. 86367 IN NS ns05.fedoraproject.org.
fedoraproject.org. 86367 IN NS ns04.fedoraproject.org.
;; ADDITIONAL SECTION:
ns02.fedoraproject.org. 86314 IN A 152.19.134.139
ns02.fedoraproject.org. 86314 IN AAAA 2610:28:3090:3001:dead:beef:cafe:fed5
ns05.fedoraproject.org. 86314 IN A 85.236.55.10
ns05.fedoraproject.org. 86314 IN AAAA 2001:4178:2:1269:dead:beef:cafe:fed5
ns04.fedoraproject.org. 86314 IN A 209.132.181.17
;; Query time: 322 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Mar 02 20:06:31 CET 2016
;; MSG SIZE rcvd: 844
: {13} ; rndc status
version: 9.10.2-P4 <id:2754d37>
...
: {14} ; dig @oliven.uninett.no. pwouters.fedorahosted.org. a +dnssec
; <<>> DiG 9.10.2-P4 <<>> @oliven.uninett.no. pwouters.fedorahosted.org. a +dnssec
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35941
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 5, ADDITIONAL: 6
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;pwouters.fedorahosted.org. IN A
;; ANSWER SECTION:
pwouters.fedorahosted.org. 60 IN CNAME hosted03.fedoraproject.org.
pwouters.fedorahosted.org. 60 IN RRSIG CNAME 5 2 60 20160331192054 20160301192054 39900 fedorahosted.org. P91FaEGxGv2Yrsdo5eDfhkpJD2zqkkoVkJr6dz9XYl0Y2TBG2FQ1OArv wUwu/bbi63LDVXsJqmg+AarvQ/xkB6f0C9Ro5/cnQFgQ0zjhi1/n/R7I vdXXYMU3xslNTe5s7U2YfCquHtKti8q6bM/ltxgtD03QJz8OxAIbpiyj 4VQ=
hosted03.fedoraproject.org. 300 IN A 140.211.169.199
hosted03.fedoraproject.org. 300 IN RRSIG A 5 3 300 20160331192053 20160301192053 7725 fedoraproject.org. n/lc4F2WKfEnq9kTqjWuBH1YbCjSiFPT1NQuDF9x30BHliC8D6M+EZKC Lcx2JVdzi+Gb/DREkp/facfVGsslfGjKfkhl4AL0kDD638I7qhnR8TJp D9e+B26xRwORMEDTALc/8KkfPNiBF1rztu2dvVSXR/LsIZd/y/3hyudO Fwk=
;; AUTHORITY SECTION:
mtn.fedorahosted.org. 60 IN NSEC sssd.fedorahosted.org. A SSHFP RRSIG NSEC
mtn.fedorahosted.org. 60 IN RRSIG NSEC 5 3 86400 20160331192054 20160301192054 39900 fedorahosted.org. p8tlcTZI3cDVAqlk2pbpGHUmDm/tZJyE2PSQNRJsOGXKnVWdZOs9Xovf bvJbsnVpeun9S4BosZ6UytlnX7XPn+jVu4KYZ2DK8tdAhyNOJOyVjTnh QJtGgPRWnraHA/hKWYsTpkK3meW2/kZdHsSsJodYeQ4WOhsa681htoYp 3vY=
fedoraproject.org. 75130 IN NS ns05.fedoraproject.org.
fedoraproject.org. 75130 IN NS ns02.fedoraproject.org.
fedoraproject.org. 75130 IN NS ns04.fedoraproject.org.
;; ADDITIONAL SECTION:
ns02.fedoraproject.org. 73152 IN A 152.19.134.139
ns02.fedoraproject.org. 73152 IN AAAA 2610:28:3090:3001:dead:beef:cafe:fed5
ns04.fedoraproject.org. 73152 IN A 209.132.181.17
ns05.fedoraproject.org. 73152 IN A 85.236.55.10
ns05.fedoraproject.org. 73152 IN AAAA 2001:4178:2:1269:dead:beef:cafe:fed5
;; Query time: 238 msec
;; SERVER: 2001:700:0:503::ca53#53(2001:700:0:503::ca53)
;; WHEN: Wed Mar 02 20:11:36 CET 2016
;; MSG SIZE rcvd: 844
: {15} ;
oliven: {9} rndc status
version: BIND 9.9.8-P2 (Extended Support Version) <id:8f4dc43>
...
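
Added example (not part of the original message, and not code from BIND or Unbound): a small Python check that reads `dig +dnssec` output and lists the RRsets in the answer and authority sections that arrive without a covering RRSIG, which is the condition described in the message above. The function name and the abridged sample (signature data replaced by the placeholder `SIGDATA=`) are constructed for illustration.

```python
import re

# Constructed sample: abridged from the dig output in the message above,
# with the signature data replaced by the placeholder "SIGDATA=".
SAMPLE = """\
;; QUESTION SECTION:
;pwouters.fedorahosted.org. IN A
;; ANSWER SECTION:
pwouters.fedorahosted.org. 60 IN CNAME hosted03.fedoraproject.org.
pwouters.fedorahosted.org. 60 IN RRSIG CNAME 5 2 60 20160331192054 20160301192054 39900 fedorahosted.org. SIGDATA=
hosted03.fedoraproject.org. 267 IN A 140.211.169.199
hosted03.fedoraproject.org. 267 IN RRSIG A 5 3 300 20160331192053 20160301192053 7725 fedoraproject.org. SIGDATA=
;; AUTHORITY SECTION:
mtn.fedorahosted.org. 60 IN NSEC sssd.fedorahosted.org. A SSHFP RRSIG NSEC
mtn.fedorahosted.org. 60 IN RRSIG NSEC 5 3 86400 20160331192054 20160301192054 39900 fedorahosted.org. SIGDATA=
fedoraproject.org. 86367 IN NS ns02.fedoraproject.org.
fedoraproject.org. 86367 IN NS ns05.fedoraproject.org.
fedoraproject.org. 86367 IN NS ns04.fedoraproject.org.
;; ADDITIONAL SECTION:
ns02.fedoraproject.org. 86314 IN A 152.19.134.139
"""

SECTION_RE = re.compile(r"^;; (\w+) SECTION:")


def unsigned_rrsets(dig_text, sections=("ANSWER", "AUTHORITY")):
    """Return sorted (section, owner, type) for RRsets with no covering RRSIG."""
    rrsets = set()   # (section, owner, rrtype) seen as data records
    covered = set()  # (section, owner, type covered) seen in RRSIG records
    section = None
    for line in dig_text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if section is None or not line.strip() or line.startswith(";"):
            continue  # header, comment, question line or blank
        fields = line.split()
        # Expect: owner TTL class type rdata...; skip anything else.
        if len(fields) < 5 or not fields[1].isdigit() or fields[2] != "IN":
            continue
        owner, rrtype = fields[0].lower(), fields[3]
        if rrtype == "RRSIG":
            covered.add((section, owner, fields[4]))  # fields[4] = type covered
        else:
            rrsets.add((section, owner, rrtype))
    return sorted(r for r in rrsets - covered if r[0] in sections)


if __name__ == "__main__":
    for section, owner, rrtype in unsigned_rrsets(SAMPLE):
        print(f"{section}: {owner} {rrtype} has no covering RRSIG")
```

The additional section is left out by default; pass `sections=("ANSWER", "AUTHORITY", "ADDITIONAL")` to include it.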