message is bogus, non secure rrset with Unbound as local caching resolver
Olav Morken
olav.morken at uninett.no
Thu Mar 3 07:58:02 UTC 2016
On Wed, Mar 02, 2016 at 16:58:38 +0000, Tony Finch wrote:
> Olav Morken via Unbound-users <unbound-users at unbound.net> wrote:
> >
> > info: validate(cname): sec_status_secure
> > info: validate(positive): sec_status_secure
> > info: message is bogus, non secure rrset uninett.no. NS IN
> >
> > As far as I can tell, the problem here is caused by extra NS-records in
> > the authority-section that do not include the RRSIG element for the
> > NS-records, but I can't really say that for certain.
>
> This sounds a lot like a problem we discussed last year. See
> https://unbound.net/pipermail/unbound-users/2015-February/003757.html
It looks similar, in that it is caused by extra records, but as far as I
know there shouldn't be any DLV involved here. The uninett.no-zone is
properly delegated from the parent zone.
I also tested with the most recent version from subversion trunk, which
includes the fix mentioned in that thread, but got the same result.
> Does Unbound use CD=1 when forwarding? If so, it should expect to receive
> partially bogus answers and should handle them gracefully.
I checked, and it does set the CD-flag. The full dig command line to
simulate the queries that Unbound sends appears to be:
dig -4 +qr +noadflag +recurse +cdflag +bufsize=4096 +dnssec pingapi.paas.uninett.no @dns-resolver1.uninett.no
I.e. the packets have the RD, CD and DO flags set.
I grabbed the output from dig yesterday evening. If anyone is curious, I
uploaded it here:
https://gist.github.com/olavmrk/c62f099736dbc5ef514a
Best regards,
Olav Morken
UNINETT
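The diagnosis above (an NS RRset in the authority section with no RRSIG covering it, received over a query sent with RD, CD and DO set) can be checked mechanically. The following Python script is an added example and is not code from the post or from Unbound: it builds a query carrying the same flag set as the dig command line, parses a DNS response in wire format, and lists, per section, the RRsets that have no RRSIG covering them. The response it inspects is constructed inline (placeholder signature bytes, an NS target of ns.example.net and a 192.0.2.10 address, none of which come from the thread); the only real names used are the ones from the post.

```python
import struct

# Header flag bits (RFC 1035 / RFC 4035) and the DO bit in the OPT TTL field (RFC 6891)
FLAG_RD = 1 << 8
FLAG_CD = 1 << 4
EDNS_DO = 1 << 15
TYPE_A, TYPE_NS, TYPE_OPT, TYPE_RRSIG = 1, 2, 41, 46

def encode_name(name):
    """Owner name to uncompressed wire format."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.rstrip(".").split(".") if l)
    return out + b"\x00"

def build_query(qname, qtype, qid=0x1234, bufsize=4096):
    """Query with RD, CD and an EDNS0 OPT record carrying DO (the dig flag set above)."""
    header = struct.pack("!HHHHHH", qid, FLAG_RD | FLAG_CD, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    # OPT RR: root owner, type 41, UDP size in the class field, DO bit in the TTL field
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, bufsize, EDNS_DO, 0)
    return header + question + opt

def decode_name(msg, off):
    """Read a possibly compressed name; return (dotted name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:            # compression pointer: follow it once
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", end if end is not None else off

def parse_rr(msg, off):
    name, off = decode_name(msg, off)
    rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
    off += 10
    return (name, rtype, msg[off:off + rdlen]), off + rdlen

def parse_message(msg):
    """Return (flags, {section: [(owner, type, rdata), ...]})."""
    _qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _name, off = decode_name(msg, off)
        off += 4                              # skip qtype / qclass
    sections = {}
    for key, count in (("answer", an), ("authority", ns), ("additional", ar)):
        rrs = []
        for _ in range(count):
            rr, off = parse_rr(msg, off)
            rrs.append(rr)
        sections[key] = rrs
    return flags, sections

def unsigned_rrsets(rrs):
    """(owner, type) pairs in one section that no RRSIG in that section covers."""
    present, covered = set(), set()
    for name, rtype, rdata in rrs:
        if rtype == TYPE_RRSIG:
            covered.add((name, struct.unpack("!H", rdata[:2])[0]))  # 'type covered'
        elif rtype != TYPE_OPT:
            present.add((name, rtype))
    return sorted(present - covered)

# --- Constructed sample response (not captured traffic) ---------------------
def build_rr(name, rtype, rdata, ttl=300):
    return encode_name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata

def rrsig_rdata(type_covered, signer):
    """RRSIG RDATA with a zero-filled placeholder signature; only 'type covered' is read."""
    fixed = struct.pack("!HBBIIIH", type_covered, 13, 4, 300,
                        1457600000, 1456400000, 12345)
    return fixed + encode_name(signer) + b"\x00" * 64

QNAME = "pingapi.paas.uninett.no"
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180 | FLAG_CD, 1, 2, 1, 0)
    + encode_name(QNAME) + struct.pack("!HH", TYPE_A, 1)
    + build_rr(QNAME, TYPE_A, bytes([192, 0, 2, 10]))                 # signed answer
    + build_rr(QNAME, TYPE_RRSIG, rrsig_rdata(TYPE_A, "uninett.no"))
    + build_rr("uninett.no", TYPE_NS, encode_name("ns.example.net"))  # NS with no RRSIG
)

def report(msg):
    """Map each section name to its RRsets lacking a covering RRSIG."""
    _flags, sections = parse_message(msg)
    return {sec: unsigned_rrsets(rrs) for sec, rrs in sections.items()}

if __name__ == "__main__":
    for sec, missing in report(SAMPLE_RESPONSE).items():
        print("%-10s unsigned RRsets: %s" % (sec, missing))
```

Run against the constructed response, the answer section comes back clean while the authority section reports `('uninett.no.', 2)`, which is the shape of the "non secure rrset uninett.no. NS IN" line in the Unbound log. To use it on real traffic, send `build_query(...)` over UDP to the forwarder and feed the reply bytes to `report()`; a validator that insists on a signed NS RRset will reject exactly the RRsets this function lists.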