wildcard dnssec test fails

Viktor Dukhovni ietf-dane at dukhovni.org
Fri Dec 15 00:26:11 UTC 2017

On Thu, Dec 14, 2017 at 02:21:15PM +1000, Sebastian Schmidt wrote:

> I�ve unbound setup on FreeBSD 11.1 and I can�t figure out why "drill
> www.wilda.nsec.0skar.cz" gives SERVFAIL. The domain is from this
> (http://0skar.cz/dns/en) test site where it reports three failures (2a,
> 2b and 4). Any help would be appreciated.

The zone's signatures are weird:

    $ unbound-host -f /usr/local/etc/unbound/root.key -v www.wilda.nsec.0skar.cz
    validation failure <www.wilda.nsec.0skar.cz. A IN>: signature inception after expiration from 2001:1528:132:70::1 for key nsec.0skar.cz. while building chain of trust

    $ dig +noall +ans +nocl +nottl +nosplit +cd +dnssec -t a www.wilda.nsec.0skar.cz
    www.wilda.nsec.0skar.cz. CNAME  flexi.oskarcz.net.
    www.wilda.nsec.0skar.cz. RRSIG  CNAME 10 5 300 20800101000000 20140130121330 28887 nsec.0skar.cz. ...
    flexi.oskarcz.net.      A
    flexi.oskarcz.net.      RRSIG   A 10 3 3600 20180108024403 20171209024403 31880 oskarcz.net. ...

Note the RRSIG dates for the CNAME:

    Inception:  20140130121330
    Expiration: 20800101000000

Perhaps unbound is comparing these as 32-bit timestamps.  Just
under 66 years is an impressive validity range, if intentional.


More information about the Unbound-users mailing list