wildcard dnssec test fails
Viktor Dukhovni
ietf-dane at dukhovni.org
Fri Dec 15 00:26:11 UTC 2017
On Thu, Dec 14, 2017 at 02:21:15PM +1000, Sebastian Schmidt wrote:
> I've unbound setup on FreeBSD 11.1 and I can't figure out why "drill
> www.wilda.nsec.0skar.cz" gives SERVFAIL. The domain is from this
> (http://0skar.cz/dns/en) test site where it reports three failures (2a,
> 2b and 4). Any help would be appreciated.
The zone's signatures are weird:
$ unbound-host -f /usr/local/etc/unbound/root.key -v www.wilda.nsec.0skar.cz
...
validation failure <www.wilda.nsec.0skar.cz. A IN>: signature inception after expiration from 2001:1528:132:70::1 for key nsec.0skar.cz. while building chain of trust
...
$ dig +noall +ans +nocl +nottl +nosplit +cd +dnssec -t a www.wilda.nsec.0skar.cz
www.wilda.nsec.0skar.cz. CNAME flexi.oskarcz.net.
www.wilda.nsec.0skar.cz. RRSIG CNAME 10 5 300 20800101000000 20140130121330 28887 nsec.0skar.cz. ...
flexi.oskarcz.net. A 85.239.227.179
flexi.oskarcz.net. RRSIG A 10 3 3600 20180108024403 20171209024403 31880 oskarcz.net. ...
Note the RRSIG dates for the CNAME:
Inception: 20140130121330
Expiration: 20800101000000
Perhaps unbound is comparing these as 32-bit timestamps. Just
under 66 years is an impressive validity range, if intentional.
--
Viktor.
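To illustrate the comparison question raised in the message above, here is an added example (not part of the mailing-list thread, and not Unbound's code) that converts the two RRSIG time fields from the quoted dig output into their 32-bit wire values and checks the validity window two ways: with the RFC 1982 serial-number arithmetic that RFC 4034 section 3.1.5 prescribes for RRSIG times, and with a naive signed 32-bit comparison. The "now" value is a constructed sample set to the date of the message; the function and variable names are this example's own.

```python
import calendar
import time

MOD = 1 << 32    # RRSIG inception/expiration are 32-bit unsigned seconds since epoch
HALF = 1 << 31   # RFC 1982 serial arithmetic: distances below 2^31 mean "later"


def rrsig_time_to_epoch(text):
    """Convert the YYYYMMDDHHmmSS presentation form of an RRSIG time field
    to its 32-bit wire value (seconds since 1970-01-01 UTC, modulo 2^32)."""
    return calendar.timegm(time.strptime(text, "%Y%m%d%H%M%S")) % MOD


def serial_lt(a, b):
    """RFC 1982 'a < b' on 32-bit serial numbers.  A distance of exactly
    2^31 is undefined by the RFC, so it is rejected rather than guessed."""
    d = (b - a) % MOD
    if d == HALF:
        raise ValueError("serial comparison undefined: distance is exactly 2^31")
    return 0 < d < HALF


def to_signed32(v):
    """Reinterpret an unsigned 32-bit value as a signed 32-bit integer."""
    return v - MOD if v >= HALF else v


def signature_window_status(inception, expiration, now):
    """Return how a validator would judge the RRSIG window at time 'now'
    under (a) RFC 1982 serial arithmetic and (b) a naive signed-32-bit
    compare.  All inputs are YYYYMMDDHHmmSS strings."""
    inc = rrsig_time_to_epoch(inception)
    exp = rrsig_time_to_epoch(expiration)
    cur = rrsig_time_to_epoch(now)

    # (a) RFC 4034 section 3.1.5: inception <= now <= expiration in serial arithmetic.
    serial_ok = (inc == cur or serial_lt(inc, cur)) and (cur == exp or serial_lt(cur, exp))

    # (b) Treating the wire values as signed 32-bit integers: any expiration
    # at or beyond 2038-01-19 wraps negative and looks earlier than inception.
    signed_ok = to_signed32(inc) <= to_signed32(cur) <= to_signed32(exp)

    # Length of the window as the RFC intends it (serial distance), in years.
    span_years = ((exp - inc) % MOD) / (365.2425 * 86400)

    return {
        "inception_epoch": inc,
        "expiration_epoch": exp,
        "serial_valid": serial_ok,
        "signed32_valid": signed_ok,
        "span_years": span_years,
    }


if __name__ == "__main__":
    # Time fields taken from the RRSIG over the CNAME in the thread; "now"
    # is a constructed sample equal to the message date (2017-12-15 00:26:11 UTC).
    status = signature_window_status("20140130121330", "20800101000000", "20171215002611")
    for key, value in status.items():
        print(f"{key}: {value}")
```

The serial-arithmetic check accepts the record because the expiration lies less than 2^31 seconds (about 68 years) past the inception, which is exactly the case RFC 4034 delegates to RFC 1982; the signed-32-bit check rejects it with the same symptom the validation log shows, an expiration that appears to precede inception.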