unbound 1.7.3 - Verified that unsigned response is INSECURE
Jochen Becker
jochen.becker3 at freenet.de
Tue Oct 30 09:19:49 UTC 2018
Hi unbound users,
I am new to DNS, new to unbound and new to the list, so please bear with me.
My setup:
dedicated machine to run as a caching resolver in my LAN
ubuntu server 18.10
unbound 1.7.3
This is my unbound.conf
server:
    # chroot: "/etc/unbound"
    username: "unbound"
    directory: "/etc/unbound"
    port: 53
    do-ip4: yes
    do-ip6: no
    do-tcp: yes
    do-udp: no
    # do-udp: yes
    tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
    interface: 0.0.0.0
    interface-automatic: yes
    access-control: x.y.z.0/24 allow # some private class C net
    root-hints: "root.hints"
    prefetch: yes
    prefetch-key: yes
    use-caps-for-id: yes
    statistics-interval: 600
    statistics-cumulative: yes
    hide-identity: yes
    hide-version: yes
    verbosity: 2
    minimal-responses: yes
    rrset-roundrobin: yes
    ssl-upstream: yes
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 146.185.167.43@853#dot.securedns.eu
    forward-addr: 185.49.141.37@853#getdnsapi.net
    forward-addr: 89.233.43.71@853#unicast.censurfridns.dk
According to my configuration I would have expected to have both DNSSEC
and TLS encryption switched on. The following dig proves this:
$ sudo dig de. SOA
; <<>> DiG 9.11.4-3ubuntu5-Ubuntu <<>> de. SOA
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19839
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;de. IN SOA
;; ANSWER SECTION:
de. 7174 IN SOA f.nic.de. its.denic.de. 2018103033 7200 7200 3600000 7200
;; Query time: 356 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Di Okt 30 08:32:15 UTC 2018
;; MSG SIZE rcvd: 83
unbound logs look like this:
Okt 30 08:32:15 dnsserver1 unbound[718]: [718:0] info: resolving de. SOA IN
Okt 30 08:32:15 dnsserver1 unbound[718]: [718:0] info: response for de. SOA IN
Okt 30 08:32:15 dnsserver1 unbound[718]: [718:0] info: reply from <.> 146.185.167.43#853
Okt 30 08:32:15 dnsserver1 unbound[718]: [718:0] info: query response was ANSWER
Okt 30 08:32:15 dnsserver1 unbound[718]: [718:0] info: validated DS de. DS IN
Okt 30 08:32:15 dnsserver1 unbound[718]: [718:0] info: resolving de. DNSKEY IN
Okt 30 08:32:15 dnsserver1 unbound[718]: [718:0] info: response for de. DNSKEY IN
Okt 30 08:32:15 dnsserver1 unbound[718]: [718:0] info: reply from <.> 185.49.141.37#853
Okt 30 08:32:15 dnsserver1 unbound[718]: [718:0] info: query response was ANSWER
Okt 30 08:32:15 dnsserver1 unbound[718]: [718:0] info: validated DNSKEY de. DNSKEY IN
Okt 30 08:32:15 dnsserver1 unbound[718]: [718:0] info: validate(positive): sec_status_secure
Okt 30 08:32:15 dnsserver1 unbound[718]: [718:0] info: validation success de. SOA IN
This is what I had expected.
However, most of the time my logs show lines like the ones below, for
example after a dig like
$ sudo dig ubuntuusers.de SOA +dnssec
; <<>> DiG 9.11.4-3ubuntu5-Ubuntu <<>> ubuntuusers.de SOA +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35576
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;ubuntuusers.de. IN SOA
;; ANSWER SECTION:
ubuntuusers.de. 86294 IN SOA ubuntuusers.de. webmaster.ubuntuusers.de. 2006072320 10000 3600 2419200 1200
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Di Okt 30 08:38:33 UTC 2018
;; MSG SIZE rcvd: 89
$
This is what unbound logs:
Okt 30 08:36:47 dnsserver1 unbound[718]: [718:0] info: resolving ubuntuusers.de. SOA IN
Okt 30 08:36:47 dnsserver1 unbound[718]: [718:0] info: response for ubuntuusers.de. SOA IN
Okt 30 08:36:47 dnsserver1 unbound[718]: [718:0] info: reply from <.> 185.49.141.37#853
Okt 30 08:36:47 dnsserver1 unbound[718]: [718:0] info: query response was ANSWER
Okt 30 08:36:47 dnsserver1 unbound[718]: [718:0] info: resolving ubuntuusers.de. DS IN
Okt 30 08:36:47 dnsserver1 unbound[718]: [718:0] info: response for ubuntuusers.de. DS IN
Okt 30 08:36:47 dnsserver1 unbound[718]: [718:0] info: reply from <.> 146.185.167.43#853
Okt 30 08:36:47 dnsserver1 unbound[718]: [718:0] info: query response was nodata ANSWER
Okt 30 08:36:47 dnsserver1 unbound[718]: [718:0] info: NSEC3s for the referral proved no DS.
Okt 30 08:36:47 dnsserver1 unbound[718]: [718:0] info: Verified that unsigned response is INSECURE
To me, this looks like no DNSSEC and maybe no TLS encryption, though I
see the #853s.
What is going wrong here?
Thanks for your help.
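As an added example (not part of the original post), a small Python classifier over the unbound log lines quoted above that maps each name to the validation outcome unbound reported: secure, insecure (zone provably unsigned, which is what "NSEC3s for the referral proved no DS" followed by "Verified that unsigned response is INSECURE" records) or bogus. The `bad.example.` lines and the exact "validation failure" wording are constructed assumptions, not taken from the post.

```python
import re

# Log lines copied from the post above (wrapped lines joined), plus two constructed
# lines for bad.example.; the "validation failure" wording is an assumption.
SAMPLE_LOG = """\
Okt 30 08:32:15 dnsserver1 unbound[718]: [718:0] info: resolving de. SOA IN
Okt 30 08:32:15 dnsserver1 unbound[718]: [718:0] info: validation success de. SOA IN
Okt 30 08:36:47 dnsserver1 unbound[718]: [718:0] info: resolving ubuntuusers.de. SOA IN
Okt 30 08:36:47 dnsserver1 unbound[718]: [718:0] info: resolving ubuntuusers.de. DS IN
Okt 30 08:36:47 dnsserver1 unbound[718]: [718:0] info: NSEC3s for the referral proved no DS.
Okt 30 08:36:47 dnsserver1 unbound[718]: [718:0] info: Verified that unsigned response is INSECURE
Okt 30 08:40:00 dnsserver1 unbound[718]: [718:0] info: resolving bad.example. A IN
Okt 30 08:40:00 dnsserver1 unbound[718]: [718:0] info: validation failure bad.example. A IN: signature crypto failed
"""

INFO_RE = re.compile(r"\binfo: (?P<msg>.*)$")
RESOLVING_RE = re.compile(r"^resolving (?P<name>\S+) \S+ IN$")
SUCCESS_RE = re.compile(r"^validation success (?P<name>\S+) \S+ IN$")
FAILURE_RE = re.compile(r"^validation failure (?P<name>\S+) \S+ IN: (?P<why>.*)$")
INSECURE_MSG = "Verified that unsigned response is INSECURE"

def classify(log_text):
    """Map each validated name to (status, evidence).
    secure: chain of trust verified; insecure: zone provably unsigned (NSEC/NSEC3
    proved no DS), the normal outcome for an unsigned domain, not an error;
    bogus: signatures present but failed to verify, unbound answers SERVFAIL."""
    results = {}
    current = None   # owner name of the most recent "resolving" line
    proof = None     # denial-of-existence message seen before an INSECURE line
    for line in log_text.splitlines():
        m = INFO_RE.search(line)
        if not m:
            continue
        msg = m.group("msg")
        r, s, f = RESOLVING_RE.match(msg), SUCCESS_RE.match(msg), FAILURE_RE.match(msg)
        if r:
            current = r.group("name")
        elif s:
            results[s.group("name")] = ("secure", msg)
        elif f:
            results[f.group("name")] = ("bogus", f.group("why"))
        elif "proved no DS" in msg:
            proof = msg
        elif msg == INSECURE_MSG and current:
            # this line names no owner, so attribute it to the last subquery (the DS lookup)
            results[current] = ("insecure", proof or msg)
            proof = None
    return results
```

Run it as `python3 classify.py` after adding a loop that prints `classify(SAMPLE_LOG)`; feeding real lines (`journalctl -u unbound` with `verbosity: 2`) in place of the sample works the same way.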