do.havedane.net nsec3 issue (sec_status_insecure) unbound 1.9.1

Stefan Kublinski kublinski at gmail.com
Sun Apr 28 12:07:23 UTC 2019


Hello,

I have an issue with unbound 1.9.1.

I am trying to get tlsa records from domain _25._tcp.do.havedane.net
but this fails with unbound. DNSSEC validation tools report no issues
with that domain though.

query: $ dig -t tlsa _25._tcp.do.havedane.net @::1 +dnssec
which yields NXDOMAIN and no tlsa records, but with Google Public DNS
$ dig -t tlsa _25._tcp.do.havedane.net @8.8.4.4 +dnssec
I do get tlsa records with ad flag

Excerpt from unbound log:

Apr 28 12:56:13 desktop unbound[17175]: [17175:0] info: validator
operate: query _25._tcp.do.havedane.net. TLSA IN
Apr 28 12:56:13 desktop unbound[17175]: [17175:0] debug: NameError
response failed nsec, nsec3 proof was sec_status_insecure
Apr 28 12:56:13 desktop unbound[17175]: [17175:0] info:
validate(nxdomain): sec_status_insecure

But Google Public DNS and DNSSEC validation tools[1] have/report no
issues though.

[1] https://dnssec-analyzer.verisignlabs.com/do.havedane.net and
http://dnsviz.net/d/do.havedane.net/dnssec/

I have this issue with unbound 1.9.1 from Arch repo.

With unbound 1.9.0 from Debian testing repo it works just fine
(sec_status_secure).

So is this a bug with unbound 1.9.1 or do the others not validate properly?

Regards Stefan
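The log excerpt above is the evidence that matters here: unbound accepted the NSEC3 denial-of-existence proof only at sec_status_insecure, so the NXDOMAIN went out unvalidated and the TLSA records never reached the client. Spotting that downgrade in the validator log, rather than noticing missing DANE records later, is the check a resolver operator wants. The parser below is an added example, not code from the post or from the Unbound project; the log lines it parses are constructed from the excerpt (unbound writes each record on one line, so the wrapped lines are re-joined) plus one invented secure lookup for contrast. It pairs each "validator operate: query" line with the validate() verdict that follows and keeps any nsec/nsec3 proof detail, so that names which should be secure but come back insecure can be flagged.

```python
import re

# Constructed sample log, modelled on the excerpt in the post (lines re-joined),
# plus one invented secure lookup so the filter has something to pass through.
SAMPLE_LOG = """\
Apr 28 12:56:13 desktop unbound[17175]: [17175:0] info: validator operate: query _25._tcp.do.havedane.net. TLSA IN
Apr 28 12:56:13 desktop unbound[17175]: [17175:0] debug: NameError response failed nsec, nsec3 proof was sec_status_insecure
Apr 28 12:56:13 desktop unbound[17175]: [17175:0] info: validate(nxdomain): sec_status_insecure
Apr 28 12:56:14 desktop unbound[17175]: [17175:0] info: validator operate: query example.net. A IN
Apr 28 12:56:14 desktop unbound[17175]: [17175:0] info: validate(positive): sec_status_secure
"""

# Patterns for the three message shapes used here (assumed stable for this log format).
QUERY_RE = re.compile(r"validator operate: query (\S+) (\S+) IN")
VERDICT_RE = re.compile(r"validate\((\w+)\): (sec_status_\w+)")
PROOF_RE = re.compile(r"(nsec3? proof was sec_status_\w+)")


def parse_validator_log(text):
    """Group validator log lines into per-query events.

    Each event records the queried name and type, the response kind seen by
    validate() (nxdomain, positive, ...), the final sec_status and any
    nsec/nsec3 proof detail logged in between.
    """
    events = []
    current = None
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            current = {"name": m.group(1), "rtype": m.group(2),
                       "kind": None, "status": None, "detail": []}
            events.append(current)
            continue
        if current is None:
            continue  # verdict without a preceding query line; ignore
        m = PROOF_RE.search(line)
        if m:
            current["detail"].append(m.group(1))
        m = VERDICT_RE.search(line)
        if m:
            current["kind"], current["status"] = m.group(1), m.group(2)
    return events


def insecure_events(text):
    """Return only the queries the validator downgraded to sec_status_insecure.

    For a name that is expected to be signed (as a TLSA name under a DANE
    zone is), an insecure verdict means the answer, or the NXDOMAIN, was
    handed out without DNSSEC protection and deserves an alert.
    """
    return [e for e in parse_validator_log(text)
            if e["status"] == "sec_status_insecure"]


if __name__ == "__main__":
    for e in insecure_events(SAMPLE_LOG):
        print(f"{e['name']} {e['rtype']} -> {e['kind']} {e['status']} {e['detail']}")
```

Feeding the real unbound log through this (verbosity 2 or higher, as in the excerpt) makes the difference between the two installs in the post measurable: the 1.9.0 host should produce no insecure events for the TLSA name, while the 1.9.1 host produces one with the nsec3 proof detail attached.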


