do.havedane.net nsec3 issue (sec_status_insecure) unbound 1.9.1
A. Schulze
sca at andreasschulze.de
Sun Apr 28 13:37:30 UTC 2019
On 28.04.19 at 14:07, Stefan Kublinski via Unbound-users wrote:
> Hello,
>
> I have an issue with unbound 1.9.1.
>
> I am trying to get tlsa records from domain _25._tcp.do.havedane.net
> but this fails with unbound. DNSSEC validation tools report no issues
> with that domain though.
>
> query: $ dig -t tlsa _25._tcp.do.havedane.net @::1 +dnssec
> which yields NXDOMAIN and no tlsa records, but with Google Public DNS
> $ dig -t tlsa _25._tcp.do.havedane.net @8.8.4.4 +dnssec
> I do get tlsa records with ad flag
Google DNS doesn't use qname minimisation.
The nameserver for havedane.net returns NXDOMAIN when I ask for _tcp.do.havedane.net.
Then there can't be a _25._tcp.do.havedane.net.
Only if you disable qname minimisation will Unbound ask havedane.net's nameserver
for "_25._tcp.do" (the full dotted name) and get an answer.
The nameserver for havedane.net should get fixed:
http://dnsviz.net/d/_25._tcp.do.havedane.net/dnssec/
Andreas
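The mechanism Andreas describes, as an added illustration that is not part of the thread and not Unbound's or havedane.net's code: a toy authoritative server that wrongly answers NXDOMAIN for an empty non-terminal (a name that owns no records but has names below it), queried once by a resolver that does qname minimisation (RFC 7816) and treats NXDOMAIN as final per RFC 8020, and once by a resolver that sends the full name. The zone data is constructed; the A record at do.havedane.net is an assumption placed there so the minimised walk fails at _tcp.do.havedane.net, as in the report.

```python
"""
Constructed model: an authoritative server that answers NXDOMAIN for an
empty non-terminal (ENT) versus a resolver that does qname minimisation
(RFC 7816) and, per RFC 8020, treats NXDOMAIN as "nothing exists below".

Added illustration, not Unbound's or havedane.net's code. The zone data is
invented; the A record at do.havedane.net is an assumption so the walk
fails at _tcp.do.havedane.net, as in the mailing-list report.
"""

ZONE_APEX = "havedane.net"
QNAME = "_25._tcp.do.havedane.net"

# Owner names that carry records. "_tcp.do.havedane.net" owns nothing but
# must still exist, because a name below it does: it is an empty non-terminal.
ZONE_RRSETS = {
    "havedane.net": {"SOA": ["ns.havedane.net. hostmaster.havedane.net. 1 1 1 1 1"],
                     "NS": ["ns.havedane.net."]},
    "do.havedane.net": {"A": ["192.0.2.1"]},                           # assumed
    "_25._tcp.do.havedane.net": {"TLSA": ["3 1 1 0123456789abcdef"]},  # invented
}


def labels(name):
    return name.rstrip(".").split(".")


def name_exists(name):
    """A name exists if it owns records or has a descendant that does (RFC 8020)."""
    n = name.rstrip(".")
    return any(owner == n or owner.endswith("." + n) for owner in ZONE_RRSETS)


def auth_answer(qname, qtype, ent_bug):
    """Authoritative server. Returns (rcode, list of RDATA strings).

    ent_bug=True reproduces the misbehaviour: NXDOMAIN for an ENT instead of
    the correct NODATA answer (NOERROR with an empty answer section).
    """
    n = qname.rstrip(".")
    rrsets = ZONE_RRSETS.get(n)
    if rrsets is not None:
        return "NOERROR", list(rrsets.get(qtype, []))   # answer, or NODATA
    if name_exists(n):
        return ("NXDOMAIN", []) if ent_bug else ("NOERROR", [])
    return "NXDOMAIN", []


def resolve(qname, qtype, ent_bug, qname_min):
    """Resolver. Returns (rcode, rdata, name at which resolution stopped).

    With qname_min=True the resolver asks for each ancestor below the zone
    apex first, adding one label per step; this model uses qtype NS for those
    steps, as RFC 7816 suggests (real resolvers may use other types). An
    NXDOMAIN at any step is final (RFC 8020), so the full name is never sent.
    """
    full = labels(qname)
    depth = len(full) - len(labels(ZONE_APEX))   # labels below the apex
    if qname_min:
        for i in range(depth - 1, 0, -1):
            step = ".".join(full[i:])
            rcode, _ = auth_answer(step, "NS", ent_bug)
            if rcode == "NXDOMAIN":
                return "NXDOMAIN", [], step
    rcode, rdata = auth_answer(qname, qtype, ent_bug)
    return rcode, rdata, qname


def scenarios():
    """The three cases from the thread, as (rcode, rdata, stopped_at) tuples."""
    return {
        "buggy server, minimising resolver": resolve(QNAME, "TLSA", True, True),
        "buggy server, full-qname resolver": resolve(QNAME, "TLSA", True, False),
        "fixed server, minimising resolver": resolve(QNAME, "TLSA", False, True),
    }


if __name__ == "__main__":
    for case, (rcode, rdata, stopped_at) in scenarios().items():
        print(f"{case}: {rcode} at {stopped_at}, TLSA={rdata}")
```

The equivalent check against the real servers is the one in the reply: `dig _tcp.do.havedane.net @<authoritative nameserver for havedane.net>` should return NOERROR with an empty answer section (NODATA), never NXDOMAIN. Setting `qname-minimisation: no` in unbound.conf reproduces the full-name behaviour of the second scenario, but that only works around the authoritative server's bug rather than fixing it.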