do.havedane.net nsec3 issue (sec_status_insecure) unbound 1.9.1

Stefan Kublinski kublinski at gmail.com
Sun Apr 28 15:34:08 UTC 2019


Am So., 28. Apr. 2019 um 15:38 Uhr schrieb A. Schulze via
Unbound-users <unbound-users at nlnetlabs.nl>:
> Google DNS doesn't use qname minimization.
> Only if you disable qname minimisation will unbound ask havedane.net's nameserver for "_25._tcp.do" (dotted hostname) and get an answer.

That would imply that unbound's (1.9.0) implementation of qname
minimisation is broken, since Debian's unbound default config has qname
minimisation activated.

Regards, Stefan

Am So., 28. Apr. 2019 um 15:38 Uhr schrieb A. Schulze via
Unbound-users <unbound-users at nlnetlabs.nl>:
>
> Am 28.04.19 um 14:07 schrieb Stefan Kublinski via Unbound-users:
> > Hello,
> >
> > I have an issue with unbound 1.9.1.
> >
> > I am trying to get TLSA records from domain _25._tcp.do.havedane.net
> > but this fails with unbound. DNSSEC validation tools report no issues
> > with that domain though.
> >
> > query: $ dig -t tlsa _25._tcp.do.havedane.net @::1 +dnssec
> > which yields NXDOMAIN and no tlsa records, but with Google Public DNS
> > $ dig -t tlsa _25._tcp.do.havedane.net @8.8.4.4 +dnssec
> > I do get tlsa records with ad flag
>
> Google DNS doesn't use qname minimization.
>
> The nameserver for havedane.net returns NXDOMAIN when I ask for _tcp.do.havedane.net.
> Then there can't be a _25._tcp.do.havedane.net.
>
> Only if you disable qname minimisation will unbound ask havedane.net's nameserver
> for "_25._tcp.do" (dotted hostname) and get an answer.
>
> The nameserver for havedane.net should get fixed:
>
> http://dnsviz.net/d/_25._tcp.do.havedane.net/dnssec/
>
> Andreas
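The following is an added model of the failure Andreas describes, not code from Unbound or from the thread: a resolver walking the name one label at a time (RFC 7816 qname minimisation) stops at the first NXDOMAIN, so an authoritative server that answers NXDOMAIN for the empty non-terminal _tcp.do.havedane.net (instead of NOERROR with no data) makes the TLSA record at _25._tcp.do.havedane.net unreachable, while a resolver sending the full name at once still gets it. The zone contents (the A record at do.havedane.net, the TLSA digest) are constructed for the example.

```python
# Constructed zone: only the leaf and do.havedane.net carry records, so
# _tcp.do.havedane.net is an empty non-terminal (ENT).
ZONE = "havedane.net"
RECORDS = {
    "havedane.net": {"SOA": ["ns1.havedane.net. hostmaster.havedane.net. 1 1h 1h 1w 1h"]},
    "do.havedane.net": {"A": ["192.0.2.25"]},           # constructed
    "_25._tcp.do.havedane.net": {"TLSA": ["3 1 1 <constructed digest>"]},
}

def labels(name):
    return name.rstrip(".").split(".")

def authoritative(qname, qtype, ent_bug):
    """Answer as the zone's server would.
    ent_bug=True models the broken server from the thread: an ENT is reported
    as NXDOMAIN. A correct server answers NODATA (NOERROR, empty) for an ENT."""
    if qname in RECORDS:
        rrs = RECORDS[qname].get(qtype)
        return ("NOERROR", rrs) if rrs else ("NODATA", None)
    is_ent = any(n.endswith("." + qname) for n in RECORDS)
    if is_ent and not ent_bug:
        return ("NODATA", None)
    return ("NXDOMAIN", None)

def resolve(qname, qtype, minimise, ent_bug):
    """Resolver side. minimise=False sends the full name at once (as the thread
    says Google Public DNS does). minimise=True adds one label at a time below
    the zone apex and treats NXDOMAIN at any step as final, since no name can
    exist below a name that does not exist.
    A real resolver uses a different qtype for intermediate steps (RFC 7816
    suggests NS); this model keeps the final qtype, which does not change the
    NXDOMAIN outcome."""
    if not minimise:
        return authoritative(qname, qtype, ent_bug)
    ql = labels(qname)
    rcode, rrs = "NXDOMAIN", None
    for depth in range(len(labels(ZONE)) + 1, len(ql) + 1):
        partial = ".".join(ql[-depth:])
        rcode, rrs = authoritative(partial, qtype, ent_bug)
        if rcode == "NXDOMAIN":
            return ("NXDOMAIN", None)   # walk stops here, as in the thread
    return (rcode, rrs)

if __name__ == "__main__":
    name = "_25._tcp.do.havedane.net"
    print("minimising resolver, broken server :", resolve(name, "TLSA", True, True))
    print("full-name resolver, broken server  :", resolve(name, "TLSA", False, True))
    print("minimising resolver, fixed server  :", resolve(name, "TLSA", True, False))
```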
