Query forwarding & DNSSEC

Havard Eidnes he at uninett.no
Thu Sep 26 16:32:48 UTC 2019


Hi,

following up to my own question with a little more information:

> However, for whatever reason, lookups in what can be called the
> "local domain" fail with SERVFAIL.  Cranking up the logging of
> unbound, I find in the log
>
> info: Could not establish a chain of trust to keys for example.no. DNSKEY IN
>
> (actual name withheld).  I've run "dig" towards both of the
> forward-addr listed name servers, and they both return a "nodata"
> response when queried for the DNSKEY or the DS record for the
> "example.no" domain (as they should).  So why does unbound think
> it has a DNSKEY to validate against?!?

Actually, when I do

dig @<local-upstream-resolver> example.no. ds

what I get back is a "nodata" response, but the authority section
contains the example.no SOA record (and the AA flag is set), and
not the .NO SOA, as it should if the upstream name servers knew
the special rule for placement of authority for the DS record
(which rests with the parents), which the upstream name servers
apparently don't.  And of course, since the upstreams don't do
DNSSEC validation, no DNSSEC proof of the non-existence of the DS
record is provided.  The .NO domain is signed, so unbound is
probably unable to verify that there is no DS record for the
example.no zone...  ...in which case the error message logged
could be a little bit clearer...

Regards,

- Håvard
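
The DS check described in the message above, as an added example that is not part of the original post: a Python check that reads `dig` text output for a DS query and reports why a validating resolver could not use it as proof that the child zone is unsigned. Both `dig` outputs are constructed samples, and the function names and result codes are hypothetical.

```python
import re

# Constructed dig output of the kind the message describes: DS nodata, AA set,
# the child zone's SOA in the authority section, no DNSSEC records.
UPSTREAM = """\
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; AUTHORITY SECTION:
example.no. 3600 IN SOA ns.example.no. hostmaster.example.no. 1 7200 3600 604800 3600
"""

# Constructed contrast: parent SOA plus a signed NSEC3 denial (rdata shortened).
SIGNED = """\
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
;; AUTHORITY SECTION:
no. 3600 IN SOA ns.example. hostmaster.example. 1 7200 3600 604800 3600
no. 3600 IN RRSIG SOA 13 1 3600 (constructed)
hash0.no. 3600 IN NSEC3 1 1 0 - hash1 NS
hash0.no. 3600 IN RRSIG NSEC3 13 2 3600 (constructed)
"""

def parse_dig(text):
    """Return (header flags, [(owner, rrtype)] from the authority section)."""
    flags, authority, section = set(), [], None
    for line in text.splitlines():
        m = re.match(r";; flags:([^;]*);", line)
        if m:
            flags = set(m.group(1).split())
        elif line.startswith(";; ") and line.rstrip().endswith("SECTION:"):
            section = line.split()[1]
        elif section == "AUTHORITY" and line.strip() and not line.startswith(";"):
            fields = line.split()  # owner ttl class type rdata...
            authority.append((fields[0].lower(), fields[3].upper()))
    return flags, authority

def check_ds_nodata(text, child):
    """Return reasons this DS nodata response cannot prove the child is unsigned."""
    flags, authority = parse_dig(text)
    child = child.lower().rstrip(".") + "."
    types = {rrtype for _, rrtype in authority}
    problems = []
    if (child, "SOA") in authority:
        # With AA set, the server answered from its own copy of the child zone.
        problems.append("child-soa-aa" if "aa" in flags else "child-soa")
    if not types & {"NSEC", "NSEC3"}:
        problems.append("no-nsec")   # nothing denies the existence of the DS record
    if "RRSIG" not in types:
        problems.append("no-rrsig")  # nothing signed for a validator to check
    return problems
```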


