retrieve TLSA record also if it is not secured by DNSSEC

Elmar Stellnberger estellnb at gmail.com
Tue Feb 11 13:51:19 UTC 2020


   Currently libunbound returns no data if no correct RRSIG can be found,
as is currently the case for the domain elstel.com.
Would anyone mind changing libunbound so that it returns the existing
TLSA record as insecure data?

$ ./drill_TLSA elstel.com
_443._tcp.elstel.com.    3600    IN    TLSA    3 0 1 a8edf0cacaf776acacdfe53564c51556ad325f03a369e4c8f4622b4dc5b06865

$ ./dig_TLSA elstel.com
ns name: 198.41.0.4
ns name: 199.9.14.201
ns name: 192.33.4.12
ns name: 199.7.91.13
ns name: 192.203.230.10
ns name: 192.5.5.241
ns name: 192.112.36.4
ns name: 198.97.190.53
ns name: 192.36.148.17
ns name: 192.58.128.30
ns name: 193.0.14.129
ns name: 199.7.83.42
ns name: 202.12.27.33

Launch a query to find a RRset of type TLSA for zone:
_443._tcp.elstel.com with nameservers:
.   518400 IN NS a.root-servers.net.
.   518400 IN NS b.root-servers.net.
.   518400 IN NS c.root-servers.net.
.   518400 IN NS d.root-servers.net.
.   518400 IN NS e.root-servers.net.
.   518400 IN NS f.root-servers.net.
.   518400 IN NS g.root-servers.net.
.   518400 IN NS h.root-servers.net.
.   518400 IN NS i.root-servers.net.
.   518400 IN NS j.root-servers.net.
.   518400 IN NS k.root-servers.net.
.   518400 IN NS l.root-servers.net.
.   518400 IN NS m.root-servers.net.

no response but there is a delegation in authority section:com.


Launch a query to find a RRset of type DNSKEY for zone: .

;; DNSKEYset:
.   172800 IN DNSKEY 257 3 8
AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3
+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv
ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF
0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e
oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd
RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN R1AkUTV74bU=
.   172800 IN DNSKEY 256 3 8
AwEAAeN+h0loXPKt7lFdW2zKIDkVHyJ1aYGUVE1dMNBlRH3kTn40JKcH
iPOs+fy0OFVCBwoKa1s9qZtdyP1UC0hgKoldj3oELK1yLI5MUbTMcNkW
bBMRuxRz/CgZJu3IxcmuZWZMbn4LQDMj5YeiUiuWns5vipFGWWpyPyoz
QXmenSWOK2GJOwcm7I/DyHVtVdztTvqiHqzy2aRoxwPhmEuAoYzzuNJJ
w6JNEnXaN/7l2TIciskFyPVPBFZYHnk+1ma906dfehIR190z3lh1ZESL
2Yy3VIE2QGpRU6Px4ydH5sXxZ2wSMgqNNga4kjnfM1msBqk3EI48RvTT kuV0yb1eFuU=


;; RRSIG of the DNSKEYset:
.   172800 IN RRSIG DNSKEY 8 0 172800 20200221000000 20200131000000
20326 . a90QZixKr3vHcfbornzE7Dl/z75m1+OnTI3qdU2misnifW9xv/ja4uoq
ixo59yPLBFRYmQDZntId14xcz/sZbo6XSzhJ2EaSm5WBotq9d1K9LaSa
tD1IYLoLKPfhxVcgo0fqz6h8Cdrzb/nHeo4xn/dm+RK03Wcx8n0UPc/Q
iXiHsf6uFAjarWm3PrJi0iRhXPKxfjgqbRhJy2knmAM04ZUimN2gpSz2
Oc23CsO/JD2hAO/x8b+TgtD9D/Y4Twa1kIeVbdxHNxJOY0x9/H4UbcHv
/iFcyB4CLp18QC8ZDBJpIR1EAvCZNTQ3xkeYDiP5nIMn5z4h+eaK4hE6 VqwcfA==


;; chain of trust can't be validated: FAILED

;; cleanandgo

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nlnetlabs.nl/pipermail/unbound-users/attachments/20200211/3158dca0/attachment.htm>
-------------- next part --------------
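#!/bin/bash
# drill_TLSA: look up the TLSA record for _443._tcp.<domain> with drill,
# chasing the DNSSEC signature chain starting from a root server.
#
# Usage: drill_TLSA [a-m] [-q] <domain>
#   [a-m]     letter of the root server to query (default: a.root-servers.net)
#   -q        accepted for parity with dig_TLSA; it has no effect here
#   <domain>  the domain whose _443._tcp TLSA record is wanted
#
# The output filter below drops every line that starts with ';' (and blank
# lines).  If drill reports its validation verdict in such comment lines, that
# verdict is removed too, so a printed record by itself is not evidence that
# the chain of trust validated.

if [[ "$1" == "--help" ]]; then
  # Quoted so that "[a]" is not expanded as a filename glob.
  echo 'drill_TLSA [a] debian.org'

else
  dns=a.root-servers.net
  # Every argument except the last is either -q or a root-server letter.
  while [[ $# -gt 1 ]]; do
    if [[ "$1" = "-q" ]]; then :
    else dns=$1.root-servers.net
    fi
    shift
  done

  # Without a domain the original queried "_443._tcp." (the root); refuse instead.
  if [[ -z "$1" ]]; then
    echo "drill_TLSA: missing domain argument (try --help)" >&2
    exit 1
  fi

  drill "$dns" +trusted-key=/usr/share/dns/root.key +topdown +sigchase TLSA "_443._tcp.$1" | grep -E -v "^(;.*)?$"
fi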

-------------- next part --------------
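#!/bin/bash
# dig_TLSA: look up the TLSA record for _443._tcp.<domain> with dig,
# chasing the DNSSEC signature chain starting from a root server.
#
# Usage: dig_TLSA [a-m] [-q] <domain>
#   [a-m]     letter of the root server to query (default: a.root-servers.net)
#   -q        print only the answer line(s) whose owner name is the queried
#             name, dropping dig's chase output
#   <domain>  the domain whose _443._tcp TLSA record is wanted
#
# With -q the ';;' status lines (such as "chain of trust can't be validated:
# FAILED") are discarded, so a printed record alone says nothing about whether
# it validated.

if [[ "$1" == "--help" ]]; then
  # Quoted so that "[a]" is not expanded as a filename glob.
  echo 'dig_TLSA [a] debian.org'

else
  dns=a.root-servers.net
  quiet=0
  # Every argument except the last is either -q or a root-server letter.
  while [[ $# -gt 1 ]]; do
    if [[ "$1" = "-q" ]]; then quiet=1
    else dns=$1.root-servers.net
    fi
    shift
  done

  # Without a domain the original queried "_443._tcp." (the root); refuse instead.
  if [[ -z "$1" ]]; then
    echo "dig_TLSA: missing domain argument (try --help)" >&2
    exit 1
  fi

  owner="_443._tcp.$1"
  if [[ $quiet -eq 0 ]]; then
    dig "@$dns" +trusted-key=/usr/share/dns/root.key +topdown +sigchase TLSA "$owner"
  else
    # Keep only lines that begin with the queried owner name, compared
    # literally: the original grep pattern left $1 unquoted and treated the
    # dots as regex wildcards.
    dig "@$dns" +trusted-key=/usr/share/dns/root.key +topdown +sigchase TLSA "$owner" \
      | awk -v owner="$owner" 'index($0, owner) == 1'
  fi

fi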


