retrieve TLSA record also if it is not secured by DNSSEC

Wouter Wijngaards wouter at nlnetlabs.nl
Wed Feb 12 12:33:13 UTC 2020


Hi Elmar,

On 11/02/2020 14:51, Elmar Stellnberger via Unbound-users wrote:
>   Currently libunbound returns no data if no correct RRSIG can be found
> as is currently the case for the domain elstel.com.
> Would anyone mind changing libunbound so that it returns the existing
> TLSA record as insecure data?

What you are using is drill.  This is not libunbound.

Libunbound returns the data always, but signals security and insecurity
with flags in the result structure.
https://www.nlnetlabs.nl/documentation/unbound/libunbound/

You seem to be talking about wanting drill's sigchase printout to print
different output for output with wrong RRSIGs?  Sounds like a change for
the ldns package.  Not sure if that is better debug output for that tool.

unbound-host can also perform lookups, including of type TLSA, print them,
and DNSSEC-verify them.  It prints the verification result together
with the data, which may be what you want.  unbound-host uses libunbound
for that.

$ unbound-host -v -f root.key -t TLSA _443._tcp.elstel.com
_443._tcp.elstel.com has TLSA record 3 0 1
A8EDF0CACAF776ACACDFE53564C51556AD325F03A369E4C8F4622B4DC5B06865 (secure)

Best regards, Wouter

> 
> $ ./drill_TLSA elstel.com
> _443._tcp.elstel.com.    3600    IN    TLSA    3 0 1 a8edf0cacaf776acacdfe53564c51556ad325f03a369e4c8f4622b4dc5b06865
> 
> $ ./dig_TLSA elstel.com
> ns name: 198.41.0.4
> ns name: 199.9.14.201
> ns name: 192.33.4.12
> ns name: 199.7.91.13
> ns name: 192.203.230.10
> ns name: 192.5.5.241
> ns name: 192.112.36.4
> ns name: 198.97.190.53
> ns name: 192.36.148.17
> ns name: 192.58.128.30
> ns name: 193.0.14.129
> ns name: 199.7.83.42
> ns name: 202.12.27.33
> 
> Launch a query to find a RRset of type TLSA for zone: 
> _443._tcp.elstel.com with nameservers:
> .   518400 IN NS a.root-servers.net.
> .   518400 IN NS b.root-servers.net.
> .   518400 IN NS c.root-servers.net.
> .   518400 IN NS d.root-servers.net.
> .   518400 IN NS e.root-servers.net.
> .   518400 IN NS f.root-servers.net.
> .   518400 IN NS g.root-servers.net.
> .   518400 IN NS h.root-servers.net.
> .   518400 IN NS i.root-servers.net.
> .   518400 IN NS j.root-servers.net.
> .   518400 IN NS k.root-servers.net.
> .   518400 IN NS l.root-servers.net.
> .   518400 IN NS m.root-servers.net.
> 
> no response but there is a delegation in authority section:com.
> 
> 
> Launch a query to find a RRset of type DNSKEY for zone: .
> 
> ;; DNSKEYset:
> .   172800 IN DNSKEY 257 3 8 
> AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3 
> +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv 
> ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF 
> 0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e 
> oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd 
> RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN R1AkUTV74bU=
> .   172800 IN DNSKEY 256 3 8 
> AwEAAeN+h0loXPKt7lFdW2zKIDkVHyJ1aYGUVE1dMNBlRH3kTn40JKcH 
> iPOs+fy0OFVCBwoKa1s9qZtdyP1UC0hgKoldj3oELK1yLI5MUbTMcNkW 
> bBMRuxRz/CgZJu3IxcmuZWZMbn4LQDMj5YeiUiuWns5vipFGWWpyPyoz 
> QXmenSWOK2GJOwcm7I/DyHVtVdztTvqiHqzy2aRoxwPhmEuAoYzzuNJJ 
> w6JNEnXaN/7l2TIciskFyPVPBFZYHnk+1ma906dfehIR190z3lh1ZESL 
> 2Yy3VIE2QGpRU6Px4ydH5sXxZ2wSMgqNNga4kjnfM1msBqk3EI48RvTT kuV0yb1eFuU=
> 
> 
> ;; RRSIG of the DNSKEYset:
> .   172800 IN RRSIG DNSKEY 8 0 172800 20200221000000 20200131000000 
> 20326 . a90QZixKr3vHcfbornzE7Dl/z75m1+OnTI3qdU2misnifW9xv/ja4uoq 
> ixo59yPLBFRYmQDZntId14xcz/sZbo6XSzhJ2EaSm5WBotq9d1K9LaSa 
> tD1IYLoLKPfhxVcgo0fqz6h8Cdrzb/nHeo4xn/dm+RK03Wcx8n0UPc/Q 
> iXiHsf6uFAjarWm3PrJi0iRhXPKxfjgqbRhJy2knmAM04ZUimN2gpSz2 
> Oc23CsO/JD2hAO/x8b+TgtD9D/Y4Twa1kIeVbdxHNxJOY0x9/H4UbcHv 
> /iFcyB4CLp18QC8ZDBJpIR1EAvCZNTQ3xkeYDiP5nIMn5z4h+eaK4hE6 VqwcfA==
> 
> 
> ;; chain of trust can't be validated: FAILED
> 
> ;; cleanandgo
> 