retrieve TLSA record also if it is not secured by DNSSEC

Elmar Stellnberger estellnb at gmail.com
Wed Feb 12 14:34:17 UTC 2020


Does anyone care about this? Who has tried to retrieve the TLSA record 
of elstel.com via libunbound? Why does it not return the TLSA record as 
unsafe if it is present but not signed correctly?

Am 11.02.20 um 14:51 schrieb Elmar Stellnberger:
> Currently libunbound returns no data if no correct RRSIG can be 
> found, as is currently the case for the domain elstel.com.
> Would anyone mind changing libunbound so that it returns the existing 
> TLSA record as insecure data?
> $ ./drill_TLSA elstel.com
> _443._tcp.elstel.com.    3600    IN    TLSA    3 0 1 a8edf0cacaf776acacdfe53564c51556ad325f03a369e4c8f4622b4dc5b06865
> $ ./dig_TLSA elstel.com
>
> Launch a query to find a RRset of type TLSA for zone:
> _443._tcp.elstel.com with nameservers:
> .   518400 IN NS a.root-servers.net.
> .   518400 IN NS b.root-servers.net.
> .   518400 IN NS c.root-servers.net.
> .   518400 IN NS d.root-servers.net.
> .   518400 IN NS e.root-servers.net.
> .   518400 IN NS f.root-servers.net.
> .   518400 IN NS g.root-servers.net.
> .   518400 IN NS h.root-servers.net.
> .   518400 IN NS i.root-servers.net.
> .   518400 IN NS j.root-servers.net.
> .   518400 IN NS k.root-servers.net.
> .   518400 IN NS l.root-servers.net.
> .   518400 IN NS m.root-servers.net.
>
> no response but there is a delegation in authority section:com.
>
>
> Launch a query to find a RRset of type DNSKEY for zone: .
>
> ;; DNSKEYset:
> .   172800 IN DNSKEY 257 3 8
> .   172800 IN DNSKEY 256 3 8
>
>
> ;; RRSIG of the DNSKEYset:
> .   172800 IN RRSIG DNSKEY 8 0 172800 20200221000000 20200131000000
> 20326 .
>
>
> ;; chain of trust can't be validated: FAILED
>
> ;; cleanandgo
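The thread turns on what a DANE client may do with a TLSA RRset depending on its DNSSEC state. As an added example (not code from the thread or from libunbound), the block below maps libunbound's ub_result flags (havedata, secure, bogus) to the client action prescribed by RFC 7671 section 4.1, and parses and matches TLSA records in the drill presentation format shown above. UbResult is a constructed stand-in for the real struct, and the certificate bytes in the test are made up.

```python
import hashlib
from dataclasses import dataclass

# Stand-in for libunbound's ub_result, constructed for this example: the field
# names havedata/secure/bogus/data are the real ones, the values are made up.
@dataclass
class UbResult:
    havedata: bool
    secure: bool
    bogus: bool
    data: list  # raw TLSA RDATA bytes, one entry per RR

def tlsa_record_for(cert_der: bytes, usage: int, selector: int, mtype: int,
                    spki_der: bytes = b"") -> str:
    """Build the TLSA presentation text an operator would publish (RFC 6698)."""
    subject = cert_der if selector == 0 else spki_der   # 0 = full cert, 1 = SPKI
    assoc = {0: subject, 1: hashlib.sha256(subject).digest(),
             2: hashlib.sha512(subject).digest()}[mtype]
    return f"{usage} {selector} {mtype} {assoc.hex()}"

def parse_tlsa_presentation(text: str) -> bytes:
    """'3 0 1 a8ed...' (drill/dig format) -> RDATA bytes usage|selector|mtype|assoc."""
    usage, selector, mtype, hexdata = text.split()
    return bytes([int(usage), int(selector), int(mtype)]) + bytes.fromhex(hexdata)

def tlsa_matches(rdata: bytes, cert_der: bytes, spki_der: bytes) -> bool:
    """Check one TLSA RR against the server's end-entity certificate."""
    usage, selector, mtype, assoc = rdata[0], rdata[1], rdata[2], rdata[3:]
    if usage not in (1, 3):            # PKIX-EE/DANE-EE only; 0 and 2 need chain walks
        return False
    if selector not in (0, 1) or mtype not in (0, 1, 2):
        return False                   # unknown selector or matching type
    # Re-derive the association data exactly as the publisher would have.
    expected = parse_tlsa_presentation(
        tlsa_record_for(cert_der, usage, selector, mtype, spki_der))[3:]
    return expected == assoc

def dane_decision(res: UbResult, cert_der: bytes, spki_der: bytes) -> str:
    """Map the DNSSEC state of the TLSA lookup to a client action (RFC 7671 s.4.1)."""
    if res.bogus:
        return "fail"     # validation failed: data must not be used, and no fallback
    if not (res.secure and res.havedata):
        return "pkix"     # insecure or absent TLSA: DANE not applicable, plain PKIX
    if any(tlsa_matches(r, cert_der, spki_der) for r in res.data):
        return "dane-ok"
    return "fail"         # secure TLSA RRset present but no RR matched the cert

ELSTEL_TLSA = parse_tlsa_presentation(  # the record from the thread, 35 bytes of RDATA
    "3 0 1 a8edf0cacaf776acacdfe53564c51556ad325f03a369e4c8f4622b4dc5b06865")
```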