unbound 1.9.1 - No DNSKEY record for key wolfssl.com. while building chain of trust - why?
Christian 'wiwi' Wittenhorst
wiwi at progon.net
Thu Jan 2 18:52:07 UTC 2020
Dear List.
I am failing to understand why wolfssl.com does NOT resolve. Any hints?
Jan 02 19:17:27 rdns0.edu-zg.io unbound[4948]: [4948:0] info: start of
service (unbound 1.9.1).
Jan 02 19:17:29 rdns0.edu-zg.io unbound[4948]: [4948:7] info: validation
failure <wolfssl.com. A IN>: No DNSKEY record for key wolfssl.com. while
building chain of trust
"https://dnssec-analyzer.verisignlabs.com/www.wolfssl.com" does not show
an error.
Version 1.9.1
linked libs: libevent 2.0.21-stable (it uses epoll), OpenSSL 1.0.2k-fips
26 Jan 2017
linked modules: dns64 respip validator iterator
BSD licensed, see LICENSE in source package for details.
Report bugs to unbound-bugs at nlnetlabs.nl
tcpdump shows that DNSKEYs are actually returned.
[wiwi at rdns0 ~]$ whois wolfssl.com
Domain Name: WOLFSSL.COM
Registry Domain ID: 1725393507_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.godaddy.com
Registrar URL: http://www.godaddy.com
Updated Date: 2019-06-06T16:30:17Z
Creation Date: 2012-06-06T01:15:53Z
Registry Expiry Date: 2020-06-06T01:15:53Z
Registrar: GoDaddy.com, LLC
Registrar IANA ID: 146
Registrar Abuse Contact Email: abuse at godaddy.com
Registrar Abuse Contact Phone: 480-624-2505
Domain Status: clientDeleteProhibited
https://icann.org/epp#clientDeleteProhibited
Domain Status: clientRenewProhibited
https://icann.org/epp#clientRenewProhibited
Domain Status: clientTransferProhibited
https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited
https://icann.org/epp#clientUpdateProhibited
Name Server: PDNS11.DOMAINCONTROL.COM
Name Server: PDNS12.DOMAINCONTROL.COM
DNSSEC: signedDelegation
DNSSEC DS Data: 54187 8 1 586DF2D210370733A696650F1F7E2614257F12C5
DNSSEC DS Data: 29029 8 1 5C58C9FB0CF71C81F839D6E36BBCBF030A3CB75A
URL of the ICANN Whois Inaccuracy Complaint Form:
https://www.icann.org/wicf/
>>> Last update of whois database: 2020-01-02T18:19:55Z <<<
[wiwi at rdns0 ~]$ dig wolfssl.com ds @[a-m].gtld-servers.net
; <<>> DiG 9.9.4-RedHat-9.9.4-73.el7_6 <<>> wolfssl.com ds
@m.gtld-servers.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34040
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 13, ADDITIONAL: 27
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;wolfssl.com. IN DS
;; ANSWER SECTION:
wolfssl.com. 86400 IN DS 54187 8 1 586DF2D210370733A696650F1F7E2614257F12C5
wolfssl.com. 86400 IN DS 29029 8 1 5C58C9FB0CF71C81F839D6E36BBCBF030A3CB75A
;; AUTHORITY SECTION:
com. 172800 IN NS f.gtld-servers.net.
com. 172800 IN NS h.gtld-servers.net.
com. 172800 IN NS a.gtld-servers.net.
[wiwi at rdns0 ~]$ dig wolfssl.com ns @[a-m].gtld-servers.net
; <<>> DiG 9.9.4-RedHat-9.9.4-73.el7_6 <<>> wolfssl.com ns
@m.gtld-servers.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9586
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 5
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;wolfssl.com. IN NS
;; AUTHORITY SECTION:
wolfssl.com. 172800 IN NS pdns11.domaincontrol.com.
wolfssl.com. 172800 IN NS pdns12.domaincontrol.com.
;; ADDITIONAL SECTION:
pdns11.domaincontrol.com. 172800 IN AAAA 2603:5:21f2::37
pdns11.domaincontrol.com. 172800 IN A 97.74.111.55
pdns12.domaincontrol.com. 172800 IN A 173.201.79.55
pdns12.domaincontrol.com. 172800 IN AAAA 2603:5:22f2::37
[wiwi at rdns0 ~]$ dig wolfssl.com dnskey +dnssec @pdns12.domaincontrol.com.
;; Truncated, retrying in TCP mode.
; <<>> DiG 9.9.4-RedHat-9.9.4-73.el7_6 <<>> wolfssl.com dnskey +dnssec
@pdns12.domaincontrol.com.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12098
;; flags: qr aa rd; QUERY: 1, ANSWER: 5, AUTHORITY: 3, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1472
;; QUESTION SECTION:
;wolfssl.com. IN DNSKEY
;; ANSWER SECTION:
wolfssl.com. 3600 IN DNSKEY 257 3 8
AwEAAeuDjCM2yxIKeSzzEcWJIqHXCiZPZlAWxLbqP6EzB/tV4YEBpVNx
gFg9zQPGGgMi1DzskNYMvxyFkTYIFMX1iNULKOSswyPBxPaeR6TJ6PB2
fL4UGjnLGohlUPraFINVu8KNQOn/nVnTY3cdyZG7CM2pZDInilgT3S3b
RsPzZKhxbEDUTciH3nNtZ+adOVrAHMUFCqCtdUhBc4UzX3YG0QlvYrpP
tF7QbUKoX1FCl5xfnkJUUDMdytmSI+GiFZqpFj5SyRaEDORWuCUIRErp
Jd0rB9ebz61yfV5OYTELSS8NBeIoIqSnJzUNljkSqxrXvYb3LM9+9Loq nHfiIl/OOvM=
wolfssl.com. 3600 IN DNSKEY 257 3 8
AwEAAbibT2uFcRnWZbypTRQari8EA8UtZFCi/itqREiRPra/7A6VjTL6
vIbrQlAO0bpCKa+2vCKpYzGOt4Bjs5qVf9BiSU1IaAe+JvigAEWkORNQ
w+1DFZ0ZJCc7TnMoqPp9etOZHtEx/UoTS8dCHDsHa4UMghsDwklZ8tj9
gFYRdIVULyIpNNO7woj6J1tQqy0/DRd3DCqtaF9HcaD/7VqIvDoDrCs9
r8tkaFWikxzcEg5G2gyUxmdoq9wzzkgr6FO7jqR+BnSQ+CqaTI4cjUmD
TaS/AQpHcNSqBQCEep8liD+qo1kwAZ7xhbASeeXqW1LLyp98aKhSlPzd JPE2tm3QL70=
wolfssl.com. 3600 IN DNSKEY 256 3 8
AwEAAcoqW8bT4ywr3Ce+J2629UiJk4X9uIqY1m4kGrSdIPOnn4JnQHj1
vQ1U/mu5bTEsRK00+vmHs33pPNVxvxh8yMmVjo7cPNaP1IYiOBdMnKJX
L4fw9muhr4pziyJd7rhvTd74fDNu/cnGjSGEINXHMTmyAa6ZbZUtuY74
Df+uioDKC93wXbJUfauCvN/6g6s9OKRoA24p4b/I20/ClK85KkTu6k7t
PnN3cU0IKJxuU1AXihABuF3o2tYcMOJVEbiQLIK7SlfJnk0E5vfBbOkn
2EfEWpWZ0RGkkMulK0LMq39yNbX3tQPFrEJABNChxhkgxIGaajaUMOLk 3LgVdsPJ8lU=
wolfssl.com. 3600 IN DNSKEY 256 3 8
AwEAAcLSvxos9ERtEj94msxFNTRASIcBWYLWF5EIhCASDP+qjGptlBNl
K+o1kmqQ0sSDncbZfAPqupXOjl0NR64fbDG6jVdpLTR3Dcr57eaq9kE0
1d6iLj7zoQEINZ9zIk8EmCFLQJmaatsXwYcwter0MkL4CBa33/BsS0F5
foOHScFW3q8IMIFckLkaGv5deE+oI29gcsBnU2cTkvRPWFBl3AWM8mkr
HZcYPSQcC/Zpo1cAzHk/xShAtaGRnYlzC3KIZbAhNfp7bW7SuOJ1O7L0
M0G8Tl1sEkl3M0QbM4EKHQol8vjkXf8gvI/jCVg5nB9MPO88RqjYA7bL IumTJNxH+lE=
wolfssl.com. 3600 IN RRSIG DNSKEY 8 2 3600 20200114231625
20191230231625 54187 wolfssl.com.
XtctZDTBA83dmP1bLWYqhY4DvX7C7K/FiUnEiNQ2ZiY1s5PR/HosHBAR
8rvI/V9HZnE4uEK8BqM0FTn/EljA5pkLmlt/QZkSUPzjnsUkebmTge48
HQDlcUPRRa38aYQlxU9tWDfLA5pquvOzeRNOAX6pNEX0DcJ+j6ChBepe
2Zqi1dV/XZDIlsSLNxnQ5fgwXyQTYnWrcFa19s0PQfG38N8VQFkT2wj8
asrpY5cq39IloHa6/kQ9L8GU8x7ZaIv/tNeaUeoOR24hTuj5/tK4XUuk
0TcyBNJTED+Dpr1yKqyfbev/qbyyfLwYlPoilXizaee3L8405HyzKUVP mgqh8Q==
;; AUTHORITY SECTION:
wolfssl.com. 3600 IN NS pdns11.domaincontrol.com.
wolfssl.com. 3600 IN NS pdns12.domaincontrol.com.
wolfssl.com. 3600 IN RRSIG NS 8 2 3600 20200114231625 20191230231625
58008 wolfssl.com.
CNK3+5fCh0yDowU9y26j0xAgxVuTvyYzsbqZBoaeGeLCxE4a5jahLukl
sHQsnKyoLxaXIZgiK+MYEuFP+HdebEZQE4THmp0okCiqWJr1SPW9sllw
wP+S2qn4TjJUbyyZ0FjZ8aR8QjF6Wep0Pjd48EI3lPOMZOz+ISwDeJVD
zkK2/yaYnPhl8giEX20VPCA5oXA4wiJ5MFzFJlyTRficeyDq6ZYee+78
uQdUA9y3BGliws5GD5q+q4MIjHaNev6225NjYV2hkUCrHpV4UQjxHfQV
3hsaRs0d9A65svpGhQ4zQ+2nS8MA6hxtVtbkXWRXxUx3pTKQmANkg4qB rkSbtw==
;; Query time: 7 msec
;; SERVER: 173.201.79.55#53(173.201.79.55)
;; WHEN: Thu Jan 02 19:27:50 CET 2020
;; MSG SIZE rcvd: 1798
19:37:53.794666 IP (tos 0x0, ttl 60, id 60188, offset 0, flags [none],
proto UDP (17), length 479)
192.54.112.30.domain > 85.158.27.148.35318: 49620- 0/5/5 (451)
19:37:53.795101 IP (tos 0x0, ttl 64, id 8933, offset 0, flags [none],
proto UDP (17), length 68)
85.158.27.148.22524 > 192.31.80.30.domain: 21352% [1au] DNSKEY?
wolfssl.com. (40)
19:37:53.808691 IP (tos 0x0, ttl 54, id 10257, offset 0, flags [none],
proto UDP (17), length 479)
192.31.80.30.domain > 85.158.27.148.22524: 21352- 0/5/5 (451)
19:37:53.809198 IP (tos 0x0, ttl 64, id 22140, offset 0, flags [none],
proto UDP (17), length 68)
85.158.27.148.28753 > 173.201.79.55.domain: 25715% [1au] DNSKEY?
WOLfSsl.com. (40)
19:37:53.815973 IP (tos 0x0, ttl 55, id 63035, offset 0, flags [DF],
proto UDP (17), length 1471)
173.201.79.55.domain > 85.158.27.148.28753: 25715*-| 5/0/1
WOLfSsl.com. DNSKEY, WOLfSsl.com. DNSKEY, WOLfSsl.com. DNSKEY,
WOLfSsl.com. DNSKEY, WOLfSsl.com. RRSIG (1443)
19:37:53.816413 IP (tos 0x0, ttl 64, id 49466, offset 0, flags [none],
proto UDP (17), length 68)
85.158.27.148.6099 > 97.74.111.55.domain: 11838% [1au] DNSKEY?
WolfsSL.coM. (40)
19:37:53.823225 IP (tos 0x0, ttl 55, id 61130, offset 0, flags [DF],
proto UDP (17), length 1471)
97.74.111.55.domain > 85.158.27.148.6099: 11838*-| 5/0/1
WolfsSL.coM. DNSKEY, WolfsSL.coM. DNSKEY, WolfsSL.coM. DNSKEY,
WolfsSL.coM. DNSKEY, WolfsSL.coM. RRSIG (1443)
19:37:53.823740 IP (tos 0x0, ttl 64, id 48, offset 0, flags [none],
proto UDP (17), length 68)
127.0.0.1.domain > 127.0.0.1.39245: 54478 ServFail 0/0/1 (40)
19:37:53.823790 IP (tos 0x0, ttl 64, id 49, offset 0, flags [none],
proto UDP (17), length 68)
127.0.0.1.domain > 127.0.0.1.39245: 54478 ServFail 0/0/1 (40)
19:37:54.012318 IP (tos 0x0, ttl 126, id 8073, offset 0, flags [none],
proto UDP (17), length 72)
81.94.121.16.55673 > 85.158.27.148.domain: 59040+ PTR?
136.26.31.172.in-addr.arpa. (44)
19:37:54.012609 IP (tos 0x0, ttl 64, id 26455, offset 0, flags [none],
proto UDP (17), length 131)
85.158.27.148.domain > 81.94.121.16.55673: 59040 NXDomain* 0/1/0 (103)
19:37:54.070734 IP (tos 0x0, ttl 64, id 6121, offset 0, flags [none],
proto UDP (17), length 68)
85.158.27.148.57732 > 192.33.14.30.domain: 58187% [1au] A?
AS34288.NEt. (40)
19:37:54.085119 IP (tos 0x0, ttl 54, id 32042, offset 0, flags [none],
proto UDP (17), length 435)
192.33.14.30.domain > 85.158.27.148.57732: 58187- 0/4/5 (407)
Best regards
Christian
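
A check that can be run against records like those above: recompute each DNSKEY's key tag (RFC 4034 Appendix B) and DS digest, then see which entries of the parent's DS set are covered by a served key. This is an added example, not part of the original post; the function names and the two dummy sample keys are constructed for illustration.

```python
import base64
import hashlib
import struct

# DS digest types: 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509)
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}


def owner_wire(name):
    """Canonical wire form of the owner name: lower-cased, length-prefixed labels."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, key_b64):
    """DNSKEY RDATA: flags (2 bytes), protocol, algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(key_b64)


def key_tag(rdata):
    """Key tag over the DNSKEY RDATA, RFC 4034 Appendix B."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF


def make_ds(owner, rdata, digest_type):
    """DS fields (key tag, algorithm, digest type, hex digest) for one DNSKEY."""
    digest = DIGESTS[digest_type](owner_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), rdata[3], digest_type, digest


def match_ds(owner, ds_set, dnskeys):
    """For each DS, return the DNSKEY tuple it covers, or None if none matches."""
    result = {}
    for tag, alg, dtype, digest in ds_set:
        want = (tag, alg, dtype, digest.upper())
        result[tag] = None
        for key in dnskeys:
            if dtype in DIGESTS and make_ds(owner, dnskey_rdata(*key), dtype) == want:
                result[tag] = key
    return result


# Constructed sample keys (8-byte dummy key material), not the keys from the post.
KSK = (257, 3, 8, "AQIDBAUGBwg=")
ZSK = (256, 3, 8, "CQoLDA0ODxA=")

if __name__ == "__main__":
    good = make_ds("wolfssl.com.", dnskey_rdata(*KSK), 1)
    stale = (12345, 8, 1, "00" * 20)  # DS with no corresponding DNSKEY
    print(match_ds("WOLfSsl.com.", [good, stale], [KSK, ZSK]))
```

The owner name is lower-cased before hashing, so the mixed-case query names visible in the tcpdump output do not change the digest. `base64.b64decode` ignores the spaces dig prints inside key material, so DNSKEY fields can be pasted as shown.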