unbound 1.9.1 - No DNSKEY record for key wolfssl.com. while building chain of trust - why?
Ralph Dolmans
ralph at nlnetlabs.nl
Fri Jan 3 16:00:40 UTC 2020
Hi Christian,
I am not able to reproduce that behavior. Resolves and validates here.
Try to increase the logging verbosity in Unbound to find out if Unbound
is able to retrieve the DNSKEY record during validation. And if so why
it is discarded.
-- Ralph
On 02-01-2020 19:52, Christian 'wiwi' Wittenhorst via unbound-users wrote:
> Dear List.
>
> I am failing to understand why wolfssl.com does NOT resolve. Any hints?
>
> Jan 02 19:17:27 rdns0.edu-zg.io unbound[4948]: [4948:0] info: start of
> service (unbound 1.9.1).
> Jan 02 19:17:29 rdns0.edu-zg.io unbound[4948]: [4948:7] info: validation
> failure <wolfssl.com. A IN>: No DNSKEY record for key wolfssl.com. while
> building chain of trust
>
> "https://dnssec-analyzer.verisignlabs.com/www.wolfssl.com" does not show
> an error.
>
> Version 1.9.1
> linked libs: libevent 2.0.21-stable (it uses epoll), OpenSSL 1.0.2k-fips
> 26 Jan 2017
> linked modules: dns64 respip validator iterator
> BSD licensed, see LICENSE in source package for details.
> Report bugs to unbound-bugs at nlnetlabs.nl
>
> tcpdump shows that DNSKEYs are actually returned.
>
> [wiwi@rdns0 ~]$ whois wolfssl.com
> Domain Name: WOLFSSL.COM
> Registry Domain ID: 1725393507_DOMAIN_COM-VRSN
> Registrar WHOIS Server: whois.godaddy.com
> Registrar URL: http://www.godaddy.com
> Updated Date: 2019-06-06T16:30:17Z
> Creation Date: 2012-06-06T01:15:53Z
> Registry Expiry Date: 2020-06-06T01:15:53Z
> Registrar: GoDaddy.com, LLC
> Registrar IANA ID: 146
> Registrar Abuse Contact Email: abuse at godaddy.com
> Registrar Abuse Contact Phone: 480-624-2505
> Domain Status: clientDeleteProhibited
> https://icann.org/epp#clientDeleteProhibited
> Domain Status: clientRenewProhibited
> https://icann.org/epp#clientRenewProhibited
> Domain Status: clientTransferProhibited
> https://icann.org/epp#clientTransferProhibited
> Domain Status: clientUpdateProhibited
> https://icann.org/epp#clientUpdateProhibited
> Name Server: PDNS11.DOMAINCONTROL.COM
> Name Server: PDNS12.DOMAINCONTROL.COM
> DNSSEC: signedDelegation
> DNSSEC DS Data: 54187 8 1 586DF2D210370733A696650F1F7E2614257F12C5
> DNSSEC DS Data: 29029 8 1 5C58C9FB0CF71C81F839D6E36BBCBF030A3CB75A
> URL of the ICANN Whois Inaccuracy Complaint Form:
> https://www.icann.org/wicf/
>>>> Last update of whois database: 2020-01-02T18:19:55Z <<<
>
>
> [wiwi@rdns0 ~]$ dig wolfssl.com ds @[a-m].gtld-servers.net
>
> ; <<>> DiG 9.9.4-RedHat-9.9.4-73.el7_6 <<>> wolfssl.com ds
> @m.gtld-servers.net
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34040
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 13, ADDITIONAL: 27
> ;; WARNING: recursion requested but not available
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;wolfssl.com. IN DS
>
> ;; ANSWER SECTION:
> wolfssl.com. 86400 IN DS 54187 8 1
> 586DF2D210370733A696650F1F7E2614257F12C5
> wolfssl.com. 86400 IN DS 29029 8 1
> 5C58C9FB0CF71C81F839D6E36BBCBF030A3CB75A
>
> ;; AUTHORITY SECTION:
> com. 172800 IN NS f.gtld-servers.net.
> com. 172800 IN NS h.gtld-servers.net.
> com. 172800 IN NS a.gtld-servers.net.
>
>
>
> [wiwi@rdns0 ~]$ dig wolfssl.com ns @[a-m].gtld-servers.net
>
> ; <<>> DiG 9.9.4-RedHat-9.9.4-73.el7_6 <<>> wolfssl.com ns
> @m.gtld-servers.net
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9586
> ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 5
> ;; WARNING: recursion requested but not available
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;wolfssl.com. IN NS
>
> ;; AUTHORITY SECTION:
> wolfssl.com. 172800 IN NS pdns11.domaincontrol.com.
> wolfssl.com. 172800 IN NS pdns12.domaincontrol.com.
>
> ;; ADDITIONAL SECTION:
> pdns11.domaincontrol.com. 172800 IN AAAA 2603:5:21f2::37
> pdns11.domaincontrol.com. 172800 IN A 97.74.111.55
> pdns12.domaincontrol.com. 172800 IN A 173.201.79.55
> pdns12.domaincontrol.com. 172800 IN AAAA 2603:5:22f2::37
>
>
> [wiwi@rdns0 ~]$ dig wolfssl.com dnskey +dnssec @pdns12.domaincontrol.com.
> ;; Truncated, retrying in TCP mode.
>
> ; <<>> DiG 9.9.4-RedHat-9.9.4-73.el7_6 <<>> wolfssl.com dnskey +dnssec
> @pdns12.domaincontrol.com.
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12098
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 5, AUTHORITY: 3, ADDITIONAL: 1
> ;; WARNING: recursion requested but not available
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 1472
> ;; QUESTION SECTION:
> ;wolfssl.com. IN DNSKEY
>
> ;; ANSWER SECTION:
> wolfssl.com. 3600 IN DNSKEY 257 3 8
> AwEAAeuDjCM2yxIKeSzzEcWJIqHXCiZPZlAWxLbqP6EzB/tV4YEBpVNx
> gFg9zQPGGgMi1DzskNYMvxyFkTYIFMX1iNULKOSswyPBxPaeR6TJ6PB2
> fL4UGjnLGohlUPraFINVu8KNQOn/nVnTY3cdyZG7CM2pZDInilgT3S3b
> RsPzZKhxbEDUTciH3nNtZ+adOVrAHMUFCqCtdUhBc4UzX3YG0QlvYrpP
> tF7QbUKoX1FCl5xfnkJUUDMdytmSI+GiFZqpFj5SyRaEDORWuCUIRErp
> Jd0rB9ebz61yfV5OYTELSS8NBeIoIqSnJzUNljkSqxrXvYb3LM9+9Loq nHfiIl/OOvM=
> wolfssl.com. 3600 IN DNSKEY 257 3 8
> AwEAAbibT2uFcRnWZbypTRQari8EA8UtZFCi/itqREiRPra/7A6VjTL6
> vIbrQlAO0bpCKa+2vCKpYzGOt4Bjs5qVf9BiSU1IaAe+JvigAEWkORNQ
> w+1DFZ0ZJCc7TnMoqPp9etOZHtEx/UoTS8dCHDsHa4UMghsDwklZ8tj9
> gFYRdIVULyIpNNO7woj6J1tQqy0/DRd3DCqtaF9HcaD/7VqIvDoDrCs9
> r8tkaFWikxzcEg5G2gyUxmdoq9wzzkgr6FO7jqR+BnSQ+CqaTI4cjUmD
> TaS/AQpHcNSqBQCEep8liD+qo1kwAZ7xhbASeeXqW1LLyp98aKhSlPzd JPE2tm3QL70=
> wolfssl.com. 3600 IN DNSKEY 256 3 8
> AwEAAcoqW8bT4ywr3Ce+J2629UiJk4X9uIqY1m4kGrSdIPOnn4JnQHj1
> vQ1U/mu5bTEsRK00+vmHs33pPNVxvxh8yMmVjo7cPNaP1IYiOBdMnKJX
> L4fw9muhr4pziyJd7rhvTd74fDNu/cnGjSGEINXHMTmyAa6ZbZUtuY74
> Df+uioDKC93wXbJUfauCvN/6g6s9OKRoA24p4b/I20/ClK85KkTu6k7t
> PnN3cU0IKJxuU1AXihABuF3o2tYcMOJVEbiQLIK7SlfJnk0E5vfBbOkn
> 2EfEWpWZ0RGkkMulK0LMq39yNbX3tQPFrEJABNChxhkgxIGaajaUMOLk 3LgVdsPJ8lU=
> wolfssl.com. 3600 IN DNSKEY 256 3 8
> AwEAAcLSvxos9ERtEj94msxFNTRASIcBWYLWF5EIhCASDP+qjGptlBNl
> K+o1kmqQ0sSDncbZfAPqupXOjl0NR64fbDG6jVdpLTR3Dcr57eaq9kE0
> 1d6iLj7zoQEINZ9zIk8EmCFLQJmaatsXwYcwter0MkL4CBa33/BsS0F5
> foOHScFW3q8IMIFckLkaGv5deE+oI29gcsBnU2cTkvRPWFBl3AWM8mkr
> HZcYPSQcC/Zpo1cAzHk/xShAtaGRnYlzC3KIZbAhNfp7bW7SuOJ1O7L0
> M0G8Tl1sEkl3M0QbM4EKHQol8vjkXf8gvI/jCVg5nB9MPO88RqjYA7bL IumTJNxH+lE=
> wolfssl.com. 3600 IN RRSIG DNSKEY 8 2 3600
> 20200114231625 20191230231625 54187 wolfssl.com.
> XtctZDTBA83dmP1bLWYqhY4DvX7C7K/FiUnEiNQ2ZiY1s5PR/HosHBAR
> 8rvI/V9HZnE4uEK8BqM0FTn/EljA5pkLmlt/QZkSUPzjnsUkebmTge48
> HQDlcUPRRa38aYQlxU9tWDfLA5pquvOzeRNOAX6pNEX0DcJ+j6ChBepe
> 2Zqi1dV/XZDIlsSLNxnQ5fgwXyQTYnWrcFa19s0PQfG38N8VQFkT2wj8
> asrpY5cq39IloHa6/kQ9L8GU8x7ZaIv/tNeaUeoOR24hTuj5/tK4XUuk
> 0TcyBNJTED+Dpr1yKqyfbev/qbyyfLwYlPoilXizaee3L8405HyzKUVP mgqh8Q==
>
> ;; AUTHORITY SECTION:
> wolfssl.com. 3600 IN NS pdns11.domaincontrol.com.
> wolfssl.com. 3600 IN NS pdns12.domaincontrol.com.
> wolfssl.com. 3600 IN RRSIG NS 8 2 3600 20200114231625
> 20191230231625 58008 wolfssl.com.
> CNK3+5fCh0yDowU9y26j0xAgxVuTvyYzsbqZBoaeGeLCxE4a5jahLukl
> sHQsnKyoLxaXIZgiK+MYEuFP+HdebEZQE4THmp0okCiqWJr1SPW9sllw
> wP+S2qn4TjJUbyyZ0FjZ8aR8QjF6Wep0Pjd48EI3lPOMZOz+ISwDeJVD
> zkK2/yaYnPhl8giEX20VPCA5oXA4wiJ5MFzFJlyTRficeyDq6ZYee+78
> uQdUA9y3BGliws5GD5q+q4MIjHaNev6225NjYV2hkUCrHpV4UQjxHfQV
> 3hsaRs0d9A65svpGhQ4zQ+2nS8MA6hxtVtbkXWRXxUx3pTKQmANkg4qB rkSbtw==
>
> ;; Query time: 7 msec
> ;; SERVER: 173.201.79.55#53(173.201.79.55)
> ;; WHEN: Thu Jan 02 19:27:50 CET 2020
> ;; MSG SIZE rcvd: 1798
>
>
> 19:37:53.794666 IP (tos 0x0, ttl 60, id 60188, offset 0, flags [none],
> proto UDP (17), length 479)
> 192.54.112.30.domain > 85.158.27.148.35318: 49620- 0/5/5 (451)
> 19:37:53.795101 IP (tos 0x0, ttl 64, id 8933, offset 0, flags [none],
> proto UDP (17), length 68)
> 85.158.27.148.22524 > 192.31.80.30.domain: 21352% [1au] DNSKEY?
> wolfssl.com. (40)
> 19:37:53.808691 IP (tos 0x0, ttl 54, id 10257, offset 0, flags [none],
> proto UDP (17), length 479)
> 192.31.80.30.domain > 85.158.27.148.22524: 21352- 0/5/5 (451)
> 19:37:53.809198 IP (tos 0x0, ttl 64, id 22140, offset 0, flags [none],
> proto UDP (17), length 68)
> 85.158.27.148.28753 > 173.201.79.55.domain: 25715% [1au] DNSKEY?
> WOLfSsl.com. (40)
> 19:37:53.815973 IP (tos 0x0, ttl 55, id 63035, offset 0, flags [DF],
> proto UDP (17), length 1471)
> 173.201.79.55.domain > 85.158.27.148.28753: 25715*-| 5/0/1
> WOLfSsl.com. DNSKEY, WOLfSsl.com. DNSKEY, WOLfSsl.com. DNSKEY,
> WOLfSsl.com. DNSKEY, WOLfSsl.com. RRSIG (1443)
> 19:37:53.816413 IP (tos 0x0, ttl 64, id 49466, offset 0, flags [none],
> proto UDP (17), length 68)
> 85.158.27.148.6099 > 97.74.111.55.domain: 11838% [1au] DNSKEY?
> WolfsSL.coM. (40)
> 19:37:53.823225 IP (tos 0x0, ttl 55, id 61130, offset 0, flags [DF],
> proto UDP (17), length 1471)
> 97.74.111.55.domain > 85.158.27.148.6099: 11838*-| 5/0/1
> WolfsSL.coM. DNSKEY, WolfsSL.coM. DNSKEY, WolfsSL.coM. DNSKEY,
> WolfsSL.coM. DNSKEY, WolfsSL.coM. RRSIG (1443)
> 19:37:53.823740 IP (tos 0x0, ttl 64, id 48, offset 0, flags [none],
> proto UDP (17), length 68)
> 127.0.0.1.domain > 127.0.0.1.39245: 54478 ServFail 0/0/1 (40)
> 19:37:53.823790 IP (tos 0x0, ttl 64, id 49, offset 0, flags [none],
> proto UDP (17), length 68)
> 127.0.0.1.domain > 127.0.0.1.39245: 54478 ServFail 0/0/1 (40)
> 19:37:54.012318 IP (tos 0x0, ttl 126, id 8073, offset 0, flags [none],
> proto UDP (17), length 72)
> 81.94.121.16.55673 > 85.158.27.148.domain: 59040+ PTR?
> 136.26.31.172.in-addr.arpa. (44)
> 19:37:54.012609 IP (tos 0x0, ttl 64, id 26455, offset 0, flags [none],
> proto UDP (17), length 131)
> 85.158.27.148.domain > 81.94.121.16.55673: 59040 NXDomain* 0/1/0 (103)
> 19:37:54.070734 IP (tos 0x0, ttl 64, id 6121, offset 0, flags [none],
> proto UDP (17), length 68)
> 85.158.27.148.57732 > 192.33.14.30.domain: 58187% [1au] A?
> AS34288.NEt. (40)
> 19:37:54.085119 IP (tos 0x0, ttl 54, id 32042, offset 0, flags [none],
> proto UDP (17), length 435)
> 192.33.14.30.domain > 85.158.27.148.57732: 58187- 0/4/5 (407)
>
>
> Best regards
>
> Christian
>
> _______________________________________________
> unbound-users mailing list
> unbound-users at lists.nlnetlabs.nl
> https://lists.nlnetlabs.nl/mailman/listinfo/unbound-users
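
One way to follow up on the suggestion to check whether the DNSKEY reply actually reaches the validator, as an added example that is not part of the thread: tcpdump prints `|` after the query id when a reply has the TC (truncated) bit set, and such a reply is meant to be retried over TCP. The sample is the DNS lines of the quoted capture re-joined onto single lines; the function names and the `Flags [` match for TCP packets are assumptions of this sketch.

```python
import re

# Constructed sample: DNS lines from the capture quoted above, with the
# mail-wrapped continuation lines re-joined and the IP header lines dropped.
CAPTURE = """\
85.158.27.148.22524 > 192.31.80.30.domain: 21352% [1au] DNSKEY? wolfssl.com. (40)
192.31.80.30.domain > 85.158.27.148.22524: 21352- 0/5/5 (451)
85.158.27.148.28753 > 173.201.79.55.domain: 25715% [1au] DNSKEY? WOLfSsl.com. (40)
173.201.79.55.domain > 85.158.27.148.28753: 25715*-| 5/0/1 WOLfSsl.com. DNSKEY, WOLfSsl.com. DNSKEY, WOLfSsl.com. DNSKEY, WOLfSsl.com. DNSKEY, WOLfSsl.com. RRSIG (1443)
85.158.27.148.6099 > 97.74.111.55.domain: 11838% [1au] DNSKEY? WolfsSL.coM. (40)
97.74.111.55.domain > 85.158.27.148.6099: 11838*-| 5/0/1 WolfsSL.coM. DNSKEY, WolfsSL.coM. DNSKEY, WolfsSL.coM. DNSKEY, WolfsSL.coM. DNSKEY, WolfsSL.coM. RRSIG (1443)
127.0.0.1.domain > 127.0.0.1.39245: 54478 ServFail 0/0/1 (40)
"""

# A reply line: source port 53, query id, flag characters, optional rcode,
# answer/authority/additional counts, optional record list, DNS length.
REPLY = re.compile(
    r"^(?P<server>\S+)\.domain > \S+: (?P<id>\d+)(?P<flags>[*|$-]*) "
    r"(?:(?P<rcode>[A-Za-z]+)\*? )?(?P<an>\d+)/(?P<ns>\d+)/(?P<ar>\d+)"
    r"(?: .*)? \((?P<size>\d+)\)$"
)
# Any TCP packet sent to port 53 of a server (tcpdump prints "Flags [...]").
TCP_TO_SERVER = re.compile(r"> (?P<server>\S+)\.domain: Flags \[")


def parse_replies(text):
    """Return one dict per DNS reply line found in tcpdump text output."""
    replies = []
    for line in text.splitlines():
        m = REPLY.match(line.strip())
        if m:
            replies.append({
                "server": m["server"], "id": int(m["id"]),
                "truncated": "|" in m["flags"],  # '|' means TC=1
                "rcode": m["rcode"] or "NoError",
                "answers": int(m["an"]), "size": int(m["size"]),
            })
    return replies


def unretried_truncations(text):
    """Truncated replies whose server gets no TCP packet in the capture."""
    tcp_servers = {m["server"] for m in TCP_TO_SERVER.finditer(text)}
    return [(r["server"], r["id"], r["size"]) for r in parse_replies(text)
            if r["truncated"] and r["server"] not in tcp_servers]


if __name__ == "__main__":
    for server, qid, size in unretried_truncations(CAPTURE):
        print(f"TC=1 from {server} (id {qid}, {size} bytes), no TCP retry seen")
```

A missing TCP retry only means something if the capture filter included TCP port 53; a UDP-only filter hides the retry even when it happened.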