Unbound (sometimes) fails to resolve expired entries
Wouter Wijngaards
wouter at nlnetlabs.nl
Fri Jun 12 12:58:52 UTC 2020
Hi Sebastian,
On 12/06/2020 14:41, Sebastian Andrzej Siewior via Unbound-users wrote:
> I'm running here unbound 1.9.0-2+deb10u2 (1.9.0 + 3 fixes on top).
Unbound can prove, at the last piece of your log, with DNSSEC, that
_testentry does not exist. With an NXDOMAIN proof. And because of
that, that means there are no names underneath it, hence it takes that
as the answer.
The config qname-minimisation and harden-below-nxdomain influence
unbound for it. You turn them off and unbound is less likely to fall
into this behaviour. But they are much better turned on, because they
provide nxdomain protection for unused root domains, and qname
minimisation is one of the few working privacy techniques.
Also there is an NXDOMAIN is really NXDOMAIN RFC standard out there,
that says this is how it should work.
That is broken is that you forgot to resign the zone after adding your
test record, hence the NSEC3 denial records prove it does not exist. If
unbound gets there records first, and is configured to do so, it infers
that your sample TXT record does not exist. If it sees the straight up
TXT record first, it looks like it exists, and this persists in the
cache for some time.
This happens because the zone is weird, eg. sign it again, or make an
unsigned delegation into the _testentry subzone. By making an unsigned
delegation, with nameserver NS entries, and then resigning.
Another quick workaround, if you really need it is to add the TXT record
as a local-data statement into unbound config. Unbound can parse the
same zoneformat as zonefiles have and then serves the local data before
it examines if it could be gotten in some other way.
Best regards, Wouter
>
> I added a TXT record for testing. That record resolves fine on the first
> query which is fetched from the upstream DNS-server. Once TTL of the
> record expires the record is fetched again and the TTL is 1h.
> Sometimes I see NXDOMAIN reply with the SOA record instead. Looking at
> the query time, unbound did something. Looking at the TTL it appears
> that unbound thinks that this record is not existing based on DNSSEC.
>
> Here is a sample:
>
> | ;small._testentry.breakpoint.cc. IN TXT
> |
> | ;; ANSWER SECTION:
> | small._testentry.breakpoint.cc. 1533 IN TXT "23F678951D8D4 2 535BD23F678951D8D67FF18184AD1E4DCDA4718A1E0614DB4263463778769B1FC240A3586668CA62472070243CD154460B3BF3B16E7F808C8DD3362F 8A329BEA67Fa3529ac6407975eceba96aed90948fbd8b34753fF18184AD1E4DCDA4718A1E0614DB45B8B17CD8076DEBF5647C6E18C516DDF3D9D209" "C263463778769B1FC240A"
> | small._testentry.breakpoint.cc. 1533 IN RRSIG TXT 8 4 3600 20200625000000 20200604000000 17836 breakpoint.cc. faJFAX0IuV8pefY7TULpfeD3Z2LaZVTTaazjfp5ef4frZlwdHy+3P5NX jfT/X8+KVvP8zkKV eq1Cqz/VR74Ff99fNcW7wnwM6bYHDWd2fR7E0qhO bQ4QEGrA0chFKAYKc71Jhqv9qduYzQiPkJWB1GLo2YCzLP6wPWlV0S0E 0TI=
> |
> | ;; Query time: 0 msec
> | ;; WHEN: Fr Jun 12 12:51:50 CEST 2020
>
> matching unbound log is:
> | Jun 12 12:51:50 unbound[909:1] query: 1.1.1.1 small._testentry.breakpoint.cc. TXT IN
> | Jun 12 12:51:50 unbound[909:1] reply: 1.1.1.1 small._testentry.breakpoint.cc. TXT IN NOERROR 0.000000 1 522
>
> The follwing query (after expired TTL) failed:
>
> | ; <<>> DiG 9.11.5-P4-5.1+deb10u1-Debian <<>> txt small._testentry.breakpoint.cc +dnssec
> | ;; global options: +cmd
> | ;; Got answer:
> | ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 19288
> | ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 8, ADDITIONAL: 1
> |
> | ;; OPT PSEUDOSECTION:
> | ; EDNS: version: 0, flags: do; udp: 4096
> | ;; QUESTION SECTION:
> | ;small._testentry.breakpoint.cc. IN TXT
> |
> | ;; AUTHORITY SECTION:
> | breakpoint.cc. 3600 IN SOA ns.domrobot.com. hostmaster.inwx.de. 2020061002 10800 3600 604800 3600
> | breakpoint.cc. 3600 IN RRSIG SOA 8 2 86400 20200625000000 20200604000000 17836 breakpoint.cc. iTHewyyuXaKwOrvsCg9u0NpdB3VuwzxZxPsK/QumBLRYVkKLGmoaC4ZJ 9f+QUnHkWD9XxPp e4KMHcQJLFjJq7ps9wVYimHk+1a9jlX253OrOpQcD bUWU0eP0URr3vabert76Z/qAWD/k/BMky0b49RIrvtR1y7w8tacGs4Uy M6g=
> | qbhcs6199or0dl4i4bar1i7n3cc1vqpn.breakpoint.cc. 216 IN NSEC3 1 0 1 AB S83Q2OVGP0E7FHQJNV7J5V5LB6CSPEFN A NS SOA MX TXT AAAA SSHFP RRSIG DNSKEY NSEC3PARAM CAA
> | qbhcs6199or0dl4i4bar1i7n3cc1vqpn.breakpoint.cc. 216 IN RRSIG NSEC3 8 3 3600 20200625000000 20200604000000 17836 breakpoint.cc. G24QTyKjAy5gL01kF5PEEm42BazFCb+a13hWnUxwwUpIjxTXay7sY5Ds y IeKrPTJoP653S1T3yDPf8pwdS+ed5somE/aH1bk5bkaTQhQfKCEuQeD cq4lAsjb7YSTYtkQn2BDW2GxlX5D2GE35BpnaFnN89z854ah+nFKNBQj WC0=
> | dn0b8grfgs3s9r91kclagbqcjsu75kf2.breakpoint.cc. 3600 IN NSEC3 1 0 1 AB F6GSHJ9K6R5D0APP3V0QD425LOQ2OL3T CNAME RRSIG
> | dn0b8grfgs3s9r91kclagbqcjsu75kf2.breakpoint.cc. 3600 IN RRSIG NSEC3 8 3 3600 20200625000000 20200604000000 17836 breakpoint.cc. KKuqLp6vlq3KGp8pffg+MfTYIJb0KtoGLQYqNn/iPw8IfiZRHEwohaAu s1RDenaCFE/0Y4rjljBq0G1Gg2AF1F0foQTyTmnp6O3Aq+7Wd/HR/+lc AbPgXrNOIWc7PxztssBxbH5KNtLOkuy4UpRhABJ6O66rSZMdNJHNq4/X LgA=
> | s83q2ovgp0e7fhqjnv7j5v5lb6cspefn.breakpoint.cc. 216 IN NSEC3 1 0 1 AB TCBNVRBS8UKG82HKM6DIC67R68OEV8H6 MX TXT RRSIG
> | s83q2ovgp0e7fhqjnv7j5v5lb6cspefn.breakpoint.cc. 216 IN RRSIG NSEC3 8 3 3600 20200625000000 20200604000000 17836 breakpoint.cc. QhYmntdlFwOOLwxHeentJTGgbFIE+AVeiEuyak2G7W9bSwCm5S2IoAYR i d9gdFry914xxbgZ1USpInclp/0Di+ZBb9YBID5XUIbTz41AnlVGtuTV sd1J9m8URjGmlgTVElSs7PskcMBAvtri+OAIlHRDQbo/2HTJ3pH3nadu jgw=
> |
> | ;; Query time: 58 msec
> | ;; WHEN: Fr Jun 12 13:20:51 CEST 2020
> | ;; MSG SIZE rcvd: 1064
>
> The matching unbound.log at that time:
>
> |Jun 12 13:20:51 unbound[909:0] query: 1.1.1.1 small._testentry.breakpoint.cc. TXT IN
> |Jun 12 13:20:51 unbound[909:0] info: subnet operate: query small._testentry.breakpoint.cc. TXT IN
> |Jun 12 13:20:51 unbound[909:0] info: validator operate: query small._testentry.breakpoint.cc. TXT IN
> |Jun 12 13:20:51 unbound[909:0] info: resolving small._testentry.breakpoint.cc. TXT IN
> |Jun 12 13:20:51 unbound[909:0] info: DelegationPoint<breakpoint.cc.>: 5 names (1 missing), 9 addrs (0 result, 9 avail) cacheNS
> |Jun 12 13:20:51 unbound[909:0] info: ns.domrobot.biz. * A AAAA
> |Jun 12 13:20:51 unbound[909:0] info: ns.domrobot.info. * A AAAA
> |Jun 12 13:20:51 unbound[909:0] info: ns.domrobot.org. A
> |Jun 12 13:20:51 unbound[909:0] info: ns.domrobot.net. * A AAAA
> |Jun 12 13:20:51 unbound[909:0] info: ns.domrobot.com. * A AAAA
> |Jun 12 13:20:51 unbound[909:0] info: resolving (init part 2): small._testentry.breakpoint.cc. TXT IN
> |Jun 12 13:20:51 unbound[909:0] info: resolving (init part 3): small._testentry.breakpoint.cc. TXT IN
> |Jun 12 13:20:51 unbound[909:0] info: processQueryTargets: small._testentry.breakpoint.cc. TXT IN
> |Jun 12 13:20:51 unbound[909:0] info: DelegationPoint<breakpoint.cc.>: 5 names (1 missing), 9 addrs (0 result, 9 avail) cacheNS
> |Jun 12 13:20:51 unbound[909:0] info: ns.domrobot.biz. * A AAAA
> |Jun 12 13:20:51 unbound[909:0] info: ns.domrobot.info. * A AAAA
> |Jun 12 13:20:51 unbound[909:0] info: ns.domrobot.org. A
> |Jun 12 13:20:51 unbound[909:0] info: ns.domrobot.net. * A AAAA
> |Jun 12 13:20:51 unbound[909:0] info: ns.domrobot.com. * A AAAA
> |Jun 12 13:20:51 unbound[909:0] info: new target ns.domrobot.org. AAAA IN
> |Jun 12 13:20:51 unbound[909:0] info: sending query: _testentry.breakpoint.cc. A IN
> |Jun 12 13:20:51 unbound[909:0] info: iterator operate: query ns.domrobot.org. AAAA IN
> |Jun 12 13:20:51 unbound[909:0] info: resolving ns.domrobot.org. AAAA IN
> |Jun 12 13:20:51 unbound[909:0] info: msg from cache lookup ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 0
> |;; flags: qr ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
> |;; QUESTION SECTION:
> |ns.domrobot.org. IN AAAA
> |
> |;; ANSWER SECTION:
> |
> |;; AUTHORITY SECTION:
> |domrobot.org. 3408 IN SOA ns.domrobot.com. hostmaster.inwx.de. 2020042700 10800 3600 604800 3600
> |
> |;; ADDITIONAL SECTION:
> |;; MSG SIZE rcvd: 102
> |
> |Jun 12 13:20:51 unbound[909:0] info: finishing processing for ns.domrobot.org. AAAA IN
> |Jun 12 13:20:51 unbound[909:0] info: validator operate: query ns.domrobot.org. AAAA IN
> |Jun 12 13:20:51 unbound[909:0] info: subnet operate: query ns.domrobot.org. AAAA IN
> |Jun 12 13:20:51 unbound[909:0] info: processTargetResponse ns.domrobot.org. AAAA IN
> |Jun 12 13:20:51 unbound[909:0] info: processTargetResponse super small._testentry.breakpoint.cc. TXT IN
> |Jun 12 13:20:51 unbound[909:0] info: iterator operate: query small._testentry.breakpoint.cc. TXT IN
> |Jun 12 13:20:51 unbound[909:0] info: processQueryTargets: small._testentry.breakpoint.cc. TXT IN
> |Jun 12 13:20:51 unbound[909:0] info: DelegationPoint<breakpoint.cc.>: 5 names (0 missing), 9 addrs (9 result, 0 avail) cacheNS
> |Jun 12 13:20:51 unbound[909:0] info: ns.domrobot.biz. * A AAAA
> |Jun 12 13:20:51 unbound[909:0] info: ns.domrobot.info. * A AAAA
> |Jun 12 13:20:51 unbound[909:0] info: ns.domrobot.org. * A AAAA
> |Jun 12 13:20:51 unbound[909:0] info: ns.domrobot.net. * A AAAA
> |Jun 12 13:20:51 unbound[909:0] info: ns.domrobot.com. * A AAAA
> |Jun 12 13:20:51 unbound[909:0] info: mesh_run: end 1 recursion states (1 with reply, 0 detached), 1 waiting replies, 2155 recursion replies sent, 0 replies dropped, 0 states jostled out
> |Jun 12 13:20:51 unbound[909:0] info: average recursion processing time 0.146111 sec
> |Jun 12 13:20:51 unbound[909:0] info: 0RDd mod2 rep small._testentry.breakpoint.cc. TXT IN
> |Jun 12 13:20:51 unbound[909:0] info: iterator operate: query small._testentry.breakpoint.cc. TXT IN
> |Jun 12 13:20:51 unbound[909:0] info: scrub for breakpoint.cc. NS IN
> |Jun 12 13:20:51 unbound[909:0] info: response for small._testentry.breakpoint.cc. TXT IN
> |Jun 12 13:20:51 unbound[909:0] info: reply from <breakpoint.cc.> 46.165.212.97#53
> |Jun 12 13:20:51 unbound[909:0] info: incoming scrubbed packet: ;; ->>HEADER<<- opcode: QUERY, rcode: NXDOMAIN, id: 0
> |;; flags: qr aa ; QUERY: 1, ANSWER: 0, AUTHORITY: 8, ADDITIONAL: 0
> |;; QUESTION SECTION:
> |_testentry.breakpoint.cc. IN A
> |
> |;; ANSWER SECTION:
> |
> |;; AUTHORITY SECTION:
> |breakpoint.cc. 3600 IN SOA ns.domrobot.com. hostmaster.inwx.de. 2020061002 10800 3600 604800 3600
> |breakpoint.cc. 3600 IN RRSIG SOA 8 2 86400 20200625000000 20200604000000 17836 breakpoint.cc. iTHewyyuXaKwOrvsCg9u0NpdB3VuwzxZxPsK/QumBLRYVkKLGmoaC4ZJ9f+QUnHkWD9XxPpe4KMHcQJLFjJq7ps9wVYimHk+1a9jlX253OrOpQcDbUWU0eP0URr3vabert76Z/qAWD/k/BMky0b49RIrvtR1y7w8tacGs4UyM6g= ;{id = 17836}
> |qbhcs6199or0dl4i4bar1i7n3cc1vqpn.breakpoint.cc. 3600 IN NSEC3 1 0 1 AB s83q2ovgp0e7fhqjnv7j5v5lb6cspefn A NS SOA MX TXT AAAA SSHFP RRSIG DNSKEY NSEC3PARAM CAA
> |qbhcs6199or0dl4i4bar1i7n3cc1vqpn.breakpoint.cc. 3600 IN RRSIG NSEC3 8 3 3600 20200625000000 20200604000000 17836 breakpoint.cc. G24QTyKjAy5gL01kF5PEEm42BazFCb+a13hWnUxwwUpIjxTXay7sY5DsyIeKrPTJoP653S1T3yDPf8pwdS+ed5somE/aH1bk5bkaTQhQfKCEuQeDcq4lAsjb7YSTYtkQn2BDW2GxlX5D2GE35BpnaFnN89z854ah+nFKNBQjWC0= ;{id = 17836}
> |dn0b8grfgs3s9r91kclagbqcjsu75kf2.breakpoint.cc. 3600 IN NSEC3 1 0 1 AB f6gshj9k6r5d0app3v0qd425loq2ol3t CNAME RRSIG
> |dn0b8grfgs3s9r91kclagbqcjsu75kf2.breakpoint.cc. 3600 IN RRSIG NSEC3 8 3 3600 20200625000000 20200604000000 17836 breakpoint.cc. KKuqLp6vlq3KGp8pffg+MfTYIJb0KtoGLQYqNn/iPw8IfiZRHEwohaAus1RDenaCFE/0Y4rjljBq0G1Gg2AF1F0foQTyTmnp6O3Aq+7Wd/HR/+lcAbPgXrNOIWc7PxztssBxbH5KNtLOkuy4UpRhABJ6O66rSZMdNJHNq4/XLgA= ;{id = 17836}
> |s83q2ovgp0e7fhqjnv7j5v5lb6cspefn.breakpoint.cc. 3600 IN NSEC3 1 0 1 AB tcbnvrbs8ukg82hkm6dic67r68oev8h6 MX TXT RRSIG
> |s83q2ovgp0e7fhqjnv7j5v5lb6cspefn.breakpoint.cc. 3600 IN RRSIG NSEC3 8 3 3600 20200625000000 20200604000000 17836 breakpoint.cc. QhYmntdlFwOOLwxHeentJTGgbFIE+AVeiEuyak2G7W9bSwCm5S2IoAYRid9gdFry914xxbgZ1USpInclp/0Di+ZBb9YBID5XUIbTz41AnlVGtuTVsd1J9m8URjGmlgTVElSs7PskcMBAvtri+OAIlHRDQbo/2HTJ3pH3nadujgw= ;{id = 17836}
> |
> |;; ADDITIONAL SECTION:
> |;; MSG SIZE rcvd: 1047
> |
> |Jun 12 13:20:51 unbound[909:0] info: query response was NXDOMAIN ANSWER
> |Jun 12 13:20:51 unbound[909:0] info: finishing processing for small._testentry.breakpoint.cc. TXT IN
> |Jun 12 13:20:51 unbound[909:0] info: validator operate: query small._testentry.breakpoint.cc. TXT IN
> |Jun 12 13:20:51 unbound[909:0] info: signer is breakpoint.cc. TYPE0 CLASS0
> |Jun 12 13:20:51 unbound[909:0] info: validator: FindKey small._testentry.breakpoint.cc. TXT IN
> |Jun 12 13:20:51 unbound[909:0] info: current keyname cc. DNSKEY IN
> |Jun 12 13:20:51 unbound[909:0] info: target keyname breakpoint.cc. DNSKEY IN
> |Jun 12 13:20:51 unbound[909:0] info: next keyname breakpoint.cc. DNSKEY IN
> |Jun 12 13:20:51 unbound[909:0] info: verify rrset cached breakpoint.cc. DS IN
> |Jun 12 13:20:51 unbound[909:0] info: validated DS breakpoint.cc. DS IN
> |Jun 12 13:20:51 unbound[909:0] info: validator: FindKey small._testentry.breakpoint.cc. TXT IN
> |Jun 12 13:20:51 unbound[909:0] info: current keyname cc. DNSKEY IN
> |Jun 12 13:20:51 unbound[909:0] info: target keyname breakpoint.cc. DNSKEY IN
> |Jun 12 13:20:51 unbound[909:0] info: next keyname breakpoint.cc. DNSKEY IN
> |Jun 12 13:20:51 unbound[909:0] info: DS RRset breakpoint.cc. DS IN
> |Jun 12 13:20:51 unbound[909:0] info: generate request breakpoint.cc. DNSKEY IN
> |Jun 12 13:20:51 unbound[909:0] info: subnet operate: query breakpoint.cc. DNSKEY IN
> |Jun 12 13:20:51 unbound[909:0] info: validator operate: query breakpoint.cc. DNSKEY IN
> |Jun 12 13:20:51 unbound[909:0] info: resolving breakpoint.cc. DNSKEY IN
> |Jun 12 13:20:51 unbound[909:0] info: DelegationPoint<breakpoint.cc.>: 5 names (1 missing), 9 addrs (0 result, 9 avail) cacheNS
> |Jun 12 13:20:51 unbound[909:0] info: ns.domrobot.biz. * A AAAA
> |Jun 12 13:20:51 unbound[909:0] info: ns.domrobot.info. * A AAAA
> |Jun 12 13:20:51 unbound[909:0] info: ns.domrobot.org. A
> |Jun 12 13:20:51 unbound[909:0] info: ns.domrobot.net. * A AAAA
> |Jun 12 13:20:51 unbound[909:0] info: ns.domrobot.com. * A AAAA
> |Jun 12 13:20:51 unbound[909:0] info: resolving (init part 2): breakpoint.cc. DNSKEY IN
> |Jun 12 13:20:51 unbound[909:0] info: resolving (init part 3): breakpoint.cc. DNSKEY IN
> |Jun 12 13:20:51 unbound[909:0] info: processQueryTargets: breakpoint.cc. DNSKEY IN
> |Jun 12 13:20:51 unbound[909:0] info: DelegationPoint<breakpoint.cc.>: 5 names (1 missing), 9 addrs (0 result, 9 avail) cacheNS
> |Jun 12 13:20:51 unbound[909:0] info: ns.domrobot.biz. * A AAAA
> |Jun 12 13:20:51 unbound[909:0] info: ns.domrobot.info. * A AAAA
> |Jun 12 13:20:51 unbound[909:0] info: ns.domrobot.org. A
> |Jun 12 13:20:51 unbound[909:0] info: ns.domrobot.net. * A AAAA
> |Jun 12 13:20:51 unbound[909:0] info: ns.domrobot.com. * A AAAA
> |Jun 12 13:20:51 unbound[909:0] info: new target ns.domrobot.org. AAAA IN
> |Jun 12 13:20:51 unbound[909:0] info: sending query: breakpoint.cc. DNSKEY IN
> |Jun 12 13:20:51 unbound[909:0] info: iterator operate: query ns.domrobot.org. AAAA IN
> |Jun 12 13:20:51 unbound[909:0] info: resolving ns.domrobot.org. AAAA IN
> |Jun 12 13:20:51 unbound[909:0] info: msg from cache lookup ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 0
> |;; flags: qr ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
> |;; QUESTION SECTION:
> |ns.domrobot.org. IN AAAA
> |
> |;; ANSWER SECTION:
> |
> |;; AUTHORITY SECTION:
> |domrobot.org. 3408 IN SOA ns.domrobot.com. hostmaster.inwx.de. 2020042700 10800 3600 604800 3600
> |
> |;; ADDITIONAL SECTION:
> |;; MSG SIZE rcvd: 102
> |
> |Jun 12 13:20:51 unbound[909:0] info: finishing processing for ns.domrobot.org. AAAA IN
> |Jun 12 13:20:51 unbound[909:0] info: validator operate: query ns.domrobot.org. AAAA IN
> |Jun 12 13:20:51 unbound[909:0] info: subnet operate: query ns.domrobot.org. AAAA IN
> |Jun 12 13:20:51 unbound[909:0] info: processTargetResponse ns.domrobot.org. AAAA IN
> |Jun 12 13:20:51 unbound[909:0] info: processTargetResponse super breakpoint.cc. DNSKEY IN
> |Jun 12 13:20:51 unbound[909:0] info: iterator operate: query breakpoint.cc. DNSKEY IN
> |Jun 12 13:20:51 unbound[909:0] info: processQueryTargets: breakpoint.cc. DNSKEY IN
> |Jun 12 13:20:51 unbound[909:0] info: DelegationPoint<breakpoint.cc.>: 5 names (0 missing), 9 addrs (9 result, 0 avail) cacheNS
> |Jun 12 13:20:51 unbound[909:0] info: ns.domrobot.biz. * A AAAA
> |Jun 12 13:20:51 unbound[909:0] info: ns.domrobot.info. * A AAAA
> |Jun 12 13:20:51 unbound[909:0] info: ns.domrobot.org. * A AAAA
> |Jun 12 13:20:51 unbound[909:0] info: ns.domrobot.net. * A AAAA
> |Jun 12 13:20:51 unbound[909:0] info: ns.domrobot.com. * A AAAA
> |Jun 12 13:20:51 unbound[909:0] info: mesh_run: end 2 recursion states (1 with reply, 0 detached), 1 waiting replies, 2155 recursion replies sent, 0 replies dropped, 0 states jostled out
> |Jun 12 13:20:51 unbound[909:0] info: average recursion processing time 0.146111 sec
> |Jun 12 13:20:51 unbound[909:0] info: 0vRDCD mod2 breakpoint.cc. DNSKEY IN
> |Jun 12 13:20:51 unbound[909:0] info: 1RDdc mod1 rep small._testentry.breakpoint.cc. TXT IN
> |Jun 12 13:20:51 unbound[909:0] info: iterator operate: query breakpoint.cc. DNSKEY IN
> |Jun 12 13:20:51 unbound[909:0] info: scrub for breakpoint.cc. NS IN
> |Jun 12 13:20:51 unbound[909:0] info: response for breakpoint.cc. DNSKEY IN
> |Jun 12 13:20:51 unbound[909:0] info: reply from <breakpoint.cc.> 176.97.158.104#53
> |Jun 12 13:20:51 unbound[909:0] info: incoming scrubbed packet: ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 0
> |;; flags: qr aa ; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0
> |;; QUESTION SECTION:
> |breakpoint.cc. IN DNSKEY
> |
> |;; ANSWER SECTION:
> |breakpoint.cc. 3600 IN DNSKEY 256 3 8 AwEAAaN8AgmIx2O3OkzW0YkqVSxC5nN/GafK40hkKb3JbYkpy7hPU1odw5Qcta6BZiuC1uUUOsDjMq8sbc+jt7iIBiwsCYqmM9biK0RGtYO3QT6G34SMpLhiqZpk2YsN7XThjVr8gm+Cz44Prp/rG8sR5EaKajsElzKh4HKgl3b3L22b ;{id = 17836 (zsk), size = 1024b}
> |breakpoint.cc. 3600 IN DNSKEY 257 3 8 AwEAAcXGzJMyf+B0H1flxTBJjyNou1EvXED6l7yGzHXlfbIh7mmnKco+yU6W0NFLQtcjotck+Uy7+jqb0PP3oiYT0JzGyaGNLSwZsu5Sgc7LG87c4V6zzuAkk+cm71zbEX5w3+XZANi9T6bzJVv2tpAg2VIjr50DCUzNJ3fE1csF7CeLOY1GCCBJF6FejKbzKFX4M4jApmNbPl3dZUs0SmBNiJxbGiKRn9drhpXDSVwhjrl20m6oh+lqz6kdQTHZ2wtS98FkyXcqMcklAaIMwFFPvb8ETPqDje7Hu5dNbWMegdfMYzfqv+bOlwBVLHrKy1LdbHma47K/O7axsnNzNOwJB8c= ;{id = 9361 (ksk), size = 2048b}
> |breakpoint.cc. 3600 IN RRSIG DNSKEY 8 2 3600 20200625000000 20200604000000 9361 breakpoint.cc. Dg5k0nHbX+7+hwbNdCJQgeWkEVLpNw0rX3tIn8uAnosJYISpxIkuQUC5HhDL0BIzcBWK/N329lHvJfvQs0g46ZMXYmu+GORx/lPj9+7byFcKz/bfxZoFf63SfVGXvXzC6nMmpcjp4ornqcPwAls6+zNdNmjBvo5kqC3D+yu7H22AcrlJdquEk5PMOBqhwHbP6rkFEPUbszw4mGWCedzUGbROn10mZSnWTBk3nOPrDCplV8s+dfLd4EWobuewMFD0BT/mZJb1+Kh9AQIenSXhvzYrzTHV+CWJMKemXs8j0+MbkmFLC29gFAHTAJ14I0uo+ABPptstcmpHxSMD46sA7w== ;{id = 9361}
> |
> |;; AUTHORITY SECTION:
> |
> |;; ADDITIONAL SECTION:
> |;; MSG SIZE rcvd: 756
> |
> |Jun 12 13:20:51 unbound[909:0] info: query response was ANSWER
> |Jun 12 13:20:51 unbound[909:0] info: finishing processing for breakpoint.cc. DNSKEY IN
> |Jun 12 13:20:51 unbound[909:0] info: validator operate: query breakpoint.cc. DNSKEY IN
> |Jun 12 13:20:51 unbound[909:0] info: subnet operate: query breakpoint.cc. DNSKEY IN
> |Jun 12 13:20:51 unbound[909:0] info: validator: inform_super, sub is breakpoint.cc. DNSKEY IN
> |Jun 12 13:20:51 unbound[909:0] info: super is small._testentry.breakpoint.cc. TXT IN
> |Jun 12 13:20:51 unbound[909:0] info: validated DNSKEY breakpoint.cc. DNSKEY IN
> |Jun 12 13:20:51 unbound[909:0] info: validator operate: query small._testentry.breakpoint.cc. TXT IN
> |Jun 12 13:20:51 unbound[909:0] info: validator: FindKey small._testentry.breakpoint.cc. TXT IN
> |Jun 12 13:20:51 unbound[909:0] info: verify rrset breakpoint.cc. SOA IN
> |Jun 12 13:20:51 unbound[909:0] info: verify rrset cached qbhcs6199or0dl4i4bar1i7n3cc1vqpn.breakpoint.cc. NSEC3 IN
> |Jun 12 13:20:51 unbound[909:0] info: verify rrset dn0b8grfgs3s9r91kclagbqcjsu75kf2.breakpoint.cc. NSEC3 IN
> |Jun 12 13:20:51 unbound[909:0] info: verify rrset cached s83q2ovgp0e7fhqjnv7j5v5lb6cspefn.breakpoint.cc. NSEC3 IN
> |Jun 12 13:20:51 unbound[909:0] info: start nsec3 nameerror proof, zone breakpoint.cc. TYPE0 CLASS0
> |Jun 12 13:20:51 unbound[909:0] info: ce candidate breakpoint.cc. TYPE0 CLASS0
> |Jun 12 13:20:51 unbound[909:0] info: nsec3 nameerror: proven ce= breakpoint.cc. TYPE0 CLASS0
> |Jun 12 13:20:51 unbound[909:0] info: validate(nxdomain): sec_status_secure
> |Jun 12 13:20:51 unbound[909:0] info: validation success small._testentry.breakpoint.cc. TXT IN
> |Jun 12 13:20:51 unbound[909:0] info: subnet operate: query small._testentry.breakpoint.cc. TXT IN
> |Jun 12 13:20:51 unbound[909:0] reply: 1.1.1.1 small._testentry.breakpoint.cc. TXT IN NXDOMAIN 0.056360 0 1064
>
> Could this have something todo with "qname-minimisation: yes" ?
>
> Sebastian
>
More information about the Unbound-users
mailing list