Unbound (sometimes) fails to resolve expired entries
Sebastian Andrzej Siewior
unbound-usersss at ml.breakpoint.cc
Fri Jun 12 13:53:31 UTC 2020
On 2020-06-12 14:58:52 [+0200], Wouter Wijngaards via Unbound-users wrote:
> Hi Sebastian,
Hi Wouter,
> On 12/06/2020 14:41, Sebastian Andrzej Siewior via Unbound-users wrote:
> > I'm running here unbound 1.9.0-2+deb10u2 (1.9.0 + 3 fixes on top).
>
> Unbound can prove, at the last piece of your log, with DNSSEC, that
> _testentry does not exist. With an NXDOMAIN proof. And because of
> that, that means there are no names underneath it, hence it takes that
> as the answer.
>
> The config qname-minimisation and harden-below-nxdomain influence
> unbound for it. You turn them off and unbound is less likely to fall
> into this behaviour. But they are much better turned on, because they
> provide nxdomain protection for unused root domains, and qname
> minimisation is one of the few working privacy techniques.
>
> Also there is an NXDOMAIN is really NXDOMAIN RFC standard out there,
> that says this is how it should work.
Okay.
> What is broken is that you forgot to resign the zone after adding your
> test record, hence the NSEC3 denial records prove it does not exist. If
> unbound gets these records first, and is configured to do so, it infers
> that your sample TXT record does not exist. If it sees the straight-up
> TXT record first, it looks like it exists, and this persists in the
> cache for some time.
>
> This happens because the zone is weird; e.g. sign it again, or make an
> unsigned delegation into the _testentry subzone. By making an unsigned
> delegation, with nameserver NS entries, and then resigning.
>
> Another quick workaround, if you really need it, is to add the TXT record
> as a local-data statement into the unbound config. Unbound can parse the
> same zone format as zonefiles have and then serves the local data before
> it examines if it could be gotten in some other way.
I don't operate the DNS server, so I will complain to the operator then.
I was going to set up domainkey support and noticed that it sometimes
fails to verify, and then I noticed that the DNS record is missing.
Then I noticed this only on my unbound nodes after setting up Test.
Thank you for the verbose explanation, Wouter.
> Best regards, Wouter
Sebastian
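An unbound.conf fragment showing the local-data workaround Wouter describes, while keeping the two hardening options enabled. This is an added example, not configuration from the thread; the zone name example.com, the TTL and the record values are constructed placeholders.

```conf
server:
    # Keep both options on: turning them off only makes the symptom less
    # likely and loses the NXDOMAIN protection and query privacy they give.
    qname-minimisation: yes
    harden-below-nxdomain: yes

    # Workaround: serve the record from local data so unbound answers it
    # before consulting the cache or the inconsistently signed zone.
    # A transparent local-zone answers only the names listed here and
    # still resolves every other name under it normally.
    # (Names, TTL and values below are constructed placeholders.)
    local-zone: "_testentry.example.com." transparent

    # Zone-file syntax; single quotes around the statement so the TXT
    # data can keep its own double quotes.
    local-data: '_testentry.example.com. 3600 IN TXT "constructed-test-value"'

    # The same form serves a DKIM key while the operator fixes the zone.
    # Replace selector and the p= value with the real ones.
    local-zone: "selector._domainkey.example.com." transparent
    local-data: 'selector._domainkey.example.com. 3600 IN TXT "v=DKIM1; k=rsa; p=PLACEHOLDER"'
```

Local data is answered without DNSSEC signatures, so a validating client behind this resolver sees the record as insecure rather than secure; run `unbound-checkconf` before `unbound-control reload` to catch quoting mistakes.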