DNSSEC validation in CentOS Stream 9

Josef Vybíhal josef.vybihal at gmail.com
Thu Sep 8 06:42:42 UTC 2022


Hello everyone,
maybe this will be obvious to some, but I have been scratching my head
about this since yesterday.

In CentOS Stream 9, with unbound installed from AppStream, I see that
unbound returns insecure replies to clients, which is not what I want,
nor what I am used to. I think this might be a packaging bug,
compile option or config setting, but I cannot figure out which and
where. I am testing with the untouched rpm package config.


CentOS Stream 9 example:
[root at 18 ~]# dig sigfail.verteiltesysteme.net @127.1 +short
134.91.78.139
[root at 18 ~]# unbound-host -C /etc/unbound/unbound.conf -v
sigfail.verteiltesysteme.net
Sep 08 08:36:33 libunbound[9948:0] notice: init module 0: ipsecmod
Sep 08 08:36:33 libunbound[9948:0] notice: init module 1: validator
Sep 08 08:36:33 libunbound[9948:0] notice: init module 2: iterator
sigfail.verteiltesysteme.net has address 134.91.78.139 (insecure)
sigfail.verteiltesysteme.net has IPv6 address 2001:638:501:8efc::139 (insecure)
sigfail.verteiltesysteme.net has no mail handler record (insecure)
[root at 18 ~]# unbound-host -C /etc/unbound/unbound.conf -v
sigok.verteiltesysteme.net
Sep 08 08:36:37 libunbound[9951:0] notice: init module 0: ipsecmod
Sep 08 08:36:37 libunbound[9951:0] notice: init module 1: validator
Sep 08 08:36:37 libunbound[9951:0] notice: init module 2: iterator
sigok.verteiltesysteme.net has address 134.91.78.139 (insecure)
sigok.verteiltesysteme.net has IPv6 address 2001:638:501:8efc::139 (insecure)
sigok.verteiltesysteme.net has no mail handler record (insecure)
[root at 18 ~]# unbound -V
Version 1.16.2

Configure line: --build=x86_64-redhat-linux-gnu
--host=x86_64-redhat-linux-gnu --program-prefix=
--disable-dependency-tracking --prefix=/usr --exec-prefix=/usr
--bindir=/usr/bin --sbindir=/usr/sbin --sysconfdir=/etc
--datadir=/usr/share --includedir=/usr/include --libdir=/usr/lib64
--libexecdir=/usr/libexec --localstatedir=/var
--sharedstatedir=/var/lib --mandir=/usr/share/man
--infodir=/usr/share/info --with-pythonmodule --with-pyunbound
PYTHON=/usr/bin/python3 --enable-dnstap --with-libnghttp2
--with-libevent --with-pthreads --with-ssl --disable-rpath
--disable-static --enable-relro-now --enable-pie --enable-subnet
--enable-ipsecmod --with-conf-file=/etc/unbound/unbound.conf
--with-pidfile=/run/unbound/unbound.pid --enable-sha2 --disable-gost
--enable-ecdsa --with-rootkey-file=/var/lib/unbound/root.key
--enable-linux-ip-local-port-range --disable-sha1
Linked libs: libevent 2.1.12-stable (it uses epoll), OpenSSL 3.0.1 14 Dec 2021
Linked modules: dns64 python ipsecmod subnetcache respip validator iterator

BSD licensed, see LICENSE in source package for details.
Report bugs to unbound-bugs at nlnetlabs.nl or
https://github.com/NLnetLabs/unbound/issues
[root at 18 ~]# cat /etc/os-release
NAME="CentOS Stream"
VERSION="9"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="9"
PLATFORM_ID="platform:el9"
PRETTY_NAME="CentOS Stream 9"
ANSI_COLOR="0;31"
LOGO="fedora-logo-icon"
CPE_NAME="cpe:/o:centos:centos:9"
HOME_URL="https://centos.org/"
BUG_REPORT_URL="https://bugzilla.redhat.com/"
REDHAT_SUPPORT_PRODUCT="Red Hat Enterprise Linux 9"
REDHAT_SUPPORT_PRODUCT_VERSION="CentOS Stream"

[root at 18 ~]# dig www.dnssec-failed.org @127.1 +short
69.252.193.191
68.87.109.242

[root at 18 ~]# cat /var/lib/unbound/root.key
; autotrust trust anchor file
;;id: . 1
;;last_queried: 1662618997 ;;Thu Sep  8 08:36:37 2022
;;last_success: 1662618997 ;;Thu Sep  8 08:36:37 2022
;;next_probe_time: 1662660868 ;;Thu Sep  8 20:14:28 2022
;;query_failed: 0
;;query_interval: 43200
;;retry_time: 8640
. 172800 IN DNSKEY 257 3 8
AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU=
;{id = 20326 (ksk), size = 2048b} ;;state=2 [  VALID  ] ;;count=0
;;lastchange=1662618437 ;;Thu Sep  8 08:27:17 2022




-----------

CentOS Stream 8 for comparison:
webserver ~ # dig sigfail.verteiltesysteme.net @127.1

; <<>> DiG 9.11.36-RedHat-9.11.36-4.el8 <<>> sigfail.verteiltesysteme.net @127.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 23912
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;sigfail.verteiltesysteme.net. IN A

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Sep 08 08:39:32 CEST 2022
;; MSG SIZE  rcvd: 57

webserver ~ # unbound-host -C /etc/unbound/unbound.conf -v
sigfail.verteiltesysteme.net
Sep 08 08:39:43 libunbound[183908:0] notice: init module 0: ipsecmod
Sep 08 08:39:43 libunbound[183908:0] notice: init module 1: validator
Sep 08 08:39:43 libunbound[183908:0] notice: init module 2: iterator
sigfail.verteiltesysteme.net has address 134.91.78.139 (BOGUS
(security failure))
validation failure <sigfail.verteiltesysteme.net. A IN>: misc failure
sigfail.verteiltesysteme.net has IPv6 address 2001:638:501:8efc::139
(BOGUS (security failure))
validation failure <sigfail.verteiltesysteme.net. AAAA IN>: misc failure
sigfail.verteiltesysteme.net has no mail handler record (secure)
webserver ~ # unbound-host -C /etc/unbound/unbound.conf -v
sigok.verteiltesysteme.net
Sep 08 08:39:50 libunbound[183911:0] notice: init module 0: ipsecmod
Sep 08 08:39:50 libunbound[183911:0] notice: init module 1: validator
Sep 08 08:39:50 libunbound[183911:0] notice: init module 2: iterator
sigok.verteiltesysteme.net has address 134.91.78.139 (secure)
sigok.verteiltesysteme.net has IPv6 address 2001:638:501:8efc::139 (secure)
sigok.verteiltesysteme.net has no mail handler record (secure)
webserver ~ # unbound -V
Version 1.16.2

Configure line: --build=x86_64-redhat-linux-gnu
--host=x86_64-redhat-linux-gnu --program-prefix=
--disable-dependency-tracking --prefix=/usr --exec-prefix=/usr
--bindir=/usr/bin --sbindir=/usr/sbin --sysconfdir=/etc
--datadir=/usr/share --includedir=/usr/include --libdir=/usr/lib64
--libexecdir=/usr/libexec --localstatedir=/var
--sharedstatedir=/var/lib --mandir=/usr/share/man
--infodir=/usr/share/info --with-pythonmodule --with-pyunbound
PYTHON=/usr/libexec/platform-python --with-libevent --with-pthreads
--with-ssl --disable-rpath --disable-static --enable-relro-now
--enable-pie --enable-subnet --enable-ipsecmod
--with-conf-file=/etc/unbound/unbound.conf
--with-pidfile=/var/run/unbound/unbound.pid --enable-sha2
--disable-gost --enable-ecdsa
--with-rootkey-file=/var/lib/unbound/root.key
--enable-linux-ip-local-port-range
Linked libs: libevent 2.1.8-stable (it uses epoll), OpenSSL 1.1.1k
FIPS 25 Mar 2021
Linked modules: dns64 python ipsecmod subnetcache respip validator iterator

BSD licensed, see LICENSE in source package for details.
Report bugs to unbound-bugs at nlnetlabs.nl or
https://github.com/NLnetLabs/unbound/issues
webserver ~ # dig www.dnssec-failed.org @127.1

; <<>> DiG 9.11.36-RedHat-9.11.36-4.el8 <<>> www.dnssec-failed.org @127.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 30826
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;www.dnssec-failed.org. IN A

;; Query time: 975 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Sep 08 08:40:04 CEST 2022
;; MSG SIZE  rcvd: 50

