DLV anchor and unsigned domains

Hello,

I've tried using unbound with the automatic root trust anchor and it works
as expected, that is, it resolves unsigned domains instead of SERVFAILing them.

When I add a DLV trust anchor, the validator seems to mark even unsigned domains
as bogus. Is this intended?

Cheers,

Alan

Hi Alan,

Hi Wouter,

DLV validation is working for the domain with the DLV record in my DLV zone, but
everything unsigned is automatically bogus. I have the same DLV configured in the bind
resolver and it works fine there: the root anchor is checked first, then DLV, and if
neither contains a DS/DLV for the domain then the domain is unsigned and the answer is
returned to the client.

Querying a signed domain with the DLV anchor:

$ dig sec.tst.hr @193.198.241.11 # bind resolver
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2537
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

$ dig sec.tst.hr @193.198.241.48 # unbound resolver
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38124
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

Querying a signed domain with the root anchor:

$ dig nlnetlabs.nl @193.198.241.11 # bind resolver
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43298
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 3

$ dig nlnetlabs.nl @193.198.241.48 # unbound resolver
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30066
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 4

The issue comes up when I query an unsigned domain:

$ dig carnet.hr @193.198.241.11 # bind resolver
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26035
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 9

$ dig carnet.hr @193.198.241.48 # unbound resolver
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 36322
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

Hope that helps :)

Alan

Hi Alan,

Can you provide detailed logs about what happens when you query
carnet.hr and get SERVFAIL? Like, with verbosity 4, val-log-level: 2.
That should also print out a reason for the servfail in the logs. If
it works for bind, then the bug must be in unbound.

Best regards,
   Wouter
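
For anyone reproducing this, the unbound.conf fragment below turns on the logging Wouter asks for next to the two anchors the thread discusses. It is an added example, not a configuration from the thread or from the Unbound project; the file paths and the DLV zone name are placeholders.

```conf
server:
    # Root trust anchor maintained by unbound itself (RFC 5011), as in the original post.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

    # Trust anchor for a private DLV repository (placeholder path). The file holds the
    # DS or DNSKEY of the DLV zone apex; its owner name tells unbound which zone to
    # query for <domain>.<dlv-zone> when no DS is found under the root anchor.
    dlv-anchor-file: "/var/lib/unbound/dlv.example.key"

    # Diagnostics requested in the thread: full query trace plus the validator's
    # reason for each bogus verdict. Drop both back to their defaults afterwards;
    # verbosity 4 is very noisy on a busy resolver.
    verbosity: 4
    val-log-level: 2
    use-syslog: no
    logfile: "/var/log/unbound.log"
```

With `val-log-level: 2` the SERVFAIL for the unsigned domain is logged with the failing name, the reason and the server that returned the data, which is exactly the part Wouter later notes was missing from the pastebin log. Note that the ISC DLV registry was decommissioned in 2017 and recent unbound releases no longer accept the `dlv-*` options, so this fragment only applies to the unbound versions of the thread's era.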

Wouter,

Complete log for the unsigned domain query can be found here: http://pastebin.com/CBSM4pEz

It looks like unbound behaves differently for the DLV trust anchor. It expects DNSSEC, and when
it receives NXDOMAIN for the DLV query the result is an error and SERVFAIL to the user.

Cheers,

Alan

Hi Alan,

Your log stops just when it gets interesting - what it does with the
NSEC3 response to a DLV lookup for your DLV repository. But anyway, I
can see why it fails. Unbound only supports DLV with NSEC, so that it
can do aggressive negative caching with that. It has not implemented
the mandatory aggressive negative DLV caching for NSEC3. You should
change your private DLV repository and sign it with NSEC.

Best regards,
   Wouter
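
Before pointing unbound at a private DLV repository, it is worth confirming from the signed zone file which denial-of-existence scheme the signer produced. The script below is an added example, not code from the thread or from Unbound: it classifies a zone in presentation format (the output of dnssec-signzone, ldns-signzone or `dig AXFR`) as NSEC3, NSEC or unsigned. The three sample zones are constructed inline; their key data, digests and hashed owner names are placeholders, not real records.

```shell
#!/bin/sh
# Added example, not part of the thread: report whether a zone file does
# authenticated denial of existence with NSEC or NSEC3. Per Wouter's reply,
# unbound's DLV lookup only works against an NSEC-signed repository.

# zone_nsec_kind FILE -> prints NSEC3, NSEC or UNSIGNED.
# The RR type is the first field after the owner name that is neither a numeric
# TTL nor the class "IN"; scanning stops at the type, so type names that appear
# inside RDATA (e.g. the "NSEC" covered-type field of an RRSIG) are not counted.
# Any NSEC3 or NSEC3PARAM record wins over stray NSEC records.
zone_nsec_kind() {
    awk '
        /^[[:space:]]*$/   { next }              # blank line
        /^[[:space:]]*[;$]/ { next }             # comment or $ORIGIN/$TTL directive
        {
            start = ($0 ~ /^[[:space:]]/) ? 1 : 2  # owner name omitted on indented lines
            for (i = start; i <= NF; i++) {
                if ($i ~ /^[0-9]+$/ || $i == "IN") continue
                if ($i == "NSEC3" || $i == "NSEC3PARAM") n3 = 1
                else if ($i == "NSEC") n1 = 1
                break
            }
        }
        END { print (n3 ? "NSEC3" : (n1 ? "NSEC" : "UNSIGNED")) }
    ' "$1"
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
NSEC_ZONE=$WORK/dlv-nsec.zone
NSEC3_ZONE=$WORK/dlv-nsec3.zone
UNSIGNED_ZONE=$WORK/plain.zone

# Constructed sample: a DLV repository signed with NSEC (the layout unbound expects).
cat > "$NSEC_ZONE" <<'EOF'
$ORIGIN dlv.example.
$TTL 3600
@               IN SOA    ns1.dlv.example. hostmaster.dlv.example. 1 7200 3600 1209600 3600
@               IN NS     ns1.dlv.example.
@               IN DNSKEY 257 3 8 AwEAAePLACEHOLDERKEYDATA
@               IN NSEC   signed.example.dlv.example. NS SOA RRSIG NSEC DNSKEY
signed.example  IN DLV    12345 8 2 0000000000000000000000000000000000000000000000000000000000000000
signed.example  IN NSEC   dlv.example. DLV RRSIG NSEC
EOF

# Constructed sample: the same repository signed with NSEC3 (hashed owner names
# are placeholders). This is the layout Wouter says unbound's DLV code cannot use.
cat > "$NSEC3_ZONE" <<'EOF'
$ORIGIN dlv.example.
$TTL 3600
@               IN SOA    ns1.dlv.example. hostmaster.dlv.example. 2 7200 3600 1209600 3600
@               IN NS     ns1.dlv.example.
@               IN DNSKEY 257 3 8 AwEAAePLACEHOLDERKEYDATA
@               IN NSEC3PARAM 1 0 10 AABBCCDD
signed.example  IN DLV    12345 8 2 0000000000000000000000000000000000000000000000000000000000000000
0P9MHAVEQVM6T7VBL5LOP2U3T2RP3TOM IN NSEC3 1 0 10 AABBCCDD 2T7B4G4VSA5SMI47K61MV5BV1A22BOJR NS SOA RRSIG DNSKEY NSEC3PARAM
2T7B4G4VSA5SMI47K61MV5BV1A22BOJR IN NSEC3 1 0 10 AABBCCDD 0P9MHAVEQVM6T7VBL5LOP2U3T2RP3TOM DLV RRSIG
EOF

# Constructed sample: an unsigned zone, the carnet.hr situation from the thread.
cat > "$UNSIGNED_ZONE" <<'EOF'
$ORIGIN plain.example.
$TTL 3600
@     IN SOA ns1.plain.example. hostmaster.plain.example. 1 7200 3600 1209600 3600
@     IN NS  ns1.plain.example.
www   IN A   192.0.2.10
EOF

for z in "$NSEC_ZONE" "$NSEC3_ZONE" "$UNSIGNED_ZONE"; do
    printf '%s: %s\n' "$(basename "$z")" "$(zone_nsec_kind "$z")"
done
```

Run it against the DLV zone file your signer emits; an NSEC3 verdict means the repository has to be re-signed without NSEC3 (for dnssec-signzone that is simply omitting the `-3` option) before unbound will stop treating unsigned names as bogus.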

OK, I'm glad it's not a bug :)

Thanks for helping out.

Alan