DLV records for ORG have been inserted into dlv.isc.org

a message of 8 lines which said:

For those of you using DLV in your resolvers, ORG should have appeared a
few minutes ago.

It works with BIND+DLV:

% dig +dnssec SOA bondis.org
...
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 3
...

Not with Unbound+DLV:

% dig +dnssec SOA automagic.org
...
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 9192

(All the .ORG domains servfail.)

Log attached.

Restarting does not help.

Unbound 1.3.0 pristine, Debian/Linux, no forwarder, dlv.isc.org

(attachments)

unbound.log.gz (2.17 KB)

Hi Stephane,

For those of you using DLV in your resolvers, ORG should have appeared a
few minutes ago.

It works with BIND+DLV:

% dig +dnssec SOA bondis.org
...
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 3
...

Not with Unbound+DLV:

% dig +dnssec SOA automagic.org
...
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 9192

(All the .ORG domains servfail.)

Log attached.

Restarting does not help.

Unbound 1.3.0 pristine, Debian/Linux, no forwarder, dlv.isc.org

Automagic.org has 4 servers. The ns-ext.isc.org is glue, and then it has
three other nameservers. The isc.org server has expired DNSKEY
signatures. The other nameservers work.

(Jelte says after a quick look: the zone was most probably updated, but
they *de*creased the serial number, causing the pickup to go wrong).

Unbound, because it gets the glue for free, tries to get the data from
isc.org. This fails. It becomes servfail.

Now, with default settings, unbound fetches addresses for the other
servers into the cache and every minute tries a random one. So after
some time it can become valid if you keep trying.

Bind shows different behaviour - it tries all nameservers for the domain
until it gets valid DNSSEC from it. That is why you see no complaints
from BIND.

Because of the design of unbound it would be relatively tricky to scan
all nameservers for valid signatures.

Best regards,
   Wouter

a message of 61 lines which said:

Automagic.org has 4 servers.

As I wrote, every other domain in .ORG servfails.

% dig SOA pir.org
...
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 35791

% dig +dnssec +cd SOA pir.org
...
;; ANSWER SECTION:
pir.org. 292 IN SOA ns01.afilias.info. dns.afilias.info. 2009042300 7200 300 604800 300

Stephane Bortzmeyer wrote:

(All the .ORG domains servfail.)

Looks like broken slave setups to me.

Signatures at borg.c-l-i.net expired:

bondis.org. 300 IN RRSIG DNSKEY 5 2 300 20090704132711

ns.bondis.org has valid signatures:

bondis.org. 300 IN RRSIG DNSKEY 5 2 300 20090719115346 (

Same for automagic.org, the signatures at ns-ext.isc.org expired in March.

automagic.org. 86400 IN RRSIG DNSKEY 5 2 86400 20090329022858 (

Hauke.
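The per-server check Hauke describes, as an added example that is not code from the thread or from Unbound: parse the RRSIG lines that dig prints for each authoritative server of a zone and classify that server's DNSKEY signatures as valid, expired or not yet valid at a reference time. The dig output embedded below is constructed; its two expiration timestamps are the ones Hauke quoted for bondis.org, while the inception times, key tags and signature bytes are placeholders, and the reference time (10 July 2009) is an assumption chosen to fall between them. The `zone_verdict` summary encodes Wouter's observation: a zone whose servers disagree validates with a resolver that keeps trying other nameservers and SERVFAILs with one that sticks to the server it already has an address for.

```python
"""Classify a zone's DNSKEY RRSIGs per authoritative server (added example).

Input is the text dig prints for `dig +dnssec +norecurse DNSKEY <zone> @<server>`.
All sample data below is constructed; see comments for what is taken from the thread.
"""
from datetime import datetime, timezone


def parse_rrsig_time(s):
    """RRSIG times (RFC 4034 s3.2) are YYYYMMDDHHmmSS in UTC, or seconds since epoch."""
    if len(s) == 14 and s.isdigit():
        return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return datetime.fromtimestamp(int(s), tz=timezone.utc)


def join_dig_lines(text):
    """dig wraps long RDATA in parentheses over several lines and comments with ';'.
    Return one whitespace-normalised string per record, parentheses removed."""
    records, buf, depth = [], [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()   # drop ';' comments and blank lines
        if not line:
            continue
        buf.append(line)
        depth += line.count("(") - line.count(")")
        if depth <= 0:                        # record complete
            records.append(" ".join(buf).replace("(", " ").replace(")", " "))
            buf, depth = [], 0
    return records


def parse_rrsig(record):
    """Presentation format: owner TTL IN RRSIG covered alg labels origTTL exp inc keytag signer sig."""
    f = record.split()
    if len(f) < 13 or f[2] != "IN" or f[3] != "RRSIG":
        raise ValueError("not an RRSIG record: %r" % record)
    return {
        "owner": f[0],
        "type_covered": f[4],
        "algorithm": int(f[5]),
        "expiration": parse_rrsig_time(f[8]),
        "inception": parse_rrsig_time(f[9]),
        "key_tag": int(f[10]),
        "signer": f[11],
    }


def rrsig_status(sig, now):
    if now < sig["inception"]:
        return "not yet valid"
    if now > sig["expiration"]:
        return "expired"
    return "valid"


def check_servers(answers, now, covered="DNSKEY"):
    """answers: {server: dig output text}. Returns {server: status} for the covered RRset.
    An RRset may carry several signatures; it is usable if at least one is in its window."""
    result = {}
    for server, text in answers.items():
        sigs = [parse_rrsig(r) for r in join_dig_lines(text)
                if len(r.split()) > 4 and r.split()[3] == "RRSIG"]
        statuses = {rrsig_status(s, now) for s in sigs if s["type_covered"] == covered}
        if not statuses:
            result[server] = "no RRSIG"
        elif "valid" in statuses:
            result[server] = "valid"
        elif "expired" in statuses:
            result[server] = "expired"
        else:
            result[server] = "not yet valid"
    return result


def zone_verdict(per_server):
    """'consistent' if every server validates, 'broken' if none does, else 'inconsistent':
    the thread's case, where a resolver that retries other servers succeeds and one that
    stays on the failing server answers SERVFAIL."""
    good = [s for s, st in per_server.items() if st == "valid"]
    if len(good) == len(per_server):
        return "consistent"
    if not good:
        return "broken"
    return "inconsistent"


# Constructed dig output. Expiration 20090704132711 / 20090719115346 are the values Hauke
# quoted for borg.c-l-i.net and ns.bondis.org; inception, key tag and base64 are placeholders.
SAMPLE_ANSWERS = {
    "borg.c-l-i.net": """\
;; ANSWER SECTION:
bondis.org.\t\t300\tIN\tDNSKEY\t257 3 5 AwEAAcONSTRUCTEDKEYDATA==
bondis.org.\t\t300\tIN\tRRSIG\tDNSKEY 5 2 300 20090704132711 (
\t\t\t\t20090604132711 12345 bondis.org.
\t\t\t\tQ09OU1RSVUNURUQgU0lHTkFUVVJF )
""",
    "ns.bondis.org": """\
;; ANSWER SECTION:
bondis.org.\t\t300\tIN\tDNSKEY\t257 3 5 AwEAAcONSTRUCTEDKEYDATA==
bondis.org.\t\t300\tIN\tRRSIG\tDNSKEY 5 2 300 20090719115346 (
\t\t\t\t20090619115346 12345 bondis.org.
\t\t\t\tQ09OU1RSVUNURUQgU0lHTkFUVVJF )
""",
}
REFERENCE_TIME = datetime(2009, 7, 10, 12, 0, tzinfo=timezone.utc)  # assumed "now"

if __name__ == "__main__":
    report = check_servers(SAMPLE_ANSWERS, REFERENCE_TIME)
    for server, status in report.items():
        print("%-16s %s" % (server, status))
    print("zone:", zone_verdict(report))
```

Against a live zone, collect the NS names with `dig +short NS <zone>`, run `dig +dnssec +norecurse DNSKEY <zone> @<server>` for each, and pass the outputs to `check_servers`; checking every server matters because, as the thread shows, a recursive resolver's verdict can depend on which server it happened to ask.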

Hi Stephane,

a message of 61 lines which said:

Automagic.org has 4 servers.

As I wrote, every other domain in .ORG servfails.

Can you try frobbit.org as well?

    Patrik - not close to my dig...

frobbit.org has AD for me ...

Best regards,
   Wouter