DNSSEC mismatch between Bind 9.7 and Unbound

Hello,

Today we got this one:

Nov 4 15:51:34 mailer unbound: [17795:1] info: validation failure <lipsofsuna.org. A IN>: DS got unsigned CNAME answer from 10.5.0.3 and 10.5.0.3 for DS lipsofsuna.org. while building chain of trust

Unbound (127.0.0.1) point of view:

; <<>> DiG 9.4.2-P2.1 <<>> @127.0.0.1 +dnssec lipsofsuna.org
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 29562
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;lipsofsuna.org. IN A

; <<>> DiG 9.4.2-P2.1 <<>> @127.0.0.1 +dnssec +cdflag lipsofsuna.org
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59237
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;lipsofsuna.org. IN A

;; ANSWER SECTION:
lipsofsuna.org. 529 IN CNAME vhost.sourceforge.net.
vhost.sourceforge.net. 1214 IN A 216.34.181.97

;; AUTHORITY SECTION:
sourceforge.net. 61634 IN NS ns-1.sourceforge.com.
sourceforge.net. 61634 IN NS ns-1.ch3.sourceforge.com.
sourceforge.net. 61634 IN NS ns-2.ch3.sourceforge.com.

; <<>> DiG 9.4.2-P2.1 <<>> @127.0.0.1 +dnssec +cdflag lipsofsuna.org DS
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6632
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;lipsofsuna.org. IN DS

;; ANSWER SECTION:
lipsofsuna.org. 504 IN CNAME vhost.sourceforge.net.

;; AUTHORITY SECTION:
sourceforge.net. 120 IN SOA ns-1.ch3.sourceforge.com. hostmaster.corp.sourceforge.com. 2010110300 14400 1800 604800 3600

and Bind 9.7 (10.5.0.3) point of view:

; <<>> DiG 9.4.2-P2.1 <<>> @10.5.0.3 +dnssec lipsofsuna.org
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35972
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;lipsofsuna.org. IN A

;; ANSWER SECTION:
lipsofsuna.org. 485 IN CNAME vhost.sourceforge.net.
vhost.sourceforge.net. 2285 IN A 216.34.181.97

;; AUTHORITY SECTION:
sourceforge.net. 61590 IN NS ns-1.sourceforge.com.
sourceforge.net. 61590 IN NS ns-2.ch3.sourceforge.com.
sourceforge.net. 61590 IN NS ns-1.ch3.sourceforge.com.

; <<>> DiG 9.4.2-P2.1 <<>> @10.5.0.3 +dnssec +cdflag lipsofsuna.org DS
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32497
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;lipsofsuna.org. IN DS

;; ANSWER SECTION:
lipsofsuna.org. 468 IN CNAME vhost.sourceforge.net.

;; AUTHORITY SECTION:
sourceforge.net. 84 IN SOA ns-1.ch3.sourceforge.com. hostmaster.corp.sourceforge.com. 2010110300 14400 1800 604800 3600

Unbound is configured to use the Bind 9.7 at 10.5.0.3 as a forwarder. Where is the problem, so that Unbound does not validate it?

Many Thanks

Andreas

Hi Andreas,

The trouble is that bind does not respond with the correct response to
the query for the DS. Unbound can do nothing but fail the query.

(Thank you for the validation error line and those dig outputs, that
really helps!).

> and Bind 9.7 (10.5.0.3) point of view
> ; <<>> DiG 9.4.2-P2.1 <<>> @10.5.0.3 +dnssec +cdflag lipsofsuna.org DS
> ;; QUESTION SECTION:
> ;lipsofsuna.org. IN DS
> ;; ANSWER SECTION:
> lipsofsuna.org. 468 IN CNAME vhost.sourceforge.net.
> ;; AUTHORITY SECTION:
> sourceforge.net. 84 IN SOA ns-1.ch3.sourceforge.com.
> hostmaster.corp.sourceforge.com. 2010110300 14400 1800 604800 3600
>
> Unbound is configured to use the Bind 9.7 at 10.5.0.3 as a forwarder.
> Where is the problem, so that Unbound does not validate it?

This response should have contained the NSEC3s and their RRSIGs that
came with the referral from .org.

It seems to be an error in Bind 9.7. As a consolation, unbound has the
same error, which I have just fixed in svn (r2335).

Best regards,
   Wouter
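The check Wouter's diagnosis implies, as an added example that is not part of this thread and not code from Unbound or BIND: a small Python script that takes the text `dig +dnssec +cdflag <name> DS` prints against a forwarder and reports whether the DS answer is one a validator can use. The first sample is a trimmed copy of the BIND 9.7 output posted above; the other two (a signed NSEC3 denial from the .org side and a positive DS answer for example.org) are constructed to show what the good cases look like, so their owner hashes, key tags, digests and signature bytes are made up. The script name in the usage note is an assumption.

```python
"""Check a forwarder's DS answer, parsed from dig's text output.
Added example for this thread, not code from Unbound or BIND. A validator asking
"<child> DS" needs either the DS RRset or the parent's signed NSEC/NSEC3 denial.
"""
import re, sys
from collections import namedtuple

RR = namedtuple("RR", "owner rtype rdata")

# Trimmed copy of the BIND 9.7 answer posted in the thread.
BROKEN_DS_REPLY = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32497
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;lipsofsuna.org.  IN DS

;; ANSWER SECTION:
lipsofsuna.org.  468 IN CNAME vhost.sourceforge.net.

;; AUTHORITY SECTION:
sourceforge.net.  84 IN SOA ns-1.ch3.sourceforge.com. hostmaster.corp.sourceforge.com. 2010110300 14400 1800 604800 3600
"""

# Constructed: the shape of a correct answer, the .org side's NSEC3 denial with
# its RRSIG. Owner hashes, key tag and signature bytes are made up.
INSECURE_PROOF_REPLY = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 1
;; QUESTION SECTION:
;lipsofsuna.org.  IN DS

;; AUTHORITY SECTION:
org.  900 IN SOA a0.org.afilias-nst.info. noc.afilias-nst.info. 2010110400 1800 900 604800 86400
h9p7u7tr2u91d0v0ljs9l1gidnp90u3h.org.  86400 IN NSEC3 1 1 1 D399EAAB H9PARR669T6U8O1GSG9E1LMITK4DEM0T NS SOA RRSIG DNSKEY NSEC3PARAM
h9p7u7tr2u91d0v0ljs9l1gidnp90u3h.org.  86400 IN RRSIG NSEC3 7 2 86400 20101118000000 20101104000000 12345 org. ZmFrZQ==
"""

# Constructed: a signed delegation, DS present in the answer. Digest is made up.
SECURE_DS_REPLY = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;example.org.  IN DS

;; ANSWER SECTION:
example.org.  86400 IN DS 12345 7 1 0123456789ABCDEF0123456789ABCDEF01234567
example.org.  86400 IN RRSIG DS 7 2 86400 20101118000000 20101104000000 12345 org. ZmFrZQ==
"""

def parse_dig(text):
    """Return (status, qname, qtype, sections) from what dig prints."""
    status = qname = qtype = current = None
    sections = {"ANSWER": [], "AUTHORITY": [], "ADDITIONAL": []}
    for line in (raw.strip() for raw in text.splitlines() if raw.strip()):
        m = re.match(r";; ->>HEADER<<-.*status: (\w+)", line)
        if m:
            status = m.group(1)
        elif re.match(r";; (\w+) SECTION:", line):
            current = line.split()[1]
        elif line.startswith(";"):          # question line or other commentary
            if current == "QUESTION":
                f = line[1:].split()
                qname, qtype = f[0].lower(), f[-1].upper()
        elif current in sections:
            f = line.split(None, 4)         # owner ttl class type rdata
            if len(f) >= 4:
                sections[current].append(RR(f[0].lower(), f[3].upper(), f[4] if len(f) == 5 else ""))
    return status, qname, qtype, sections

def classify_ds_response(text):
    """Say whether a validator could use this DS answer, and if not, why."""
    status, qname, qtype, sec = parse_dig(text)
    if qtype != "DS":
        raise ValueError("expected a DS query, got %s" % qtype)
    if status not in ("NOERROR", "NXDOMAIN"):
        return "rcode-%s" % (status or "unknown").lower()
    answer, auth = sec["ANSWER"], sec["AUTHORITY"]
    if any(rr.rtype == "DS" and rr.owner == qname for rr in answer):
        return "secure-ds-present"
    if any(rr.rtype == "CNAME" and rr.owner == qname for rr in answer):
        return "cname-instead-of-ds"       # the failure in this thread
    denial = any(rr.rtype in ("NSEC", "NSEC3") for rr in auth)
    denial_signed = any(rr.rtype == "RRSIG" and rr.rdata.split(" ", 1)[0] in ("NSEC", "NSEC3") for rr in auth)
    if denial and denial_signed:
        return "insecure-delegation-proven"
    return "denial-unsigned" if denial else "no-ds-no-proof"

if __name__ == "__main__":
    if not sys.stdin.isatty():              # piped-in dig output
        print(classify_ds_response(sys.stdin.read()))
    for label, sample in (("bind-9.7-as-posted", BROKEN_DS_REPLY),
                          ("nsec3-denial", INSECURE_PROOF_REPLY),
                          ("ds-present", SECURE_DS_REPLY)):
        print("%-20s %s" % (label, classify_ds_response(sample)))
```

To check a live forwarder, pipe the query through it, e.g. `dig @10.5.0.3 +dnssec +cdflag lipsofsuna.org DS | python3 check_ds.py` (the file name is assumed). A result of `cname-instead-of-ds` is exactly the shape behind the "DS got unsigned CNAME answer" line at the top of the thread: the forwarder returned the CNAME instead of the signed NSEC3 records from the .org referral, so the validator has neither a DS nor a proof of its absence. `+cdflag` matters here; it stops the forwarder from validating on its own and shows what it actually hands back, which is what Unbound sees when it forwards.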

Quoting "W.C.A. Wijngaards" <wouter@NLnetLabs.nl>:

> Hi Andreas,
>
> The trouble is that bind does not respond with the correct response to
> the query for the DS. Unbound can do nothing but fail the query.
>
> (Thank you for the validation error line and those dig outputs, that
> really helps!).

Damn...
That would mean I can't safely operate Unbound as a downstream cache, at least with this version of Bind. If I disable DNSSEC in Unbound it will set the cdflag for queries to the forwarder, so no DNSSEC will be done at all, no?

Regards

Andreas

Isn't the more fundamental problem that someone tried to put a CNAME at
the zone apex of lipsofsuna.org?

Tony.

* Tony Finch: