Hello,
I have an issue with unbound 1.9.1.
I am trying to get tlsa records from domain _25._tcp.do.havedane.net
but this fails with unbound. DNSSEC validation tools report no issues
with that domain though.
query: $ dig -t tlsa _25._tcp.do.havedane.net @::1 +dnssec
which yields NXDOMAIN and no tlsa records, but with Google Public DNS
$ dig -t tlsa _25._tcp.do.havedane.net @8.8.4.4 +dnssec
I do get tlsa records with the AD flag.
Excerpt from unbound log:
Apr 28 12:56:13 desktop unbound[17175]: [17175:0] info: validator operate: query _25._tcp.do.havedane.net. TLSA IN
Apr 28 12:56:13 desktop unbound[17175]: [17175:0] debug: NameError response failed nsec, nsec3 proof was sec_status_insecure
Apr 28 12:56:13 desktop unbound[17175]: [17175:0] info: validate(nxdomain): sec_status_insecure
But Google Public DNS and the DNSSEC validation tools[1] report no
issues though.
[1] https://dnssec-analyzer.verisignlabs.com/do.havedane.net and
http://dnsviz.net/d/do.havedane.net/dnssec/
I have this issue with unbound 1.9.1 from Arch repo.
With unbound 1.9.0 from Debian testing repo it works just fine
(sec_status_secure).
So is this a bug with unbound 1.9.1 or do the others not validate properly?
Regards Stefan
Google DNS doesn't use qname minimization.
The nameserver for havedane.net returns NXDOMAIN when I ask for _tcp.do.havedane.net.
Then there can't be a _25._tcp.do.havedane.net.
Only if you disable qname minimisation will unbound ask havedane.net's nameserver
for "_25._tcp.do" (dotted hostname) and get an answer.
The nameserver for havedane.net should get fixed:
http://dnsviz.net/d/_25._tcp.do.havedane.net/dnssec/
Andreas
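To make the mechanism Andreas describes concrete, here is an added simulation (not code from this thread, from Unbound, or from the havedane.net operator) of RFC 7816 QNAME minimisation talking to two toy authoritative servers: one that answers correctly for empty non-terminals (ENTs) such as _tcp.do.havedane.net with NOERROR/NODATA, and one that wrongly returns NXDOMAIN for them. The zone content is constructed for illustration (only the names match the thread), no DNS traffic is sent, and the DNSSEC denial-proof check that Unbound's log shows failing is not modelled; the point shown is why a minimising resolver stops early while a non-minimising one, or Google Public DNS, still gets the TLSA record.

```python
"""Toy simulation of QNAME minimisation (RFC 7816) against an authoritative
server that mishandles empty non-terminals. Constructed example; no network.
"""

# Constructed zone data: only the TLSA owner name holds records, so "do" and
# "_tcp.do" exist merely as empty non-terminals (ENTs) on the way down.
ZONE_APEX = "havedane.net"
ZONE_RECORDS = {
    "havedane.net": {"SOA", "NS"},
    "_25._tcp.do.havedane.net": {"TLSA"},
}


def name_exists(qname):
    """A name exists if it owns records or is an ancestor (ENT) of an owner."""
    if qname in ZONE_RECORDS:
        return True
    suffix = "." + qname
    return any(owner.endswith(suffix) for owner in ZONE_RECORDS)


def auth_correct(qname, qtype):
    """Conformant authoritative server: returns (rcode, answer_present)."""
    if qname in ZONE_RECORDS and qtype in ZONE_RECORDS[qname]:
        return ("NOERROR", True)
    if name_exists(qname):
        return ("NOERROR", False)      # NODATA: name exists, type does not
    return ("NXDOMAIN", False)


def auth_buggy(qname, qtype):
    """Broken server: any name without its own records is treated as absent,
    so ENTs get NXDOMAIN instead of NODATA."""
    if qname in ZONE_RECORDS:
        return auth_correct(qname, qtype)
    return ("NXDOMAIN", False)


def minimised_names(qname, zone_cut):
    """Query names a minimising resolver sends to the zone's server, in order:
    one more label of the QNAME is revealed per step, starting just below the
    known zone cut and ending with the full QNAME."""
    labels = qname.split(".")
    n_extra = len(labels) - len(zone_cut.split("."))
    return [".".join(labels[n_extra - k:]) for k in range(1, n_extra + 1)]


def resolve(qname, qtype, auth, minimise=True, zone_cut=ZONE_APEX):
    """Resolver loop. Intermediate names are asked with a placeholder type
    (this simulation uses A; only the rcode matters here). An NXDOMAIN for an
    intermediate name ends the lookup, since nothing can exist below a name
    that does not exist (RFC 8020). Returns (rcode, answer_present, queries)."""
    names = minimised_names(qname, zone_cut) if minimise else [qname]
    queries = []
    rcode, answered = ("NOERROR", False)
    for name in names:
        qt = qtype if name == qname else "A"
        rcode, answered = auth(name, qt)
        queries.append((name, qt, rcode))
        if rcode == "NXDOMAIN":
            return ("NXDOMAIN", False, queries)
    return (rcode, answered, queries)


def demo():
    """The three situations from the thread, as (rcode, answer_present)."""
    q = ("_25._tcp.do.havedane.net", "TLSA")
    return {
        "buggy server, minimisation on": resolve(*q, auth_buggy, minimise=True)[:2],
        "buggy server, minimisation off": resolve(*q, auth_buggy, minimise=False)[:2],
        "correct server, minimisation on": resolve(*q, auth_correct, minimise=True)[:2],
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

Against the buggy server the minimising resolver's very first query (do.havedane.net) already comes back NXDOMAIN, so it never asks for the full TLSA name; the same resolver with minimisation off, and any resolver against the fixed server, reaches the record. In real Unbound the bogus NXDOMAIN additionally has to carry a valid NSEC/NSEC3 denial, which is what the "NameError response failed nsec" log line reports.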
> Google DNS doesn't use qname minimization.
> Only if you disable qname minimisation will unbound ask havedane.net's nameserver for "_25._tcp.do" (dotted hostname) and get an answer.
That would imply that unbound's (1.9.0) implementation of qname
minimisation is broken, since Debian's unbound default config has qname
minimisation activated.
Regards Stefan
I also tested with "qname-minimisation-strict: no" (unbound 1.9.1) and
I still get sec_status_insecure.
With "qname-minimisation: no" I get the tlsa records.
Regards, Stefan
Stefan Kublinski via Unbound-users:
> Hello,
> I have an issue with unbound 1.9.1.
> I am trying to get tlsa records from domain _25._tcp.do.havedane.net
> but this fails with unbound. DNSSEC validation tools report no issues
> with that domain though.
Just found: the domain "puz.de" has a similar problem...
Andreas