Is it just me?

Hi,

I use Unbound 1.4.8 and get this:

Mar 18 19:07:41 xs unbound: [17639:0] info: validation failure
<www.iana.org. A IN>: No DNSKEY record for key vip.icann.org. while
building chain of trust
Mar 18 19:07:41 xs unbound: [17639:0] info: validation failure
<www.iana.org. AAAA IN>: No DNSKEY record for key vip.icann.org. while
building chain of trust

Anyone a clue?

(Weird setup btw in the IANA DNS: ianawww.vip.icann.org has a TTL of
only 30 seconds, but hey, that's another story)

On 18-03-11 19:22, Marco Davids (SIDN) wrote:

I use Unbound 1.4.8 and get this:

Mar 18 19:07:41 xs unbound: [17639:0] info: validation failure
<www.iana.org. A IN>: No DNSKEY record for key vip.icann.org. while
building chain of trust

Mmm... seems 0x20 related...

dig +dnssec ianawww.vip.icann.ORG @gtm1.lax.icann.org.

no RRSIGs!

dig +dnssec ianawww.vip.icann.org @gtm1.lax.icann.org.

(all lowercase)

does return an RRSIG.

It gets better:

Any uppercase in ianawww is ok and returns an RRSIG.

Any uppercase in vip.icann.org is not and does NOT return an RRSIG.

Both cases return an A record.

Jan.

On 18-03-11 20:46, Jan Komissar (jkomissa) wrote:

It gets better:

Any uppercase in ianawww is ok and returns an RRSIG.
Any uppercase in vip.icann.org is not and does NOT return an RRSIG.
Both cases return an A record.

I have made the ICANN IT department aware of this issue.

Not Unbound related, so case closed here.

Sorry for bothering.

What is the issue exactly?

--Olaf

Olaf,

I have made the ICANN IT department aware of this issue.

Not Unbound related, so case closed here.

What is the issue exactly?

I had some problems resolving www.iana.org for a while, until I decided
to take a closer look into this.

I use Unbound (what else :-) ) with 0x20 enabled (for fun, basically).

To make a long story short:

- www.iana.org has CNAME ianawww.vip.icann.org.
- vip.icann.org. has three nameservers
- they don't return an RRSIG if there are uppercase letters in the qname, just
the A record:

dig +dnssec ianawww.VIP.icann.org. @gtm1.dc.icann.org.

ICANN IT department is looking into this, together with their
loadbalancer vendor.

The 0x20 option is just for fun, I don't care much about it. Much more
important to me is that ICANN should set an example in running
RFC-compliant name servers.

Regards,
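
The manual dig comparison from this thread, automated as an added example that is not part of the original messages: it queries one name in several case variants and reports which variants lose record types relative to the all-lowercase baseline. The `lookup` interface and `constructed_lookup` (a stand-in that mimics the behaviour reported for the vip.icann.org servers) are assumptions; in practice `lookup` would wrap a real DNSSEC-enabled query to the authoritative server.

```python
import random


def case_variants(qname, rng):
    """Yield (description, qname): lowercase baseline, each label uppercased
    on its own, and one random mixed-case name as a 0x20 resolver would send."""
    labels = qname.lower().rstrip(".").split(".")
    yield "baseline", ".".join(labels) + "."
    for i, label in enumerate(labels):
        mixed = labels[:i] + [label.upper()] + labels[i + 1:]
        yield f"label {i} ({label}) uppercased", ".".join(mixed) + "."
    rand = "".join(c.upper() if rng.random() < 0.5 else c for c in qname.lower())
    yield "random 0x20 mix", rand


def check_case_consistency(qname, lookup, rng=None):
    """Return (description, qname, missing_types) for every case variant whose
    answer lacks record types that the lowercase baseline returned.
    lookup(qname) -> set of RR type strings in the answer (assumed interface)."""
    variants = list(case_variants(qname, rng or random.Random()))
    baseline = lookup(variants[0][1])
    failures = []
    for desc, name in variants[1:]:
        missing = sorted(baseline - lookup(name))
        if missing:
            failures.append((desc, name, missing))
    return failures


def constructed_lookup(qname):
    """Constructed stand-in for the server behaviour described in the thread:
    the A record is always returned, the RRSIG only when everything after the
    first label is lowercase."""
    _host, _, rest = qname.rstrip(".").partition(".")
    types = {"A"}
    if rest == rest.lower():
        types.add("RRSIG")
    return types


if __name__ == "__main__":
    for desc, name, missing in check_case_consistency(
            "ianawww.vip.icann.org.", constructed_lookup, random.Random(0x20)):
        print(f"{desc}: {name} is missing {', '.join(missing)}")
```

A server that treats query names case-insensitively produces an empty list; any entry means a validating resolver with 0x20 enabled can see unsigned answers for a signed name.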