Issue with unbound 1.4.6rc1 maintainers prerelease?

Unbound 1.4.6rc1 is prereleased:
http://unbound.net/downloads/unbound-1.4.6rc1.tar.gz
sha1 c1434f44d5c7dd456cc5d8195d1de23429ac19b9
sha256 77377a429a2bafda276d921de24601114efa22809b2fa149e258f8f0c35a4d38

Mostly bugfixes, with this release prompted by the RFC for GOST. GOST
is enabled if the SSL and ldns support it. Otherwise, unbound acts as
if GOST is not supported (it becomes insecure).

I did a compile test. I have openssl with gost, ldns 1.5.6rc1 with gost,
and unbound with gost compiled and installed.

I had no trust anchors yet:

[root@bofh devel]# grep trust-anchor /etc/unbound/unbound.conf |grep -v "#"
[root@bofh devel]#

I am confused about this query:

[root@bofh devel]# dig +dnssec -t ns gost.cert.ru. @localhost
; <<>> DiG 9.6.2-P2-RedHat-9.6.2-5.P2.fc12 <<>> +dnssec -t ns gost.cert.ru. @localhost
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 11021
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 9, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;gost.cert.ru. IN NS

;; AUTHORITY SECTION:
cert.ru. 3242 IN SOA ns.cert.ru. postmaster.cert.ru. 1279506600 10800 3600 604800 3600
cert.ru. 3242 IN RRSIG SOA 5 2 3600 20100722023000 20100719013000 39201 cert.ru. BkEGeTqFrqOKR03Zh2ox/73Fvtb7slZUGSYauDRXCfuGrJGBBekPaVZC wz79JHaj5C0F5BOl/P2tM2nRPD4szfy7Dl65Ecnv8wLdKOx9LO0+w97H nXMWT5N1O4GsTypCi81ilGixrVfcOf+Dnz+Hnllr35a8z4dtAYVmlgX6 /iw=
cert.ru. 3242 IN RRSIG SOA 12 2 3600 20100722023000 20100719013000 18367 cert.ru. 7opJj1wkw4+Vub6bImpqx+ijkVv9G3Oh1ynRLjk+hATUoX/7SaxfaWIb 4ocpfOZjX6fXlnzviCphbcSbT0bj7A==
cert.ru. 3242 IN NSEC cobin.cert.ru. A NS SOA MX TXT RRSIG NSEC DNSKEY
cert.ru. 3242 IN RRSIG NSEC 5 2 3600 20100722023000 20100719013000 39201 cert.ru. UIcidDcm89nvSlfjnSa364r/RXkeNoipCKs5Jkik6KPSs1iSBlBkB7QG MkevzOCR4jFm8NQ0ip/Ry3bKcEDxfBWBRJ0Q4PKDmX4M2aIaM9SUW3mo yyqZqzM4apva6+azzGf3WT6pbj0PQcsYaoQI9kX3DxqmgT4rJ8locBGm KEI=
cert.ru. 3242 IN RRSIG NSEC 12 2 3600 20100722023000 20100719013000 18367 cert.ru. bHxEa6OY2S0GS18t7QmvJ8QPQBEZ81QS0NcBWLGgA8TDr3mrX2o18RDI FCwrJ3w9qlV4yhh/tlSwMN0I9winQg==
dlv.cert.ru. 3242 IN NSEC imap.cert.ru. NS DS RRSIG NSEC
dlv.cert.ru. 3242 IN RRSIG NSEC 5 3 3600 20100722023000 20100719013000 39201 cert.ru. cFkL+pVMB8PsV4NOkW/FYuI09yaox1H1yPvNRncwBemhMFWvU9dY80Wd dITEGPzYfMRgRt2pmfBZ2uu2GOHY0BzbtqkgwG4UOyyRqhbqQdS2Opot 9uM/WIIPCRTBNekwEcUY+sGh3+yYhs7cCb83nZ83YIIXFiaC2R7n52NT 1kE=
dlv.cert.ru. 3242 IN RRSIG NSEC 12 3 3600 20100722023000 20100719013000 18367 cert.ru. 2AJGKi8MacFuAo0n7EWwexn7Pc6rCN877+QMs76a8iDq+9VZPPoec8Js zn0TI9ta61ISt0A8UDjndK7cswpleA==

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Jul 19 12:04:54 2010
;; MSG SIZE rcvd: 975

This shows the AD bit, and I am unsure why. There is no DS record, nor a DLV record
for gost.cert.ru. And I did not configure a trust anchor for it yet.

I've attached unbound.log with verbosity:4

Paul

Attachment: unbound.log.gz (449 KB)

Hi Paul,

Because you have DLV enabled and there is a DLV for cert.ru.

Jul 19 12:08:30 bofh unbound: [3519:1] info: validator operate: query <cert.ru.dlv.isc.org. DLV IN>
Jul 19 12:08:30 bofh unbound: [3519:1] info: signer is <dlv.isc.org. TYPE0 CLASS0>
Jul 19 12:08:30 bofh unbound: [3519:1] info: validator: FindKey <cert.ru.dlv.isc.org. DLV IN>
Jul 19 12:08:30 bofh unbound: [3519:1] info: verify rrset <cert.ru.dlv.isc.org. DLV IN>
Jul 19 12:08:30 bofh unbound: [3519:1] info: verify rrset <dlv.isc.org. NS IN>
Jul 19 12:08:30 bofh unbound: [3519:1] info: validate(positive): sec_status_secure
Jul 19 12:08:30 bofh unbound: [3519:1] info: validation success <cert.ru.dlv.isc.org. DLV IN>
Jul 19 12:08:30 bofh unbound: [3519:1] info: validator: inform_super, sub is <cert.ru.dlv.isc.org. DLV IN>
Jul 19 12:08:30 bofh unbound: [3519:1] info: super is <ns.cert.ru. A IN>
Jul 19 12:08:30 bofh unbound: [3519:1] info: validator: inform_super, sub is <cert.ru.dlv.isc.org. DLV IN>
Jul 19 12:08:30 bofh unbound: [3519:1] info: super is <ns2.cert.ru. A IN>
Jul 19 12:08:30 bofh unbound: [3519:1] info: validator: inform_super, sub is <cert.ru.dlv.isc.org. DLV IN>
Jul 19 12:08:30 bofh unbound: [3519:1] info: super is <cert.ru. NS IN>
Jul 19 12:08:30 bofh unbound: [3519:1] info: validator: inform_super, sub is <cert.ru.dlv.isc.org. DLV IN>
Jul 19 12:08:30 bofh unbound: [3519:1] info: super is <gost.cert.ru. NS IN>
Jul 19 12:08:30 bofh unbound: [3519:1] info: validator operate: query <ns2.cert.ru. A IN>
Jul 19 12:08:30 bofh unbound: [3519:1] info: generate request <cert.ru. DNSKEY IN>
Jul 19 12:08:30 bofh unbound: [3519:1] info: validator operate: query <cert.ru. NS IN>
Jul 19 12:08:30 bofh unbound: [3519:1] info: generate request <cert.ru. DNSKEY IN>
Jul 19 12:08:30 bofh unbound: [3519:1] info: validator operate: query <ns.cert.ru. A IN>
Jul 19 12:08:30 bofh unbound: [3519:1] info: generate request <cert.ru. DNSKEY IN>
Jul 19 12:08:30 bofh unbound: [3519:1] info: validator operate: query <gost.cert.ru. NS IN>
Jul 19 12:08:30 bofh unbound: [3519:1] info: generate request <cert.ru. DNSKEY IN>
Jul 19 12:08:30 bofh unbound: [3519:1] info: validator operate: query <cert.ru. DNSKEY IN>
Jul 19 12:08:30 bofh unbound: [3519:1] info: resolving <cert.ru. DNSKEY IN>

Best regards,
   Wouter
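
The two halves of Wouter's answer, worked through as an added example (not code from the thread or from unbound): the NSEC records in Paul's dig output prove that gost.cert.ru and the wildcard at cert.ru do not exist, which is why a signed NXDOMAIN earns the AD bit once a DLV record anchors trust for cert.ru. The NSEC owner/next pairs are copied from the dig output; dlv.isc.org is the DLV zone visible in the log.

```python
"""Why the NXDOMAIN for gost.cert.ru carried the AD bit: the two NSEC records
in the reply prove that neither the name nor a wildcard exists, and DLV
supplies the trust for cert.ru. NSEC pairs copied from the dig output above;
dlv.isc.org is the DLV zone in the log. Added example, not unbound's code."""

# (owner, next-name) of the NSEC records in the thread's dig output.
NSECS = [("cert.ru.", "cobin.cert.ru."), ("dlv.cert.ru.", "imap.cert.ru.")]


def canonical_key(name):
    """RFC 4034 canonical ordering: labels compared right to left,
    case-insensitively; a name sorts before every name beneath it."""
    labels = [lab.lower().encode() for lab in name.rstrip(".").split(".") if lab]
    return list(reversed(labels))


def nsec_covers(owner, next_name, qname):
    """True if qname lies strictly between an NSEC's owner and its next
    name, which proves qname does not exist in the zone."""
    o, n, q = (canonical_key(x) for x in (owner, next_name, qname))
    if o < n:
        return o < q < n
    return q > o or q < n  # last NSEC in the zone wraps around to the apex


def closest_encloser(qname, nsecs):
    """Longest ancestor of qname that owns an NSEC, hence provably exists."""
    owners = [canonical_key(o) for o, _ in nsecs]
    labels = qname.rstrip(".").split(".")
    for i in range(1, len(labels)):
        ancestor = ".".join(labels[i:]) + "."
        if canonical_key(ancestor) in owners:
            return ancestor
    return None


def proves_nxdomain(qname, nsecs):
    """Authenticated denial of existence: one NSEC covers qname and one
    covers the wildcard at the closest encloser; that is what earns AD."""
    enc = closest_encloser(qname, nsecs)
    if enc is None:
        return False
    return (any(nsec_covers(o, n, qname) for o, n in nsecs)
            and any(nsec_covers(o, n, "*." + enc) for o, n in nsecs))


def dlv_lookup_names(qname, dlv_zone):
    """DLV names a validator can query for qname, one per ancestor zone; the
    log shows cert.ru.dlv.isc.org. answered. Trial order is validator-specific."""
    labels = qname.rstrip(".").split(".")
    return [".".join(labels[i:] + [dlv_zone.rstrip(".")]) + "."
            for i in range(len(labels))]
```

Note that the first NSEC (cert.ru. to cobin.cert.ru.) does not cover gost.cert.ru itself; it is there to deny the wildcard, while the dlv.cert.ru. to imap.cert.ru. NSEC denies the name.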

duh. I missed that because I tried:

dig -t ds gost.cert.ru @193.110.157.136

; <<>> DiG 9.6.2-P2-RedHat-9.6.2-5.P2.fc12 <<>> -t ds gost.cert.ru @193.110.157.136
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 51186
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

and did not get a DS record. I didn't realise there was no subdelegation for
gost.cert.ru.

Thanks for the clarification. I guess gost validation worked properly then :)

Paul