Ldns (DNSSEC) and case-sensitivity

I debugged an issue for quite some time, when I wasn't
able to set up DNSSEC (island of security) with unbound
and NSD for any reverse (in-addr.arpa) zone, but it all
worked just fine for any forward zone.

unbound refused to validate any record from zones in
question, giving the following messages:

info: validator: inform_super, sub is 168.192.in-addr.arpa. DNSKEY IN
info: super is 168.192.in-addr.arpa. SOA IN
debug: attempt DS match algo 7 keytag 24900
debug: DS match digest ok, trying signature
debug: verify: signature mismatch
debug: rrset failed to verify: all signatures are bogus
debug: Failed to match any usable anchor to a DNSKEY.
info: validate keys with anchor(DS): sec_status_bogus
info: failed to prime trust anchor -- DNSKEY rrset is not secure 168.192.in-addr.arpa. DNSKEY IN

I asked in #unbound on freenode, but noticed that IN-ADDR.ARPA
in the $ORIGIN line is written in UPPER-case, while all the rest
uses lowercase.

So I tried lowercasing it, and voila, everything worked.

I'm using command-line ldns tools to perform the signing --
ldns-keygen, ldns-signzone etc.

So if any of you happen to do the same (sort-of-insane)
thing, please use lowercase chars in zone origins, or
else the resulting signed zone will not validate.

Using unbound-1.4.12, nsd 3.2.5, and ldnsutils 1.6.10.

Posted to both unbound and nsd since I'm subscribed to both
and don't know if there's a special ldns mailing list for this,
and since the problem will be seen as a failure to verify the zone,
so it will appear unbound-related.

Thanks,

/mjt
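The canonicalization the thread turns on, as an added example (not code from the original post or from ldns): RFC 4034 section 6.2 requires owner names to be lowercased before computing the bytes an RRSIG covers, and a validator always does that, so a signer that keeps the zone-file spelling signs different bytes than the validator checks, which surfaces as unbound's "signature mismatch". The PTR RRset, PTR target and timestamps below are constructed; the zone name, algorithm and key tag are taken from the log in the post.

```python
import hashlib
import struct

# Constructed PTR RRset in the reverse zone from the thread, owner written
# both ways (sample data, not from the post).
UPPER_OWNER = "1.168.192.IN-ADDR.ARPA."
LOWER_OWNER = "1.168.192.in-addr.arpa."
TYPE_PTR, CLASS_IN, TTL = 12, 1, 3600
SIGNER = "168.192.in-addr.arpa."                  # zone apex from the log
ALGO, KEYTAG = 7, 24900                            # algorithm and key tag from the log
EXPIRATION, INCEPTION = 1320000000, 1319000000     # constructed RRSIG timestamps

def wire_name(name: str, canonical: bool = True) -> bytes:
    """Encode a dotted name as DNS wire labels. RFC 4034 section 6.2 canonical
    form lowercases ASCII letters; canonical=False keeps the text as written,
    which is what a signer that forgets to canonicalize effectively does."""
    if canonical:
        name = name.lower()
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += struct.pack("B", len(label)) + label.encode("ascii")
    return out + b"\x00"

def canonical_rr(owner, rtype, rclass, ttl, rdata, canonical=True):
    """One RR in canonical wire form: owner | type | class | TTL | rdlength | rdata."""
    header = struct.pack("!HHIH", rtype, rclass, ttl, len(rdata))
    return wire_name(owner, canonical) + header + rdata

def signed_data(owner, rrs_rdata, canonical=True):
    """Bytes the RRSIG covers (RFC 4034 section 3.1.8.1): RRSIG RDATA without
    the signature field, then the RRs sorted by RDATA (canonical order)."""
    labels = len(owner.rstrip(".").split("."))
    rrsig_prefix = struct.pack("!HBBIIIH", TYPE_PTR, ALGO, labels, TTL,
                               EXPIRATION, INCEPTION, KEYTAG) + wire_name(SIGNER)
    rrs = b"".join(canonical_rr(owner, TYPE_PTR, CLASS_IN, TTL, rd, canonical)
                   for rd in sorted(rrs_rdata))
    return rrsig_prefix + rrs

def signed_digest(owner, canonical=True):
    """SHA-256 of the signed data, standing in for the RSA signature: any
    difference here already guarantees the real signature will not verify."""
    rdata = [wire_name("host.example.", canonical)]   # PTR target, also lowercased
    return hashlib.sha256(signed_data(owner, rdata, canonical)).hexdigest()

if __name__ == "__main__":
    # A canonicalizing signer and the validator agree whatever the zone-file case...
    print(signed_digest(UPPER_OWNER) == signed_digest(LOWER_OWNER))                # True
    # ...but bytes signed over the un-lowercased owner never match the validator's.
    print(signed_digest(UPPER_OWNER, canonical=False) == signed_digest(LOWER_OWNER))  # False
```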

> I debugged an issue for quite some time, when I wasn't
> able to set up DNSSEC (island of security) with unbound
> and NSD for any reverse (in-addr.arpa) zone, but it all
> worked just fine for any forward zone.
>
> unbound refused to validate any record from zones in
> question, giving the following messages:
>
> info: validator: inform_super, sub is 168.192.in-addr.arpa. DNSKEY IN
> info: super is 168.192.in-addr.arpa. SOA IN
> debug: attempt DS match algo 7 keytag 24900
> debug: DS match digest ok, trying signature
> debug: verify: signature mismatch
> debug: rrset failed to verify: all signatures are bogus
> debug: Failed to match any usable anchor to a DNSKEY.
> info: validate keys with anchor(DS): sec_status_bogus
> info: failed to prime trust anchor -- DNSKEY rrset is not secure 168.192.in-addr.arpa. DNSKEY IN
>
> I asked in #unbound on freenode, but noticed that IN-ADDR.ARPA
> in the $ORIGIN line is written in UPPER-case, while all the rest
> uses lowercase.
>
> So I tried lowercasing it, and voila, everything worked.

Do you run unbound with use-caps-for-id: yes? Some name servers don't handle that properly.

> I'm using command-line ldns tools to perform the signing --
> ldns-keygen, ldns-signzone etc.

There is an ldns mailing list at ldns-users@open.nlnetlabs.nl

Paul


> > I asked in #unbound on freenode, but noticed that IN-ADDR.ARPA
> > in the $ORIGIN line is written in UPPER-case, while all the rest
> > uses lowercase.
> >
> > So I tried lowercasing it, and voila, everything worked.
>
> Do you run unbound with use-caps-for-id: yes? Some name servers don't handle that properly.

No, I never used that option on any of our 200+ machines
running unbound.. ;)

> > I'm using command-line ldns tools to perform the signing --
> > ldns-keygen, ldns-signzone etc.

BTW, apparently ldns-verify also does not verify the resulting
zone (in the local file just after ldns-signzone), so it's definitely
an ldns bug.

Thanks!

/mjt

On 28-10-11 09:28, Michael Tokarev wrote: