NXDOMAIN vs SERVFAIL?

I am getting an NXDOMAIN from unbound 1.4.8 on compro.net.

  39.580: compro.net INFO Begin testing DNSSEC for compro.net.
  39.861: compro.net INFO Found DS record for compro.net at parent.
  44.869: compro.net NOTICE DNS lookup error (connection failed).
  45.358: compro.net INFO Servers for compro.net have consistent extra processing status.
  45.358: compro.net INFO Did not find DNSKEY record for compro.net at child.
  45.358: compro.net ERROR Inconsistent security for compro.net - DS found at parent, but no DNSKEY found at child.
  45.358: compro.net INFO Done testing DNSSEC for compro.net.
  45.358: compro.net INFO Test completed for zone compro.net.

bind 9.8.0 is giving a ServFail as I expected.

The DS record looks like:

compro.net. 86332 IN DS 2211 3 1 1234567890123456789012345678901234567890

I could not get the DS from unbound either...

Note the hash is obviously fake.

unbound-host takes over 30 secs to respond, as does unbound as a daemon:

-bash-3.2# unbound-host -v compro.net. -C /etc/unbound/unbound.conf
Mar 08 18:07:08 libunbound[31511:0] notice: init module 0: validator
Mar 08 18:07:08 libunbound[31511:0] notice: init module 1: iterator
compro.net. has address 173.201.14.242 (BOGUS (security failure))
validation failure <compro.net. A IN>: No DNSKEY record from 208.109.255.1 for key compro.net. while building chain of trust
compro.net. has no IPv6 address (BOGUS (security failure))
validation failure <compro.net. AAAA IN>: key for validation compro.net. is marked as invalid because of a previous validation failure <compro.net. NS IN>: No DNSKEY record from 208.109.255.1 for key compro.net. while building chain of trust

compro.net. mail is handled by 10 mx2.compro.net. (BOGUS (security failure))
validation failure <compro.net. MX IN>: key for validation compro.net. is marked as invalid because of a previous validation failure <compro.net. NS IN>: No DNSKEY record from 208.109.255.1 for key compro.net. while building chain of trust

After a little while, or due to me querying and caching something, unbound
started giving me SERVFAILs, though when querying with +cd I still got
no data:

[paul@bofh ~]$ dig +dnssec +cd compro.net @193.110.157.136

; <<>> DiG 9.7.3-RedHat-9.7.3-1.fc14 <<>> +dnssec +cd compro.net @193.110.157.136
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 60322
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;compro.net. IN A

;; Query time: 109 msec
;; SERVER: 193.110.157.136#53(193.110.157.136)
;; WHEN: Tue Mar 8 18:12:13 2011
;; MSG SIZE rcvd: 39

Paul

Hi,

I do not understand where the NXDOMAIN part happens in this story.

If I look at compro.net, it gives me the failure that you describe.

What happens is that 3 of its 4 servers are DNSSEC_LAME (not with a
signed zone). The last server gives timeouts. Unbound tries to contact
that server for several seconds (because it is the only option for
signatures), and when it gives up, you get servfail.

Best regards,
   Wouter
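A per-server check of the picture Wouter describes, as an added example that is not part of this thread or of Unbound: it asks each authoritative server for the zone's DNSKEY set with dig (assumed to be on PATH) and classifies the answer as signed, DNSSEC-lame or timed out, then maps that to what a validating resolver ends up doing. The embedded dig outputs are constructed, and the nameserver names under `__main__` are placeholders.

```python
"""Per-server DNSKEY check for a "DS at parent, no DNSKEY at child" zone.

Added example; not from the thread or the Unbound project. Assumes `dig`
is on PATH. The sample outputs below are constructed, not real captures.
"""
import re
import subprocess

def classify_dig_output(text):
    """Classify one `dig +norecurse +dnssec DNSKEY <zone> @<server>` output."""
    if "no servers could be reached" in text or "connection timed out" in text:
        return "timeout"
    m = re.search(r"status: (\w+)", text)
    if not m or m.group(1) != "NOERROR":
        return "error"          # REFUSED, SERVFAIL, NXDOMAIN, ...
    # DNSKEY RRs in the answer section mean this server serves a signed zone.
    if re.search(r"^\S+\s+\d+\s+IN\s+DNSKEY\s", text, re.M):
        return "signed"
    return "dnssec_lame"        # authoritative NOERROR, but no DNSKEY at all

def resolver_outcome(ds_at_parent, classes):
    """What a validating resolver reaches from the per-server picture."""
    if not ds_at_parent:
        return "insecure"                 # no DS: nothing to validate against
    if "signed" in classes:
        return "secure"                   # a chain of trust can be built
    if "timeout" in classes:
        return "servfail-after-timeouts"  # only hope is the dead server: retry, then fail
    return "servfail-bogus"               # every server is DNSSEC_LAME

def query_dnskey(zone, server, timeout=5):
    """Ask one authoritative server (hostname or address) for the DNSKEY set."""
    cmd = ["dig", "+norecurse", "+dnssec", f"+time={timeout}", "+tries=1",
           "DNSKEY", zone, "@" + server]
    out = subprocess.run(cmd, capture_output=True, text=True).stdout
    return classify_dig_output(out)

# Constructed dig outputs mirroring the three server behaviours in the thread.
LAME = (";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1\n"
        ";; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0\n")
DEAD = ";; connection timed out; no servers could be reached\n"
SIGNED = (";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2\n"
          ";; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0\n"
          ";; ANSWER SECTION:\nexample.\t3600\tIN\tDNSKEY\t257 3 8 AwEAAc...\n")

if __name__ == "__main__":
    # Live run: replace the placeholders with the zone's NS names or addresses.
    zone, servers = "example.", ["ns1.example.", "ns2.example."]
    classes = [query_dnskey(zone, ns) for ns in servers]
    for ns, c in zip(servers, classes):
        print(f"{ns}: {c}")
    print("resolver outcome:", resolver_outcome(True, classes))
```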

a message of 64 lines which said:

Note the hash is obviously fake.

Reading their Web site is even funnier in that case:

COMPRO's Simulation Solutions Group has the technical expertise and
experience in providing effective and efficient equipment, services, solutions, and support for all your training needs.
...
World-class commercial and military software and hardware simulation solutions: