Persistent validation failure on several sites

Hi All,

We consistently receive the following unbound logs:

131127 17:48:33 unbound: [5694:0] info: validation failure  d.t10000.u6860931751.s1385574322.i1009.v6022.503b8.z.dotnxdomain.net. A IN
131127 17:51:28 unbound: [5694:0] info: validation failure ns2.sirius-soft.at. A IN
131127 17:51:28 unbound: [5694:0] info: validation failure ns1.sirius-soft.at. A IN
131127 17:51:28 unbound: [5694:0] info: validation failure ns3.sirius-soft.at. A IN
131127 17:51:45 unbound: [5694:1] info: validation failure ns2.sirius-soft.at. A IN
131127 17:52:02 unbound: [5694:1] info: validation failure ns3.sirius-soft.at. A IN
131127 17:52:35 unbound: [689:0] info: validation failure rellim.com. A IN
131127 17:52:36 unbound: [21479:0] info: validation failure rellim.com. A IN
131127 17:52:46 unbound: [5694:0] info: validation failure rellim.com. A IN
131127 17:52:46 unbound: [5694:0] info: validation failure rellim.com. NS IN
131127 17:52:46 unbound: [5694:0] info: validation failure ns1.rellim.com. A IN
131127 17:52:46 unbound: [689:1] info: validation failure rellim.com. A IN
131127 17:52:48 unbound: [21479:1] info: validation failure rellim.com. A IN
131127 17:52:48 unbound: [21479:1] info: validation failure rellim.com. NS IN
131127 17:52:48 unbound: [21479:1] info: validation failure ns2.rellim.com. AAAA IN
131127 17:52:48 unbound: [21479:1] info: validation failure ns1.rellim.com. A IN

Is it a bug in unbound or a problem with the DNS configuration of those sites?

I ran dig commands on those sites and found all of them returned no answers.

For example,
wendi: dig rellim.com

; <<>> DiG 9.9.3-rl.13207.22-P2-RedHat-9.9.3-5.P2.fc19 <<>> rellim.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 52216
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;rellim.com. IN A

;; Query time: 840 msec
;; SERVER: 192.168.58.1#53(192.168.58.1)
;; WHEN: Fri Nov 29 12:20:38 EST 2013
;; MSG SIZE rcvd: 39

Thank you if you can give me some advice.

Best,
Wendi

Hi Wendi,

I receive answers for them. Your dig contacted unbound itself. You
should set dig +cdflag so you can see the dnssec invalid answers that
unbound has, or set dig to probe the other servers.

sirius-soft.at seems to have retracted its DS record and is now
insecure - I guess something was wrong for them.

rellim.com has faulty algorithm rollover - they publish DS records
algorithms 5 and 7, and have DNSKEYs 7 and 8. There are no keys of
type 5... This breaks resolution for unbound. Other software has a
more lenient view on algorithm rollover and keys. And it goes back to
a debate about whether one key is enough or if you want to check all
available algorithms; it advertises algorithm 5 and thus it must
provide a chain of trust for algorithm 5.

Best regards,
   Wouter
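To make Wouter's point about algorithm rollover concrete, here is an added Python example; it is not code from this thread, from Unbound, or from the zones' operators. It first aggregates "validation failure" lines (constructed from the log excerpt above) per queried name, then maps each name to its zone and applies the two validator policies Wouter contrasts: the strict one (every algorithm advertised in the DS RRset must have a DNSKEY of that algorithm at the apex) and the lenient one (any single DS algorithm with a matching DNSKEY suffices). The model is deliberately reduced to algorithm numbers only: key tags, digests, RRSIGs and the NSEC proof that a DS is really absent are ignored, so an empty DS set is simply treated as "insecure". The rellim.com sets (DS 5 and 7, DNSKEY 7 and 8) come from Wouter's message; the sirius-soft.at DNSKEY algorithm and all function names are my own assumptions.

```python
import re
from collections import Counter

# Sample unbound log lines, constructed from the excerpt earlier in the thread.
SAMPLE_LOG = """\
131127 17:51:28 unbound: [5694:0] info: validation failure ns2.sirius-soft.at. A IN
131127 17:51:28 unbound: [5694:0] info: validation failure ns1.sirius-soft.at. A IN
131127 17:52:46 unbound: [5694:0] info: validation failure rellim.com. A IN
131127 17:52:46 unbound: [5694:0] info: validation failure rellim.com. NS IN
131127 17:52:48 unbound: [21479:1] info: validation failure ns2.rellim.com. AAAA IN
131127 17:52:48 unbound: [21479:1] info: validation failure ns1.rellim.com. A IN
"""

# Algorithm sets per zone: (algorithms in the parent's DS RRset, algorithms of
# the apex DNSKEYs).  rellim.com values are from Wouter's message; the
# sirius-soft.at DNSKEY algorithm is a constructed placeholder (its DS is gone).
ZONES = {
    "rellim.com.": ({5, 7}, {7, 8}),
    "sirius-soft.at.": (set(), {8}),
}

FAIL_RE = re.compile(r"validation failure (?P<name>\S+) (?P<rtype>\S+) (?P<rclass>\S+)$")


def failures_by_name(log_text):
    """Count 'validation failure' lines per queried name, so the noisy
    per-query log collapses into a short list of names to investigate."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            counts[m.group("name")] += 1
    return counts


def check_rollover(ds_algs, dnskey_algs):
    """Evaluate one zone under both validator policies.

    Returns (strict, lenient, missing): strict requires a DNSKEY for every
    DS algorithm; lenient accepts any one DS algorithm that has a DNSKEY.
    Each verdict is 'insecure', 'secure' or 'bogus'; missing lists the DS
    algorithms that have no DNSKEY at all."""
    ds_algs, dnskey_algs = frozenset(ds_algs), frozenset(dnskey_algs)
    if not ds_algs:
        # No DS at the parent: the delegation is unsigned from the
        # validator's point of view (NSEC proof of absence assumed here).
        return ("insecure", "insecure", frozenset())
    missing = ds_algs - dnskey_algs
    usable = ds_algs & dnskey_algs
    lenient = "secure" if usable else "bogus"
    strict = "secure" if not missing else "bogus"
    return (strict, lenient, missing)


def enclosing_zone(name, zones):
    """Pick the longest configured zone that is label-wise a suffix of name,
    so 'ns1.rellim.com.' is attributed to 'rellim.com.'."""
    best = None
    for zone in zones:
        if name == zone or name.endswith("." + zone):
            if best is None or len(zone) > len(best):
                best = zone
    return best


def report(log_text, zones):
    """Join the log aggregation with the per-zone algorithm check."""
    out = {}
    for name, n in failures_by_name(log_text).items():
        zone = enclosing_zone(name, zones)
        if zone is None:
            strict, lenient, missing = "unknown", "unknown", frozenset()
        else:
            strict, lenient, missing = check_rollover(*zones[zone])
        out[name] = {
            "zone": zone,
            "failures": n,
            "strict": strict,
            "lenient": lenient,
            "missing_algorithms": sorted(missing),
        }
    return out


if __name__ == "__main__":
    for name, info in sorted(report(SAMPLE_LOG, ZONES).items()):
        print(f"{name:22} zone={info['zone']} failures={info['failures']} "
              f"strict={info['strict']} lenient={info['lenient']} "
              f"missing={info['missing_algorithms']}")
```

For rellim.com the output shows the asymmetry Wouter describes: the lenient policy finds a chain through algorithm 7 and says "secure", the strict policy sees DS algorithm 5 with no matching DNSKEY and says "bogus". RFC 6840 section 5.11 places the "sign with every DS algorithm" requirement on the zone operator and recommends that validators accept any single valid path, which is why other resolvers answer while a strict validator fails; either way the fix belongs in the zone (remove the algorithm 5 DS or publish and sign with an algorithm 5 key), and `dig +cd` against the validating resolver is the quick way to confirm that the data is there but failing validation rather than missing.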

Hi Wouter,

Thank you for your investigation and explanation. I tried dig +cdflag and it gets answers very well. Later, we experienced such transient problems only when using dig. Since it is not an unbound bug, we will ignore them.

Best,
Wendi