Possible unbound bug with wild card results

There is a bugzilla open about a similar issue:
https://bugzilla.redhat.com/show_bug.cgi?id=824219, but from my
reading it looks like it went off in another direction.

The issue I am running into comes in when resolving fedorapeople.org
domains, which are DLV signed. Specifically fkooman.fedorapeople.org, but
any other *.fedorapeople.org domains seem to fail too, and only with unbound
in my testing thus far. Straight bind will return the result.

When attempting to resolve I get this in the logs:

unbound: [1005:1] info: validation failure fkooman.fedorapeople.org. A IN

Running directly against bind we get the result as expected:
dig fkooman.fedorapeople.org +dnssec

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6.3 <<>> fkooman.fedorapeople.org +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57589
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;fkooman.fedorapeople.org. IN A

;; ANSWER SECTION:
fkooman.fedorapeople.org. 56 IN A 152.19.134.191
fkooman.fedorapeople.org. 56 IN RRSIG A 5 2 60 20130418182632 20130319182632 378 fedorapeople.org.
7YhhtMeCLSq1wIYnWW3gQvL1hIKnYLO0ffIEQbhKPJ0dSadnipAxxSiJ
k8pY2VwvvvNZ+bJoX3PYJAG/jmA7uUnYuK/Zx0OUjkU+Fmc7dOSBlQJp
+ikA73Lcv2KjBF0Nbq4LFG11O8MDOdDi1zZ8XrYCdlQkS/PqKoZzcX9m b+A=

;; AUTHORITY SECTION:
*.fedorapeople.org. 56 IN NSEC fedorapeople.org. A AAAA RRSIG NSEC
*.fedorapeople.org. 56 IN RRSIG NSEC 5 2 86400 20130418182632 20130319182632 378 fedorapeople.org.
8DbC9OUD7p+274jhuNpJJA7SgTgCk3ArqaPE5dj/raZNvJcC5Wd1eoiH
72nxwdpyyfX3szQa1iq82/jmfMzohQ45MFK+nNusJMysjlkmGnkZQjKp
MqBAuQBQ2WosUOfwG290TTGiXRiapvYVw15odvsTL4wKHzEcYmRbtbnq WyU=

You can get a nice break down of the signing here:
http://dnsviz.net/d/fkooman.fedorapeople.org/dnssec/

My guess is that it has to do with the *.fedorapeople.org record, but I
am no expert, or perhaps DLV plays into it? There aren't a great deal of
sites that I know of to compare this to.

Can anyone else confirm or deny this issue with their unbound?

Thanks,
-Erinn
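What a validator has to check for this answer, as an added example that is not part of the thread and not unbound's or BIND's code: the RRSIG on the A record carries a labels field of 2 (the "2" in "RRSIG A 5 2 60 ..."), which is smaller than the three labels of fkooman.fedorapeople.org, so the record is a wildcard expansion of *.fedorapeople.org (RFC 4035 section 5.3.4). The validator then needs the NSEC from the authority section to prove that no exact name fkooman.fedorapeople.org exists; the NSEC "*.fedorapeople.org. NSEC fedorapeople.org." is the last record in the zone in canonical order (RFC 4034 section 6.1) and covers every name after *.fedorapeople.org. The record values below are transcribed from the dig output above; the case with the NSEC removed from the authority section is constructed to show that an answer delivered without the covering NSEC must be rejected, which is the situation that produces a "validation failure" line, whatever the forwarder's reason for dropping it (the thread does not say).

```python
"""DNSSEC wildcard-expansion proof check (RFC 4034 s6.1 canonical order,
RFC 4035 s5.3.4) run over the records from the dig output in this thread.

Added example; not unbound's or BIND's code.  Record values are transcribed
from the thread's dig output; the stripped-NSEC case is constructed."""

# Transcribed from the thread: the A answer for fkooman.fedorapeople.org is
# signed by an RRSIG whose labels field is 2 ("RRSIG A 5 2 60 ..."), and the
# authority section carries one NSEC.
QNAME = "fkooman.fedorapeople.org."
RRSIG_LABELS = 2
NSEC_FROM_DIG = [
    ("*.fedorapeople.org.", "fedorapeople.org.", {"A", "AAAA", "RRSIG", "NSEC"}),
]


def labels(name):
    """Labels of a dotted FQDN, root omitted, case-folded as RFC 4034 s6.1 requires."""
    name = name.rstrip(".").lower()
    return name.split(".") if name else []


def canonical_key(name):
    """Sort key for RFC 4034 s6.1 canonical ordering: names compare from the
    rightmost label leftwards, label by label as byte strings, and a name that
    is a prefix of another (a parent) sorts first.  Python compares lists of
    bytes exactly that way."""
    return [label.encode("ascii") for label in reversed(labels(name))]


def nsec_covers(owner, nxt, name):
    """True if the record 'owner NSEC nxt' proves that `name` does not exist.

    The last NSEC of a zone points back to the apex, so when nxt sorts before
    owner the record covers every in-zone name after owner (RFC 4035 s5.4)."""
    k_owner, k_next, k_name = (canonical_key(n) for n in (owner, nxt, name))
    if k_name == k_owner:
        return False  # the name exists; this NSEC only asserts its type bitmap
    if k_owner < k_next:
        return k_owner < k_name < k_next
    in_zone = k_name[: len(k_next)] == k_next  # nxt is the apex when wrapping
    return in_zone and k_name > k_owner


def wildcard_expansion(qname, rrsig_labels):
    """RFC 4035 s5.3.4: if the RRSIG labels field is smaller than the owner's
    label count, the RRset was synthesised from a wildcard.  Returns
    (closest_encloser, wildcard, next_closer_name), or None for an exact match."""
    ls = labels(qname)
    if rrsig_labels >= len(ls):
        return None
    encloser = ".".join(ls[len(ls) - rrsig_labels:] + [""]) or "."
    wildcard = "*." + encloser.lstrip(".")
    next_closer = ".".join(ls[len(ls) - rrsig_labels - 1:] + [""])
    return encloser, wildcard, next_closer


def validate_wildcard_answer(qname, rrsig_labels, nsecs):
    """Accept a positive wildcard answer only when some NSEC in the authority
    section proves the next closer name does not exist.
    nsecs: list of (owner, next, types).  Returns (ok, reason)."""
    exp = wildcard_expansion(qname, rrsig_labels)
    if exp is None:
        return True, "exact-match answer; no wildcard proof needed"
    _encloser, wildcard, next_closer = exp
    for owner, nxt, _types in nsecs:
        if nsec_covers(owner, nxt, next_closer):
            return True, (f"{owner} NSEC {nxt} proves {next_closer} does not "
                          f"exist; accept {wildcard} expansion")
    return False, f"no NSEC covers {next_closer}; wildcard proof missing, answer is bogus"


if __name__ == "__main__":
    # The answer as BIND returned it in the thread: NSEC present, validation succeeds.
    print(validate_wildcard_answer(QNAME, RRSIG_LABELS, NSEC_FROM_DIG))
    # Constructed failure case: same signed A record, but the authority section
    # arrived without the NSEC.  A validator must reject it.
    print(validate_wildcard_answer(QNAME, RRSIG_LABELS, []))
```

The signature itself is not checked here; the point is the ordering and coverage logic that decides whether the NSEC in the authority section is sufficient, which is the part of the proof that depends on the wildcard record Erinn asks about. Note that "*" (0x2A) sorts before any letter, so *.fedorapeople.org precedes fkooman.fedorapeople.org and the single NSEC at the end of the zone is enough to cover it.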

> There is a bugzilla open about a similar issue:
> https://bugzilla.redhat.com/show_bug.cgi?id=824219, but from my
> reading it looks like it went off in another direction.
>
> The issue I am running into comes in when resolving fedorapeople.org
> domains, which are DLV signed. Specifically fkooman.fedorapeople.org, but
> any other *.fedorapeople.org domains seem to fail too, and only with unbound
> in my testing thus far. Straight bind will return the result.

It works for me using unbound:

paul@bofh:~$ dig +dnssec fkooman.fedorapeople.org

; <<>> DiG 9.9.2-rl.028.23-P1-RedHat-9.9.2-8.P1.fc18 <<>> +dnssec fkooman.fedorapeople.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65193
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;fkooman.fedorapeople.org. IN A

;; ANSWER SECTION:
fkooman.fedorapeople.org. 60 IN A 152.19.134.191
fkooman.fedorapeople.org. 60 IN RRSIG A 5 2 60 20130418182632 20130319182632 378 fedorapeople.org.
7YhhtMeCLSq1wIYnWW3gQvL1hIKnYLO0ffIEQbhKPJ0dSadnipAxxSiJ
k8pY2VwvvvNZ+bJoX3PYJAG/jmA7uUnYuK/Zx0OUjkU+Fmc7dOSBlQJp
+ikA73Lcv2KjBF0Nbq4LFG11O8MDOdDi1zZ8XrYCdlQkS/PqKoZzcX9m b+A=

;; AUTHORITY SECTION:
*.fedorapeople.org. 86312 IN NSEC fedorapeople.org. A AAAA RRSIG NSEC
*.fedorapeople.org. 86312 IN RRSIG NSEC 5 2 86400 20130418182632 20130319182632 378 fedorapeople.org.
8DbC9OUD7p+274jhuNpJJA7SgTgCk3ArqaPE5dj/raZNvJcC5Wd1eoiH
72nxwdpyyfX3szQa1iq82/jmfMzohQ45MFK+nNusJMysjlkmGnkZQjKp
MqBAuQBQ2WosUOfwG290TTGiXRiapvYVw15odvsTL4wKHzEcYmRbtbnq WyU=

;; Query time: 127 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Mar 20 20:38:16 2013
;; MSG SIZE rcvd: 461

> My guess is that it has to do with the *.fedorapeople.org record, but I
> am no expert, or perhaps DLV plays into it? There aren't a great deal of
> sites that I know of to compare this to.
>
> Can anyone else confirm or deny this issue with their unbound?

The issue, as the bug described it, is that _if_ unbound is configured
to use a bind server as forwarder, that bind needs to have RT#21409
fixed for it to work properly.

Paul

Paul,
Thanks for taking a look; I appreciate your time. It looks like the
problem is a combination of unbound, dnssec-trigger, and bind.

My lack of understanding of dnssec-trigger also played a large part. So
it looks like dnssec-trigger sets . to forward to the upstream DNS
resolver if DHCP dns addresses are available for use.

So in my case it looks like my ISP is running bind and this in turn
creates the issue for me.

After running unbound-control forward_remove . I was able to resolve the
address as I should.

Thanks again for checking and for updating the bug,

-Erinn

Hi Erinn,

> There is a bugzilla open about a similar issue:
> https://bugzilla.redhat.com/show_bug.cgi?id=824219, but from
> my reading it looks like it went off in another direction.
>
> The issue I am running into comes in when resolving
> fedorapeople.org domains, which are DLV signed. Specifically
> fkooman.fedorapeople.org, but any other *.fedorapeople.org domains
> seem to fail too, and only with unbound in my testing thus far.
> Straight bind will return the result.
>
> When attempting to resolve I get this in the logs:
>
> unbound: [1005:1] info: validation failure
> fkooman.fedorapeople.org. A IN

Can you tell me why it failed? Set val-log-level: 2
or run unbound-host to do the lookup.

When I perform this lookup, it works fine, and uses the isc.org DLV.
This is with latest unbound version.

Best regards,
   Wouter

Hi,