Hello,
If this is a double post, I'm sorry. I just have no way of checking if
this request arrived at the list (I didn't get a copy, that much I
know). Maybe if someone could at least confirm that it arrived?
Here the original text:
Lately I started implementing dnssec, which starts to work now.
However, it seems the overriding and the securing sometimes bite...
I have a zone mydom.de, resolved by nsd3 (with dnssec), on localhost
port 58. Unbound is configured to use that:
server:
private-domain: mydom.de
trust-anchor-file: /etc/unbound/mydom.de.anchor
stub-zone:
name: mydom.de
stub-addr: 127.0.0.1@58
That works as expected:
# dig +nocomments +nostats +nocmd dnstest.mydom.de @localhost +dnssec
;dnstest.mydom.de. IN A
dnstest.mydom.de. 259200 IN A 10.10.99.99
dnstest.mydom.de. 259200 IN RRSIG A 8 3 259200
20150814014637 20150807095151 30514 mydom.de.
QwIlVNcRCVmdoNagH1/oY3DWVIJ+IMYILIz+ceEf93LPd4Ba81Gq73b4
31X6A33ZGxJLPIpIwP/W/AiRFmxgDrVgBeOAqHk70/7MrtttS71XFPmJ
eJcd/v4XWUCLAJJ3QckFQpXoKror4updVO04pY9py1f5iI6GhRry0ANO 9Z4=
...
But I also need to have one host of that domain resolved by an external
nameserver (not under my control). So I used:
forward-zone:
name: 'www.mydom.de'
forward-addr: 9.9.90.9
Which worked nicely, before I used dnssec.
But now:
# dig +nocomments +nostats +nocmd www.mydom.de @localhost +dnssec
;www.mydom.de. IN A
I get resolution if I use cdflag:
# dig +nocomments +nostats +nocmd www.mydom.de @localhost +dnssec
+cdflag
;www.mydom.de. IN A
www.mydom.de. 83904 IN A 9.9.90.9
If I use some other host (windows here) or a simple lookup without
dnssec, I get a SRVFAIL resp. NXDOMAIN:
C:\>nslookup www.mydom.de 10.10.10.6
Server: illgner.mydom.de
Address: 10.10.10.6
*** illgner.mydom.de can't find www.mydom.de: Server failed
# nslookup www.mydom.de localhost ;; Got
SERVFAIL reply from 127.0.0.1, trying next server
Server: localhost
Address: 127.0.0.1#53
** server can't find www.mydom.de: NXDOMAIN
Now I do get that unbound is unable to deliver a correctly signed record
for www.mydom.de, but what I don't understand is, why doesn't unbound
deliver an unsigned / unsecured record from a forward-zone on an
ordinary request?
It does work like that if I use local-data instead of forward-zone:
local-data: 'www.mydom.de IN A 9.9.90.9'
# dig +nocomments +nostats +nocmd www.mydom.de @localhost +dnssec
;www.mydom.de. IN A
www.mydom.de. 3600 IN A 9.9.90.9
(same for nslookup like above.)
So in general, unbound is able to deliver insecure records of secure
zones using local-data, but not with forward-zones.
I also tried to do something like
domain-insecure: www.mydom.de
, but that was flagged as a syntax error in the configuration file.
Is it possible to get insecure records from forward-zones delivered,
just like with local-data?
Thanks for any insights in advance, jo
PS: Some maybe helpful unbound-host output:
Using forward-zone:
# unbound-host -C /etc/unbound/unbound.conf www.mydom.de. -v
www.mydom.de. has address 9.9.90.9 (BOGUS (security failure))
validation failure <www.mydom.de. A IN>: covering NSEC3 was not opt-out
in an opt-out DS NOERROR/NODATA case from 127.0.0.1 for DS www.mydom.de.
while building chain of trust
...
With local-data entry:
# unbound-host -C /etc/unbound/unbound.conf www.mydom.de. -v
www.dexia.de. has address 9.9.90.9 (insecure)
www.dexia.de. has no IPv6 address (insecure)
www.dexia.de. has no mail handler record (insecure)