Strange validation results when using .de testbed

Hi Wouter.

After adding trust-anchors and stub-zone configuration for the .de
DNSSEC testbed, I get strange validation results, where Unbound reports
secured subdomains as insecure.

The parent domain is validated by DLV and reported secure. Disabling the
.de stub zone configuration fixes it.

I use DENIC's configuration example:
http://www.denic.de/fileadmin/Domains/DNSSEC/dnssec-testbed-muster-unbound.txt

Queries and AD flags:

home.dyndns.hauke-lampe.de. A -> insecure
dyndns.hauke-lampe.de. SOA -> insecure
hauke-lampe.de. SOA -> secure
dyndns.hauke-lampe.de. DS -> answer contains NSEC3 records from .de TLD

Full unbound-host debug log is here:
https://www.hauke-lampe.de/temp/unbound-host.log

I get the same results from DNS-OARC's resolvers
(https://www.dns-oarc.net/oarc/services/odvr):

dig +dnssec dyndns.hauke-lampe.de. ds @149.20.64.21 # Unbound

;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 1
[...]
;; AUTHORITY SECTION:
3K7UC41UOSLRR6B2FL0H3BG1S2QODATF.de. 5819 IN NSEC3 1 1 31 DE15C001 3K846UFP2SLUUNEP0UF07IVM5BPUMPL4 NS SOA NAPTR RRSIG DNSKEY NSEC3PARAM
3K7UC41UOSLRR6B2FL0H3BG1S2QODATF.de. 5819 IN RRSIG NSEC3 8 2 7200 20101017120000 20101010120000 56760 de. eEDMwH1c4elJ4csdfOZ4GhAO8bkkYSp6EtMUDIflOjgJokILvywCzElD CoiTi2UG+oEalXQCEQHy/qQFkEagf9rPzxdRIOCmhTcW+1x0pyzZ9Zzx lZ+n+YqPmS4+4F/VtI0wWAjW5R1edzyG7+2voFH6pG8zL970/cQHWBUG dyY=
RHEOUB268TFR7QCO26MH2R1F320RNS8I.de. 7096 IN NSEC3 1 1 31 DE15C001 RHES27TM53S8ER72SCDPTNNP0GCMOBO6 A RRSIG
RHEOUB268TFR7QCO26MH2R1F320RNS8I.de. 7096 IN RRSIG NSEC3 8 2 7200 20101017120000 20101010120000 56760 de. RlTGZTuUujNcTv84YJ4o/QRx7+YpS8WdtehL7GUhItgKHidZSYIppUig 9TzWORfzw4BI5/MM5ZtiCCk/VL7P7K9mNiYiHfOxWvqVdBKNyI54BYFn s7PFbzR4ccdQAsj477arR6CtKmT7+jVEZy7xlIjFi6td1AugQY+jvJsl jH0=
de. 5819 IN SOA f.nic.de. its.denic.de. 2010101061 7200 7200 3600000 7200
de. 5819 IN RRSIG SOA 8 1 86400 20101017120000 20101010120000 56760 de. la/O+y6AySh+rWNidx8ORLLylODcSp4gPMhcAp9sdHeWFNuK2XNDV8qH VYKbUPxbQqFH68xcgGqCktyCKB2cxpe6kd1gUY7AySjAa9FTeejP9atO AJ+Y39KaVxOsjPJ2P9LY9qHKeudWHRMRzi3hZWs++APUSpypy5gn3rM+ 6qo=

dig +dnssec dyndns.hauke-lampe.de. ds @149.20.64.20 # BIND

;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

[...]

;; ANSWER SECTION:
dyndns.hauke-lampe.de. 229612 IN DS 38679 10 1 363FC90815032BB941808CD73C1D21AB3F3D6D3E
dyndns.hauke-lampe.de. 229612 IN DS 38679 10 2 B06ABE78F499F24CE9AC64BEFE6D9A3F2B101168867DF8B849F0800F 59F2CDF4
dyndns.hauke-lampe.de. 229612 IN RRSIG DS 5 3 230042 20101021092305 20101007092305 20073 hauke-lampe.de. AQGIjBFH3xaXkUTGYo9yUHbva8GGWhasyQOv50CVNuzFJUOQrL05vtyH C2W7e7eSUFkvOm7dqaIkkBsV/+WFJAUXPcNqT9mJGpTiXuSLXRJmv8k2 h4dnv4FT82YMP+kvNoF0QRRb7xp5trHsUvPX0uhzfbL8sCJwz31csDfq RT2E
dyndns.hauke-lampe.de. 229612 IN RRSIG DS 5 3 230042 20101021092305 20101007092305 26427 hauke-lampe.de. ARqKo559ueoZT80eRvjauYL95mGjsc+WsJL/MLZxuHDG3jPFEjYrctac fhcKu/xVKhzT3mnxFgtBoHwcw45NIyXjfVn54FQk2mdFcJ/VW/n+xbVB Uyb+X078GeirOPDq1QFeFezADaBlgJDeg7v+wmyg0Vrmt6uFJ8kcpGxG 8TLB

Hauke.

Works fine for my unbound (1.4.5rc1) with testbed config:

$ dig +dnssec dyndns.hauke-lampe.de. ds @nssec.xelerance.com

; <<>> DiG 9.6.2-P2-RedHat-9.6.2-5.P2.fc12 <<>> +dnssec dyndns.hauke-lampe.de. ds @nssec.xelerance.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16054
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;dyndns.hauke-lampe.de. IN DS

;; ANSWER SECTION:
dyndns.hauke-lampe.de. 230042 IN DS 38679 10 1 363FC90815032BB941808CD73C1D21AB3F3D6D3E
dyndns.hauke-lampe.de. 230042 IN DS 38679 10 2 B06ABE78F499F24CE9AC64BEFE6D9A3F2B101168867DF8B849F0800F 59F2CDF4
dyndns.hauke-lampe.de. 230042 IN RRSIG DS 5 3 230042 20101024234142 20101010234142 20073 hauke-lampe.de. ASD3K4SXxdKx8sWO+XkZWR/aJR+HVVq1KBBwymSaKKSi3C84/5z3Ujlf jMLKvlYfpTQPkmNwPhvxi40FNbFVN1ziCYXQ4+jbXsA+OkX9k+a1fcVR BL6G76DVQfnKLNOBeW74TyIT3xUdQuLnSRclQ04XNM+MMI93Y6OnoA/w gyBK
dyndns.hauke-lampe.de. 230042 IN RRSIG DS 5 3 230042 20101024234142 20101010234142 26427 hauke-lampe.de. ANwGhpCDlZ+wozXmf/hBD7Bj44U/YXB+v2CZ9ytkV3IbVNmIN5qahKJZ YyyN2be+OHkYPnjH1iBx/cTVlRsOvos4mjdfAOaSFNsK618F9H5gKjWg rxr65fKGlFmeA1Jc+KcybZWnlke4uMyn/I5nAe3KyfQ4K0LIqABWNb3Q E5Uw

;; Query time: 189 msec
;; SERVER: 193.110.157.136#53(193.110.157.136)
;; WHEN: Mon Oct 11 01:24:34 2010
;; MSG SIZE rcvd: 484

Paul

> Works fine for my unbound (1.4.5rc1) with testbed config:
>
> $ dig +dnssec dyndns.hauke-lampe.de. ds @nssec.xelerance.com

That is odd. Right now, it works on my resolver and DNS-OARC's, too.

I still can reproduce it with unbound-host, though:

# unbound-host -C unbound-testbed.conf -t a -v home.dyndns.hauke-lampe.de
home.dyndns.hauke-lampe.de has address 213.39.216.235 (insecure)
# unbound-host -C unbound-notestbed.conf -t a -v home.dyndns.hauke-lampe.de
home.dyndns.hauke-lampe.de has address 213.39.216.235 (secure)

Here's my sample config:
https://www.hauke-lampe.de/temp/unbound-host-config.tgz

In the testbed case, unbound does not even query for the subdomain DS:

info: next keyname <dyndns.hauke-lampe.de. DNSKEY IN>
info: DS RRset <hauke-lampe.de. DS IN>

Shouldn't that say dyndns.hauke-lampe.de above?

debug: Process cached DS response
debug: nsec3: keysize 1032 bits, max iterations 500
info: ce candidate <de. TYPE0 CLASS0>
info: NSEC3s for the referral proved no DS.
debug: val handle processing q with state VAL_VALIDATE_STATE
info: Verified that response is INSECURE

Unbound seems to use the NSEC3s from .de to decide that there's no DS
for dyndns.hauke-lampe.de. If I just remove the DNSKEY for .de, Unbound
tries to validate them and then goes ahead and fetches the DS record:

info: next keyname <dyndns.hauke-lampe.de. DNSKEY IN>
info: DS RRset <hauke-lampe.de. DS IN>
debug: Process cached DS response
info: verify rrset <3K7UC41UOSLRR6B2FL0H3BG1S2QODATF.de. NSEC3 IN>
debug: verify sig 56760 8
debug: verify: could not find appropriate key
debug: rrset failed to verify: no valid signatures for 1 algorithms
debug: verify result: sec_status_bogus
debug: NSEC3 did not verify
info: NSEC3s for the referral did not prove no DS.
debug: blacklist add: cache
debug: val handle processing q with state VAL_FINDKEY_STATE
info: validator: FindKey <home.dyndns.hauke-lampe.de. A IN>
info: current keyname <hauke-lampe.de. DNSKEY IN>
info: target keyname <dyndns.hauke-lampe.de. DNSKEY IN>
debug: striplab 0
info: next keyname <dyndns.hauke-lampe.de. DNSKEY IN>
info: DS RRset <hauke-lampe.de. DS IN>
info: generate request <dyndns.hauke-lampe.de. DS IN>

Hauke.
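The opt-out NSEC3 records in the referral quoted earlier in this thread can be checked by hand. The following is an added example (not from the thread and not Unbound code): it hashes a name with the .de NSEC3 parameters shown in the dig output (SHA-1, 31 iterations, salt DE15C001) and reports which of the two NSEC3 records matches or covers that name, so one can see which delegation name the referral's "no DS" proof is actually about. Everything it needs is embedded; the owner and next-hash values are copied from the dig output above.

```python
import base64
import hashlib

# Parameters copied from the NSEC3 records in the thread: SHA-1 (alg 1),
# opt-out flag set, 31 iterations, salt DE15C001.
SALT = bytes.fromhex("DE15C001")
ITERATIONS = 31
NSEC3_RECORDS = [  # (owner hash, next hash) of the two records in the referral
    ("3K7UC41UOSLRR6B2FL0H3BG1S2QODATF", "3K846UFP2SLUUNEP0UF07IVM5BPUMPL4"),
    ("RHEOUB268TFR7QCO26MH2R1F320RNS8I", "RHES27TM53S8ER72SCDPTNNP0GCMOBO6"),
]
# Standard base32 alphabet -> base32hex alphabet used for NSEC3 owner names.
B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                       "0123456789ABCDEFGHIJKLMNOPQRSTUV")

def wire_name(name):
    """Canonical (lowercase) wire-format owner name, RFC 4034 section 6.2."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def nsec3_hash(name, salt=SALT, iterations=ITERATIONS):
    """RFC 5155 section 5: H(x||salt), re-hashed `iterations` times, base32hex."""
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(B32HEX)

def nsec3_relation(owner, nxt, hashed):
    """'match' if the record is for this hash, 'cover' if the hash falls in the
    gap (owner, next); the last record of the chain wraps around to the first."""
    owner, nxt, hashed = (s.upper() for s in (owner, nxt, hashed))
    if hashed == owner:
        return "match"
    if owner < nxt:
        covered = owner < hashed < nxt
    else:
        covered = hashed > owner or hashed < nxt
    return "cover" if covered else None

def check_referral_proof(name, records=NSEC3_RECORDS):
    """Hash `name` and report what each NSEC3 in the referral says about it.
    An opt-out NSEC3 that covers a delegation name only proves that the parent
    publishes no DS for it; it says nothing about a trust anchor below it."""
    h = nsec3_hash(name)
    return h, {owner: nsec3_relation(owner, nxt, h) for owner, nxt in records}

if __name__ == "__main__":
    for name in ("de.", "hauke-lampe.de.", "dyndns.hauke-lampe.de."):
        print(name, check_referral_proof(name))
```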

Hi Hauke,

This is a bug in unbound. Fixed in svn trunk r2275.

It is caused not by the testbed setup for .de, but by a parent zone that
uses NSEC3-optout, then a DLV entry below it, which itself has a secure
delegation hosted on the same server. And an oversight in the unbound
code, where the case of an island below optout nsec3 picked the nsec3
'insecure' instead of the lower island trust chain.

Best regards,
   Wouter
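An illustrative model of the anchor-selection mistake described in this reply, added here as an example; it is not Unbound's code, and it reduces zone-cut discovery to the facts visible in the thread (the .de opt-out NSEC3 proving "no DS" for hauke-lampe.de, the DS that hauke-lampe.de publishes for dyndns.hauke-lampe.de, and trust anchors for .de from the testbed and for hauke-lampe.de via DLV). It shows why a validator must start the chain at the closest enclosing anchor rather than the topmost one.

```python
# Added model of trust-chain selection for a DLV island below an NSEC3 opt-out
# parent (not Unbound's code). Zone cuts are simplified to two facts: the parent
# published a DS for the name, or proved "no DS" for it with opt-out NSEC3.

def parents_between(anchor, qname):
    """Names strictly below `anchor`, in order, down to and including `qname`."""
    labels = qname[:-1].split(".")
    depth = len(anchor[:-1].split("."))
    return [".".join(labels[-n:]) + "." for n in range(depth + 1, len(labels) + 1)]

def covering_anchors(qname, anchors):
    """Trust anchors at or above qname, shortest (highest) first."""
    return sorted((a for a in anchors if qname == a or qname.endswith("." + a)),
                  key=len)

def walk_down(anchor, qname, ds_present, optout_no_ds):
    """Follow delegations from a trusted key at `anchor` down to `qname`."""
    for name in parents_between(anchor, qname):
        if name in optout_no_ds:
            return "insecure"  # parent proved no DS: the chain ends here
        if name in ds_present:
            continue           # DS exists: child's DNSKEY can be verified
    return "secure"

def status_deepest_anchor(qname, anchors, ds_present, optout_no_ds):
    """Correct behaviour: the closest enclosing anchor (the DLV island) wins,
    so the parent's opt-out proof for the island's apex is never consulted."""
    covering = covering_anchors(qname, anchors)
    return walk_down(covering[-1], qname, ds_present, optout_no_ds) if covering else "insecure"

def status_highest_anchor(qname, anchors, ds_present, optout_no_ds):
    """Failure mode from the thread: starting at the topmost anchor (.de), the
    opt-out "no DS" for hauke-lampe.de ends the walk before the island is used."""
    covering = covering_anchors(qname, anchors)
    return walk_down(covering[0], qname, ds_present, optout_no_ds) if covering else "insecure"

# Facts taken from the thread. "de." is the testbed trust anchor and
# "hauke-lampe.de." the DLV-anchored island.
ANCHORS = {"de.", "hauke-lampe.de."}
DS_PRESENT = {"dyndns.hauke-lampe.de."}
OPTOUT_NO_DS = {"hauke-lampe.de."}
QNAME = "home.dyndns.hauke-lampe.de."

if __name__ == "__main__":
    args = (QNAME, ANCHORS, DS_PRESENT, OPTOUT_NO_DS)
    print("closest anchor first:", status_deepest_anchor(*args))
    print("topmost anchor first:", status_highest_anchor(*args))
    # Hauke's workaround: drop the .de anchor and the topmost anchor is the island.
    print("without .de anchor:  ", status_highest_anchor(QNAME, {"hauke-lampe.de."}, DS_PRESENT, OPTOUT_NO_DS))
```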

Thank you for the quick response, Wouter.
I installed the new version and it works now.

Hauke.