Unbound 1.6.4/1.6.5: Unexpected AD=0 for signed NODATA at zone apex?

I had unbound 1.6.4 listening on the loopback interface with
validation enabled. Unexpectedly, for a DNSSEC signed zone
with no MX records, the NODATA response from unbound has AD=0:

$ dig +nosplit +dnssec +ad -t mx pat.dedyn.io @127.0.0.1

; <<>> DiG 9.11.1-P3 <<>> +nosplit +dnssec +ad -t mx pat.dedyn.io @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46584
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 8192
;; QUESTION SECTION:
;pat.dedyn.io. IN MX

;; AUTHORITY SECTION:
pat.dedyn.io. 60 IN SOA ns1.desec.io. hostmaster.desec.io. 2017084887 10800 3600 604800 60
pat.dedyn.io. 60 IN RRSIG SOA 8 3 60 20170907000000 20170817000000 16713 pat.dedyn.io. ICHfyC1jcmI7hk/qcvs1mHU+DXgiAHp56tHZ0DrBIlg8Qrzj9MI8stHcWT6J7mf4e+3PMN+p34RvFokGAMqeHQ2qN4QSe1yX+Evj5RCI6Gx125ae/S0xCSnUuz4tfcmuorn+Ljk//2a8j2q+w6awrCqdoAMaVAdIMmHmmuHKhpQ=
3645142tqk02bkonalf8lhipr7bs92k2.pat.dedyn.io. 60 IN NSEC3 1 0 300 D7E2042737B912B9 4O4UISQPPPTC260I5BQ6R816IC02HFI5 A NS SOA RRSIG DNSKEY NSEC3PARAM
3645142tqk02bkonalf8lhipr7bs92k2.pat.dedyn.io. 60 IN RRSIG NSEC3 8 4 60 20170907000000 20170817000000 16713 pat.dedyn.io. ZkcJecwn698jOHCFN+Fn6Z3qGTZuIzVo0W25cLG6NB0DCnMdVhmD2FpWvaIT8OVWIyMSxdbC99T4pvSkdZakZWRfeJNeomwrWvbYGkGNgo/3uoQRfvm5WgTHjmoYP9QopEKpra5L2Dm8l4fQagp+BBos48QNlKeABqTkiufLEts=

;; Query time: 46 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Aug 24 10:26:18 EDT 2017
;; MSG SIZE rcvd: 530

Both DNSViz and Google's public resolvers report the NODATA as secure (AD=1):

    http://dnsviz.net/d/pat.dedyn.io/dnssec/?rr=15&a=all&ds=all&doe=on&ta=.&tk=

$ dig +nosplit +dnssec +ad -t mx pat.dedyn.io @8.8.4.4

; <<>> DiG 9.11.1-P3 <<>> +nosplit +dnssec +ad -t mx pat.dedyn.io @8.8.4.4
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5148
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;pat.dedyn.io. IN MX

;; AUTHORITY SECTION:
pat.dedyn.io. 59 IN SOA ns1.desec.io. hostmaster.desec.io. 2017084887 10800 3600 604800 60
pat.dedyn.io. 59 IN RRSIG SOA 8 3 60 20170907000000 20170817000000 16713 pat.dedyn.io. ICHfyC1jcmI7hk/qcvs1mHU+DXgiAHp56tHZ0DrBIlg8Qrzj9MI8stHcWT6J7mf4e+3PMN+p34RvFokGAMqeHQ2qN4QSe1yX+Evj5RCI6Gx125ae/S0xCSnUuz4tfcmuorn+Ljk//2a8j2q+w6awrCqdoAMaVAdIMmHmmuHKhpQ=
3645142tqk02bkonalf8lhipr7bs92k2.pat.dedyn.io. 59 IN NSEC3 1 0 300 D7E2042737B912B9 4O4UISQPPPTC260I5BQ6R816IC02HFI5 A NS SOA RRSIG DNSKEY NSEC3PARAM
3645142tqk02bkonalf8lhipr7bs92k2.pat.dedyn.io. 59 IN RRSIG NSEC3 8 4 60 20170907000000 20170817000000 16713 pat.dedyn.io. ZkcJecwn698jOHCFN+Fn6Z3qGTZuIzVo0W25cLG6NB0DCnMdVhmD2FpWvaIT8OVWIyMSxdbC99T4pvSkdZakZWRfeJNeomwrWvbYGkGNgo/3uoQRfvm5WgTHjmoYP9QopEKpra5L2Dm8l4fQagp+BBos48QNlKeABqTkiufLEts=

;; Query time: 212 msec
;; SERVER: 8.8.4.4#53(8.8.4.4)
;; WHEN: Thu Aug 24 10:24:59 EDT 2017
;; MSG SIZE rcvd: 530

I just upgraded to 1.6.5 and retried, and get the same results.
I see one interesting thing about this domain:

  * The DS records are published with digests 1, 2, 3 and 4,
    which includes GOST (3). I build unbound without GOST
    support. (The GOST code in OpenSSL is not well maintained,
    and I prefer to avoid it.)

Does anyone know why unbound is returning "AD=0"? Is it a feature or
a bug? Somewhat verbose output from "unbound-host" below...

Hi Viktor,

This is what verbosity 4 tells me:
[1503588441] libunbound[20640:0] info: verify rrset pat.dedyn.io. SOA IN
[1503588441] libunbound[20640:0] debug: verify sig 16713 8
[1503588441] libunbound[20640:0] debug: verify result: sec_status_secure
[1503588441] libunbound[20640:0] info: verify rrset 3645142tqk02bkonalf8lhipr7bs92k2.pat.dedyn.io. NSEC3 IN
[1503588441] libunbound[20640:0] debug: verify sig 16713 8
[1503588441] libunbound[20640:0] debug: verify result: sec_status_secure
[1503588441] libunbound[20640:0] debug: Validating a nodata response
[1503588441] libunbound[20640:0] debug: nsec3: keysize 1024 bits, max iterations 150
[1503588441] libunbound[20640:0] debug: NODATA response is insecure
[1503588441] libunbound[20640:0] info: validate(nodata): sec_status_insecure

So I guess the max iterations of 300 is a bit too much.

Best regards, Wouter

Thanks, that's rather ironic. I should have noticed of course:

    https://github.com/danyork/draft-deploying-dnssec-crypto-algs/pull/5/files

which became:

    https://tools.ietf.org/html/draft-york-dnsop-deploying-dnssec-crypto-algs-05#section-2.3.1

Indeed in doing the background research for that text I'd already
surveyed ~4.6 million DNSSEC domains for iteration limit violations
and found dedyn.io to be a hotspot (from email I sent to Paul
Wouters on May 26th) of same. I just forgot that that's the case
in the interim:

    key bits al fl iter domain name
    -------- -- -- ---- -----------
        1024  1  0  300 2639.dedyn.io
        1024  1  0  300 alba.dedyn.io
        1024  1  0  300 alefhomeunix.dedyn.io
        1024  1  0  300 amadeus.dedyn.io
        1024  1  0  300 arccadon.dedyn.io
        1024  1  0  300 armarcom.dedyn.io
        1024  1  0  300 arni2802.dedyn.io
        1024  1  0  300 backup01fliedenorg.dedyn.io
        1024  1  0  300 bblid.dedyn.io
        1024  1  0  300 biewald.dedyn.io
        1024  1  0  300 blum.dedyn.io
        1024  1  0  300 bmac01.dedyn.io
        1024  1  0  300 boenkost.dedyn.io
        1024  1  0  300 caymans11.dedyn.io
        1024  1  0  300 cnode.dedyn.io
        1024  1  0  300 columbus2015.dedyn.io
        1024  1  0  300 daneel.dedyn.io
        1024  1  0  300 de-bavori-frs.dedyn.io
        1024  1  0  300 deboca.dedyn.io
        1024  1  0  300 dedom.dedyn.io
        1024  1  0  300 digo.dedyn.io
        1024  1  0  300 druckerei-huesgen.dedyn.io
        1024  1  0  300 ds212quadflieg.dedyn.io
        1024  1  0  300 ds61.dedyn.io
        1024  1  0  300 ebner-admin.dedyn.io
        1024  1  0  300 eldena.dedyn.io
        1024  1  0  300 eshiki.dedyn.io
        1024  1  0  300 et-monkey.dedyn.io
        1024  1  0  300 eyhoma.dedyn.io
        1024  1  0  300 faelix.dedyn.io
        1024  1  0  300 fam-paul.dedyn.io
        1024  1  0  300 felge20000.dedyn.io
        1024  1  0  300 fheidenr.dedyn.io
        1024  1  0  300 fishminer.dedyn.io
        1024  1  0  300 frickel.dedyn.io
        1024  1  0  300 friedrich-net.dedyn.io
        1024  1  0  300 frinkonizer.dedyn.io
        1024  1  0  300 germbedded.dedyn.io
        1024  1  0  300 herert.dedyn.io
        1024  1  0  300 holly64.dedyn.io
        1024  1  0  300 hsh.dedyn.io
        1024  1  0  300 iturde.dedyn.io
        1024  1  0  300 jh-nas-server.dedyn.io
        1024  1  0  300 jtech.dedyn.io
        1024  1  0  300 kbmarburg.dedyn.io
        1024  1  0  300 keller.dedyn.io
        1024  1  0  300 kiel.dedyn.io
        1024  1  0  300 kilian.dedyn.io
        1024  1  0  300 klausschwarz.dedyn.io
        1024  1  0  300 kls.dedyn.io
        1024  1  0  300 knauf.dedyn.io
        1024  1  0  300 kohlzwgn.dedyn.io
        1024  1  0  300 krazykatmove.dedyn.io
        1024  1  0  300 kriftel.dedyn.io
        1024  1  0  300 lecher.dedyn.io
        1024  1  0  300 logohome.dedyn.io
        1024  1  0  300 lts-gnoien.dedyn.io
        1024  1  0  300 maggy.dedyn.io
        1024  1  0  300 markus-row.dedyn.io
        1024  1  0  300 mdm-coe.dedyn.io
        1024  1  0  300 mhaelsig2fritz.dedyn.io
        1024  1  0  300 micarl.dedyn.io
        1024  1  0  300 michaelsauer.dedyn.io
        1024  1  0  300 midbo.dedyn.io
        1024  1  0  300 mirko-franke.dedyn.io
        1024  1  0  300 mogroscha.dedyn.io
        1024  1  0  300 mp-cloud.dedyn.io
        1024  1  0  300 msijong7490.dedyn.io
        1024  1  0  300 neumann15.dedyn.io
        1024  1  0  300 oevi.dedyn.io
        1024  1  0  300 openhab.dedyn.io
        1024  1  0  300 pat.dedyn.io
        1024  1  0  300 pedrobbg.dedyn.io
        1024  1  0  300 persche.dedyn.io
        1024  1  0  300 pitahaya.dedyn.io
        1024  1  0  300 pottklose.dedyn.io
        1024  1  0  300 ppv.dedyn.io
        1024  1  0  300 proger.dedyn.io
        1024  1  0  300 purpletree.dedyn.io
        1024  1  0  300 quakeman.dedyn.io
        1024  1  0  300 rk.dedyn.io
        1024  1  0  300 rlb.dedyn.io
        1024  1  0  300 roeddi.dedyn.io
        1024  1  0  300 rolf.dedyn.io
        1024  1  0  300 rugk.dedyn.io
        1024  1  0  300 sandix.dedyn.io
        1024  1  0  300 schorcht.dedyn.io
        1024  1  0  300 sinapiserver.dedyn.io
        1024  1  0  300 spkcelle.dedyn.io
        1024  1  0  300 sports.dedyn.io
        1024  1  0  300 stahlwolf.dedyn.io
        1024  1  0  300 thoreundannki.dedyn.io
        1024  1  0  300 ticktack22.dedyn.io
        1024  1  0  300 toby1310-gt.dedyn.io
        1024  1  0  300 tomcharli.dedyn.io
        1024  1  0  300 toppa.dedyn.io
        1024  1  0  300 trashbox.dedyn.io
        1024  1  0  300 trikolon-de204.dedyn.io
        1024  1  0  300 turbomicha.dedyn.io
        1024  1  0  300 tvjoe.dedyn.io
        1024  1  0  300 vagafotodesign.dedyn.io
        1024  1  0  300 vaultsys.dedyn.io
        1024  1  0  300 vitek.dedyn.io
        1024  1  0  300 walteradmin.dedyn.io
        1024  1  0  300 watefak.dedyn.io
        1024  1  0  300 weding.dedyn.io
        1024  1  0  300 werner.dedyn.io
        1024  1  0  300 x7000.dedyn.io
        1024  1  0  300 ylphotograpy.dedyn.io
        1024  1  0  300 za.dedyn.io
        1024  1  0  300 zwettler.dedyn.io
        1024  1  0  300 zysp.dedyn.io
        1024  1  0  300 dedyn.io
        1024  1  0  300 desec.io
        1024  1  0  330 vnode.net
        1024  1  0  500 alexcohn.com
        2048  1  0 2500 giesen.me
        2048  1  0 4096 somebain.com

Perhaps it is time to reach out to dedyn.io, anyone have any good
contacts there?
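The check behind Wouter's "nsec3: keysize 1024 bits, max iterations 150" log line, and the reason every row in the survey table above ends up insecure, as an added example that is not code from the thread or from the unbound project. RFC 5155 section 10.3 lets a validator treat NSEC3 records whose iteration count exceeds the limit for the zone's largest signing key as insecure rather than bogus, so a correctly signed NODATA proof is downgraded to AD=0 instead of SERVFAIL. The code reimplements that rule using unbound's documented default for val-nsec3-keysize-iterations ("1024 150 2048 500 4096 2500") and runs it over a constructed subset of the survey rows; the SurveyRow layout, the audit() helper and the compliant example.test row are my own assumptions, not from the thread.

```python
"""Added example, not from the thread: RFC 5155 section 10.3 NSEC3 iteration
limits as unbound configures them, applied to a zone's NSEC3 parameters."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# RFC 5155 section 10.3 limits (1024 -> 150, 2048 -> 500, 4096 -> 2500). This
# string is unbound's documented default for val-nsec3-keysize-iterations.
DEFAULT_KEYSIZE_ITERATIONS = "1024 150 2048 500 4096 2500"


def parse_keysize_iterations(conf: str) -> List[Tuple[int, int]]:
    """Turn "keysize iters keysize iters ..." into ascending (keysize, iters) pairs."""
    fields = [int(f) for f in conf.split()]
    if not fields or len(fields) % 2:
        raise ValueError("expected a non-empty, even number of fields")
    pairs = list(zip(fields[0::2], fields[1::2]))
    if [k for k, _ in pairs] != sorted(k for k, _ in pairs):
        raise ValueError("keysizes must be listed in ascending order")
    return pairs


def max_iterations(key_bits: int,
                   pairs: Optional[List[Tuple[int, int]]] = None) -> int:
    """Limit for a signing key of key_bits: the entry for the smallest configured
    keysize >= key_bits; keys larger than every entry get the last entry's limit."""
    if pairs is None:
        pairs = parse_keysize_iterations(DEFAULT_KEYSIZE_ITERATIONS)
    for keysize, iters in pairs:
        if key_bits <= keysize:
            return iters
    return pairs[-1][1]


def nodata_status(key_bits: int, iterations: int,
                  pairs: Optional[List[Tuple[int, int]]] = None) -> str:
    """Validator outcome for a correctly signed NSEC3 proof: too many iterations
    downgrades the answer to insecure (AD=0) rather than bogus (SERVFAIL)."""
    return "insecure" if iterations > max_iterations(key_bits, pairs) else "secure"


@dataclass(frozen=True)
class SurveyRow:
    key_bits: int    # largest DNSKEY size signing the zone
    hash_alg: int    # NSEC3 hash algorithm; 1 = SHA-1, the only one defined
    flags: int       # NSEC3PARAM flags; bit 0 is Opt-Out
    iterations: int  # extra hash iterations from NSEC3PARAM
    name: str


# Constructed sample in the thread's "key bits al fl iter domain name" layout.
# The first five rows copy survey entries quoted in the thread; example.test is
# a made-up compliant row so the secure path is exercised as well.
SAMPLE_ROWS = """\
1024 1 0 300 pat.dedyn.io
1024 1 0 330 vnode.net
1024 1 0 500 alexcohn.com
2048 1 0 2500 giesen.me
2048 1 0 4096 somebain.com
1024 1 0 10 example.test
""".splitlines()


def parse_rows(lines: List[str]) -> List[SurveyRow]:
    """Parse whitespace-separated survey rows into SurveyRow records."""
    rows = []
    for line in lines:
        bits, alg, fl, it, name = line.split()
        rows.append(SurveyRow(int(bits), int(alg), int(fl), int(it), name))
    return rows


def audit(lines: List[str],
          conf: str = DEFAULT_KEYSIZE_ITERATIONS) -> Dict[str, Tuple[int, str]]:
    """Map each zone name to (iteration limit for its key size, validator status)."""
    pairs = parse_keysize_iterations(conf)
    return {
        row.name: (max_iterations(row.key_bits, pairs),
                   nodata_status(row.key_bits, row.iterations, pairs))
        for row in parse_rows(lines)
    }


if __name__ == "__main__":
    for name, (limit, status) in audit(SAMPLE_ROWS).items():
        print(f"{name:16} limit={limit:5} -> {status}")
```

With the default table, pat.dedyn.io's 1024-bit key caps acceptable iterations at 150, so its 300-iteration NSEC3PARAM is downgraded exactly as the verbosity-4 log shows; the two 2048-bit zones in the survey are capped at 500 and fail the same way. Raising the configured limits would restore AD=1 for these zones at the cost of letting any zone make the resolver do more hashing per negative answer, which is the trade-off the RFC limits exist to bound.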