Unbound does not honor forwarder DNSSEC verification?

Hi, I have been looking online for some time trying to fix this problem; hopefully
this is the right last-resort place.

Is there a way to make unbound honor my forwarder's dnssec validation?

For example, I use unbound as a caching forwarder and have "." set as a
forwarding zone that forwards everything to Google's public DNS
(8.8.8.8).

However, when I test dnssec, I get a valid reply from servers such
as www.dnssec-failed.org. This doesn't happen if I use Google's DNS as
my normal resolver, in which case I get a SERVFAIL response.

Is this possible? I have trouble understanding why unbound would give a
valid reply, whereas the forwarder server, when queried directly, returns a SERVFAIL
empty answer.

Thanks

That works for me:

paul@bofh:~$ sudo service unbound restart
Redirecting to /bin/systemctl restart unbound.service
paul@bofh:~$ sudo unbound-control list_forwards
paul@bofh:~$ sudo unbound-control forward_add . 8.8.8.8
ok
paul@bofh:~$ cat /etc/resolv.conf
# Generated by NetworkManager
search nohats.ca
nameserver 127.0.0.1
paul@bofh:~$ dig +dnssec www.dnssec-failed.org

; <<>> DiG 9.10.3-P3-RedHat-9.10.3-10.P3.fc23 <<>> +dnssec www.dnssec-failed.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 14945
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.dnssec-failed.org. IN A

;; Query time: 490 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Mar 01 00:43:08 EST 2016
;; MSG SIZE rcvd: 50

paul@bofh:~$

Hi,

Please show us "how to repeat", such as your unbound configuration
or the procedure to see the problem...

A possible bug (feature?) concerning the issue is [1].

In Unbound-1.5.4 and older, "unbound-control forward_add . 8.8.8.8"
adds the forwarder with "forward-first: yes".
It makes Unbound retry recursion by itself if 8.8.8.8 returns SERVFAIL.

[1] https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=681

The issue may not be related to bug #681.

Unbound always forwards queries with CD=1 to the forwarder,
so Unbound doesn't honor the forwarder's DNSSEC verification (I forgot that!)

So if you disabled DNSSEC validation you will get an "insecure" answer.
If you want SERVFAIL for www.dnssec-failed.org you have to enable
DNSSEC validation.
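What "forwards the query with CD=1" means on the wire, as an added example that is not code from this thread or from the Unbound project: the script below builds DNS messages by hand with only the standard library and models how a validating resolver (such as a public forwarder) treats the CD bit per RFC 4035 section 3.2.2. With CD clear, a bogus answer is replaced by SERVFAIL; with CD set, the data is returned unvalidated with AD clear, which is what a forwarding Unbound without its own validator hands to the client. The 192.0.2.1 address and the `bogus` flag are constructed inputs, not captures from 8.8.8.8 or www.dnssec-failed.org.

```python
"""Model of the CD bit's effect on a validating forwarder (added example, offline)."""
import struct

# Header flag bits: RFC 1035 section 4.1.1; AD and CD from RFC 4035 section 3.1.6.
FLAG_QR = 0x8000
FLAG_RD = 0x0100
FLAG_RA = 0x0080
FLAG_AD = 0x0020
FLAG_CD = 0x0010
RCODE_MASK = 0x000F
RCODE_NOERROR = 0
RCODE_SERVFAIL = 2
HEADER_LEN = 12


def encode_name(name):
    """Encode a dotted name as DNS labels ("www.example." -> 3www7example0)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, txid=0x3A61, cd=False, qtype=1):
    """A recursive query for name/IN/qtype, with the CD bit set when cd=True."""
    flags = FLAG_RD | (FLAG_CD if cd else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_flags(msg):
    """Decode the header flags a client or forwarder cares about."""
    txid, flags = struct.unpack("!HH", msg[:4])
    return {
        "id": txid,
        "qr": bool(flags & FLAG_QR),
        "rd": bool(flags & FLAG_RD),
        "ra": bool(flags & FLAG_RA),
        "ad": bool(flags & FLAG_AD),
        "cd": bool(flags & FLAG_CD),
        "rcode": flags & RCODE_MASK,
    }


def question_end(msg):
    """Offset just past the first question entry (name + type + class)."""
    i = HEADER_LEN
    while msg[i] != 0:
        i += 1 + msg[i]
    return i + 1 + 4


def build_response(query, rcode, answer_ip=None, ad=False):
    """Answerless response with rcode, or one A record when answer_ip is given."""
    txid, qflags = struct.unpack("!HH", query[:4])
    flags = FLAG_QR | FLAG_RA | (qflags & (FLAG_RD | FLAG_CD)) | rcode
    if ad:
        flags |= FLAG_AD
    question = query[HEADER_LEN:question_end(query)]
    rrs = b""
    if answer_ip is not None:
        # 0xC00C is a compression pointer back to the question name; then A/IN, TTL 60, 4 bytes rdata.
        rdata = bytes(int(o) for o in answer_ip.split("."))
        rrs = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + rdata
    header = struct.pack("!HHHHHH", txid, flags, 1, 1 if rrs else 0, 0, 0)
    return header + question + rrs


def validating_forwarder(query, answer_ip, bogus):
    """Model (assumed, per RFC 4035 section 3.2.2) of a validating resolver's policy:
    CD clear and bogus data -> SERVFAIL; CD set -> the data is returned, AD clear.
    A forwarding Unbound that sets CD=1 only ever sees the second path, so the
    upstream validation failure is invisible unless Unbound's own validator runs."""
    if bogus and not parse_flags(query)["cd"]:
        return build_response(query, RCODE_SERVFAIL)
    return build_response(query, RCODE_NOERROR, answer_ip=answer_ip, ad=not bogus)


def rcode_seen(name, cd, bogus):
    """Rcode the querier ends up with for a given (cd, bogus) combination."""
    reply = validating_forwarder(build_query(name, cd=cd), "192.0.2.1", bogus)
    return parse_flags(reply)["rcode"]


if __name__ == "__main__":
    for cd in (False, True):
        rc = rcode_seen("www.dnssec-failed.org", cd=cd, bogus=True)
        print("CD=%d, bogus data -> rcode %d (%s)" % (cd, rc, "SERVFAIL" if rc == 2 else "NOERROR"))
```

Run it with a packet capture of Unbound's upstream traffic in hand: `parse_flags()` on the captured query bytes will show `cd: True` on what Unbound sends to 8.8.8.8, which is exactly why `dig @8.8.8.8` (CD clear) gets SERVFAIL while the same name through the forwarder does not.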

I will try to patch unbound and see if setting the CD bit to 0 works; it
seems like this could be the problem.

Doing my own verification is extremely slow (from 200ms to 4000ms for
a typical query).

Also, it seems to me that the CD bit should be set to 0 if the query is
forwarded and the validator module is off; is there a reason why it is always 1?

Thanks!

To reproduce (if it still matters):
server:
  num-threads: 1

  cache-min-ttl: 60
  access-control: 127.0.0.1 allow
  interface: 127.0.0.1
  port: 53

  chroot: "/etc/unbound"
  username: "unbound"

  logfile: "unbound.log"
  # only the iterator is loaded; without the validator module no local
  # DNSSEC validation takes place
  module-config: "iterator"

# forward-zone is its own top-level clause, not a server: attribute
forward-zone:
  name: "."
  forward-addr: 8.8.8.8

dig www.dnssec-failed.org (works)
dig @8.8.8.8 www.dnssec-failed.org (servfail)

I'm using version 1.5.1
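A check for the configuration mistake this thread turns on, as an added example that is not code from the thread or from the Unbound project: the script parses the subset of unbound.conf syntax used above (a clause keyword such as `server:` or `forward-zone:` on a line by itself, then `key: value` attributes, `#` comments) and reports whether a forward-zone is paired with a loaded validator module and a trust anchor. `WEAK_CONF` reproduces the poster's configuration; `FIXED_CONF` is a constructed corrected version, and its anchor file path is an assumption for this example. The default `module-config` value is also assumed from Unbound's documentation rather than taken from the thread.

```python
"""Audit an unbound.conf for "forward-zone without validation" (added example)."""

# Assumed built-in default when module-config is not set; check unbound.conf(5)
# for the version in use.
DEFAULT_MODULE_CONFIG = "validator iterator"
# Any of these gives the validator something to validate against.
ANCHOR_KEYS = ("auto-trust-anchor-file", "trust-anchor-file", "trust-anchor", "trusted-keys-file")

# Constructed input: the poster's configuration from this thread.
WEAK_CONF = """
server:
  num-threads: 1
  cache-min-ttl: 60
  access-control: 127.0.0.1 allow
  interface: 127.0.0.1
  port: 53
  chroot: "/etc/unbound"
  username: "unbound"
  logfile: "unbound.log"
  module-config: "iterator"

  forward-zone:
    name: "."
    forward-addr:8.8.8.8
"""

# Constructed corrected version; the anchor path is an assumption (e.g. written by unbound-anchor).
FIXED_CONF = """
server:
  interface: 127.0.0.1
  access-control: 127.0.0.1 allow
  module-config: "validator iterator"
  auto-trust-anchor-file: "/var/lib/unbound/root.key"  # assumed path

forward-zone:
  name: "."
  forward-addr: 8.8.8.8
"""


def parse_unbound_conf(text):
    """Return [(clause_name, {attribute: [values...]}), ...] in file order.

    A line whose value part is empty ("server:", "forward-zone:") opens a clause;
    indentation is ignored, as Unbound itself ignores it. Quoted values that contain
    '#' are outside this subset parser."""
    clauses, current = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError("not a key: value line: %r" % raw)
        key, value = key.strip(), value.strip().strip('"')
        if value == "":
            current = (key, {})
            clauses.append(current)
        elif current is None:
            raise ValueError("attribute %r appears before any clause" % key)
        else:
            current[1].setdefault(key, []).append(value)
    return clauses


def audit(text):
    """Summarise validation posture: does this config validate, and what does it forward?"""
    server, forwards = {}, []
    for name, attrs in parse_unbound_conf(text):
        if name == "server":
            for k, v in attrs.items():
                server.setdefault(k, []).extend(v)
        elif name == "forward-zone":
            targets = attrs.get("forward-addr", []) + attrs.get("forward-host", [])
            forwards.append((attrs.get("name", [""])[0], targets))
    modules = server.get("module-config", [DEFAULT_MODULE_CONFIG])[-1].split()
    validator = "validator" in modules
    anchored = any(k in server for k in ANCHOR_KEYS)
    permissive = server.get("val-permissive-mode", ["no"])[-1].lower() == "yes"
    findings = []
    if forwards and not validator:
        findings.append("forward-zone present but module-config %r omits validator; queries go "
                        "upstream with CD=1, so the forwarder never answers SERVFAIL for bogus data"
                        % " ".join(modules))
    if validator and not anchored:
        findings.append("validator loaded but no trust anchor configured; every answer is insecure")
    if permissive:
        findings.append("val-permissive-mode: yes returns bogus data instead of SERVFAIL")
    return {"validates": validator and anchored and not permissive,
            "forward_zones": forwards, "findings": findings}


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("fixed", FIXED_CONF)):
        result = audit(conf)
        print("%s: validates=%s forwards=%s" % (label, result["validates"], result["forward_zones"]))
        for finding in result["findings"]:
            print("  -", finding)
```

The parser deliberately tolerates the missing space in `forward-addr:8.8.8.8` and the indented `forward-zone:` from the original post, since Unbound accepts both; the audit flags the config regardless, because the missing validator module, not the layout, is what turns www.dnssec-failed.org into a "working" answer.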

The same thing does not work for me; can you try the configuration I
provided in my previous email to Daisuke Higashi?