Unbound dropping RRSIGs from zone?

Hi all,

I noticed a strange issue with one of our Unbound 1.4.1 resolvers and a
signed zone that we maintain (0.7.7.0.1.0.0.2.ip6.arpa - no DS
records are published to the parent yet).

A nagios plugin had been regularly alarming that the zone was
unsigned, and indeed when I queried the Unbound resolver that our
monitoring server uses the RRSIG had been stripped out of the reply:

--------8<--------

dig @windu 0.7.7.0.1.0.0.2.ip6.arpa soa +dnssec

; <<>> DiG 9.7.3 <<>> @windu 0.7.7.0.1.0.0.2.ip6.arpa soa +dnssec
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42217
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;0.7.7.0.1.0.0.2.ip6.arpa. IN SOA

;; ANSWER SECTION:
0.7.7.0.1.0.0.2.ip6.arpa. 814 IN SOA ns.heanet.ie.
hostmaster.heanet.ie. 2011122000 7200 7200 432000 3600

--------8<--------

An identical resolver returns the correct record however:

--------8<--------

dig @dooku 0.7.7.0.1.0.0.2.ip6.arpa soa +dnssec

; <<>> DiG 9.7.3 <<>> @dooku 0.7.7.0.1.0.0.2.ip6.arpa soa +dnssec
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47300
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;0.7.7.0.1.0.0.2.ip6.arpa. IN SOA

;; ANSWER SECTION:
0.7.7.0.1.0.0.2.ip6.arpa. 111 IN SOA ns.heanet.ie.
hostmaster.heanet.ie. 2011122000 7200 7200 432000 3600
0.7.7.0.1.0.0.2.ip6.arpa. 111 IN RRSIG SOA 8 10
3600 20111226202852 20111220000932 45295 0.7.7.0.1.0.0.2.ip6.arpa.
BWYHZQK8cxu71ysSVKeUAQobe270QWIm4zwXFloBZy8VkvH3OCQdskoB
Xu6Ff7Hql8qi85y7yoAIMofDLLtPfBue1QLIYPT/ioBM81XYJqLJOHwd
gqUUoaR1hufB0ewiCO04QwY2Mq985VzsZyAQ4n+E1OiuRqpvUOCEBoDh uYk=

--------8<--------

Manually flushing the record, restarting unbound, or waiting for the
TTL to expire causes the resolver to re-fetch the missing RRSIGs and
things continue as normal, but the problem seems to re-appear every
couple of days according to the nagios plugin logs.

Nothing obvious turns up in the logs on the resolver, at verbosity 2 at
least. Should I increase the verbosity to something noisier?

rg
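An added example, not code from the thread, of the kind of check the nagios plugin above performs: it parses the ANSWER section of a `dig +dnssec` reply and flags RRsets that arrive without a covering RRSIG. The two sample replies are constructed to mirror the windu and dooku outputs quoted above (signature shortened); the function names are my own.

```python
# Added example: detect RRSIG stripping in a `dig +dnssec` answer section.
# Constructed samples modelled on the windu (no RRSIG) and dooku (RRSIG) replies.

WINDU_REPLY = """\
;; ANSWER SECTION:
0.7.7.0.1.0.0.2.ip6.arpa. 814 IN SOA ns.heanet.ie. hostmaster.heanet.ie. 2011122000 7200 7200 432000 3600
"""

DOOKU_REPLY = """\
;; ANSWER SECTION:
0.7.7.0.1.0.0.2.ip6.arpa. 111 IN SOA ns.heanet.ie. hostmaster.heanet.ie. 2011122000 7200 7200 432000 3600
0.7.7.0.1.0.0.2.ip6.arpa. 111 IN RRSIG SOA 8 10 3600 20111226202852 20111220000932 45295 0.7.7.0.1.0.0.2.ip6.arpa. BWYHZQK8...uYk=

;; AUTHORITY SECTION:
"""

def parse_answer_section(dig_output):
    """Return (owner, type, rdata_tokens) for each record in the ANSWER section."""
    records, in_answer = [], False
    for line in dig_output.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if not in_answer:
            continue
        if not line.strip():          # blank line ends the section
            break
        if line.startswith(";"):      # comment lines carry no records
            continue
        owner, _ttl, _cls, rtype, *rdata = line.split()
        records.append((owner, rtype, rdata))
    return records

def unsigned_rrsets(records):
    """RRsets present in the answer with no RRSIG covering their type."""
    present = {(o, t) for o, t, _ in records if t != "RRSIG"}
    # The first rdata field of an RRSIG is the type it covers.
    covered = {(o, rd[0]) for o, t, rd in records if t == "RRSIG" and rd}
    return present - covered

def check_dnssec_answer(dig_output):
    """Nagios-style result: (exit code, message). 0=OK, 2=CRITICAL, 3=UNKNOWN."""
    records = parse_answer_section(dig_output)
    if not records:
        return 3, "UNKNOWN: no records in ANSWER section"
    missing = unsigned_rrsets(records)
    if missing:
        names = ", ".join(f"{o} {t}" for o, t in sorted(missing))
        return 2, f"CRITICAL: RRSIG missing for {names}"
    return 0, "OK: all answer RRsets carry an RRSIG"
```

Feed it the raw output of `dig @resolver <zone> soa +dnssec`; an answer with the SOA but no RRSIG, as seen from windu, yields CRITICAL.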

Hi Rob,

> Hi all,
>
> I noticed a strange issue with one of our Unbound 1.4.1 resolvers and a
> signed zone that we maintain (0.7.7.0.1.0.0.2.ip6.arpa - no DS
> records are published to the parent yet).

Try updating to 1.4.14; apart from the vuln patch there have been a
number of fixes in the meantime with handling EDNS-timeouts and
fragmentation issues. You perhaps have such fragmentation issues.

It is also a good idea to perform the oarc edns reply size test, see if
packets larger than 1500 go there, fix your old routers, firewalls to
handle UDP fragments (the upgrade may work around it, but this will fix
it and make your nameservers run better (EDNS larger sizes work)).

Best regards,
   Wouter