unbound responds with status SERVFAIL for request 'dig
foo.dname2.example. any +dnssec'. I think it means unbound failed to
validate the data, and I found such statements in the log:
12-Jul-2011 09:32:51.666 info: no signer, using <foo.dname2.example. TYPE0 CLASS0>
Would the signer be 'example' instead of 'foo.dname2.example'?
Here is the response for the request with the CD bit set:
$ dig foo.dname2.example. any @10.53.0.8 +cdflag
; <<>> DiG 9.7.3 <<>> foo.dname2.example. any @10.53.0.8 +cdflag
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40226
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 7, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;foo.dname2.example. IN ANY
;; ANSWER SECTION:
dname2.example. 300 IN DNAME dname2-target.example.
dname2.example. 300 IN RRSIG DNAME 3 2 300
20110811002909 20110712002909 41604 example.
BKfBYKdcGieT+EEIGl2vilfsl7egcmfvQsLgAwEhp1vQPJTxkNNJ6BM=
foo.dname2.example. 0 IN CNAME foo.dname2-target.example.
foo.dname2-target.example. 300 IN TXT "testing dname"
foo.dname2-target.example. 300 IN RRSIG TXT 3 3 300
20110811002909 20110712002909 41604 example.
BAXpPonMvpx/Dyw/z0UP9DwYiLWlrffj9zJF7V7kfxpLF7X/mTftZWE=
foo.dname2-target.example. 3600 IN NSEC dynamic.example. TXT RRSIG NSEC
foo.dname2-target.example. 3600 IN RRSIG NSEC 3 3 3600
20110811002909 20110712002909 41604 example.
BFyRlAUY3vBL2E7JEyezzaxjgBoycn0M5ZXJ8vRxa7suQi7cnoo6Z1s=
;; AUTHORITY SECTION:
example. 300 IN NS ns2.example.
example. 300 IN NS ns3.example.
;; ADDITIONAL SECTION:
ns2.example. 300 IN A 10.53.0.2
ns3.example. 300 IN A 10.53.0.3
Unbound follows the DNAME when answering the ANY query, like Luo Ce has
reported. But, in this case, it is confused by the unsigned target and
thus unsigned data that appears in the ANY response.
There are two roads to a solution. Unbound can stop following CNAME and
DNAME if the qtype is ANY. Unbound can learn that ANY responses may
contain CNAME and DNAME and thus also target zone contents and validate
that.
Hi Wouter,
thanks a lot for your answer. But I can get the following response
from the BIND recursor:
There is an 'ad' flag, so I wonder whether the validation should be
'pass' or 'failed'.
That message is in error (just like Unbound, but wrong the other way).
Because the TXT record is not signed, the result should have been sent
without the AD flag. (CNAME sequence from signed to unsigned zone
becomes insecure). Something that could well be reported to the ISC people.
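The rule Wouter states (a chain from a signed zone into an unsigned zone is insecure: NOERROR without AD, not SERVFAIL and not AD) can be written down as a small state combiner. The following is an added example, not code from this thread, from Unbound or from BIND. It assumes the signature cryptography has already been checked (the `sig_ok` field stands in for that), that the set of signed zones and of provably unsigned delegations is known (in a real validator this comes from DS lookups), and it uses the answer section from the dig output above plus a constructed variant in which the DNAME target lives in an unsigned zone. Zone names, record dicts and the function names are all this example's own.

```python
# Added example (not from the thread, Unbound or BIND): combine per-RRset DNSSEC
# states across a DNAME / synthesized-CNAME chain inside an ANY answer, and map
# the result to the rcode and AD flag a resolver should return.

SECURE, INSECURE, BOGUS = "secure", "insecure", "bogus"
RANK = {BOGUS: 0, INSECURE: 1, SECURE: 2}   # a chain is as weak as its weakest link


def zone_of(owner, zones):
    """Longest known zone apex that `owner` falls under (assumed zone cuts)."""
    best = None
    for z in zones:
        if owner == z or owner.endswith("." + z):
            if best is None or len(z) > len(best):
                best = z
    return best


def synthesize_cname(qname, dname_owner, dname_target):
    """RFC 6672 substitution: replace the DNAME owner suffix with its target."""
    suffix = "." + dname_owner
    if not qname.endswith(suffix):
        raise ValueError("qname is not below the DNAME owner")
    return qname[: -len(suffix)] + "." + dname_target


def rrset_state(rr, signed_zones, unsigned_zones):
    """State of one RRset. The signer is the zone apex named in the RRSIG
    (here 'example.'), never the owner name of the record itself."""
    zone = zone_of(rr["owner"], signed_zones | unsigned_zones)
    if zone is None:
        return BOGUS                     # no path from a trust anchor is known
    if zone in unsigned_zones:
        return INSECURE                  # delegation proven unsigned (no DS)
    if rr["signer"] is None or not rr["sig_ok"] or rr["signer"] != zone:
        return BOGUS                     # signed zone, but data unsigned or badly signed
    return SECURE


def validate_any_chain(qname, answer, signed_zones, unsigned_zones):
    """Walk DNAME/CNAME links from qname; at the final name every RRset in the
    ANY answer is validated (the 'validate target zone contents' road)."""
    states, name, seen = [], qname, set()
    while name not in seen:
        seen.add(name)
        dnames = [r for r in answer if r["type"] == "DNAME"
                  and name.endswith("." + r["owner"])]
        cnames = [r for r in answer if r["type"] == "CNAME" and r["owner"] == name]
        if dnames:
            d = dnames[0]
            states.append(rrset_state(d, signed_zones, unsigned_zones))
            expected = synthesize_cname(name, d["owner"], d["rdata"])
            # A synthesized CNAME carries no RRSIG; it is authenticated only by
            # checking it against the (signed) DNAME it was derived from.
            if not cnames or cnames[0]["rdata"] != expected:
                states.append(BOGUS)
            name = expected
            continue
        if cnames:
            states.append(rrset_state(cnames[0], signed_zones, unsigned_zones))
            name = cnames[0]["rdata"]
            continue
        for r in answer:                 # end of chain: the ANY payload itself
            if r["owner"] == name and r["type"] != "RRSIG":
                states.append(rrset_state(r, signed_zones, unsigned_zones))
        break
    return min(states, key=RANK.__getitem__) if states else BOGUS


def response_flags(state):
    """AD only for secure data; SERVFAIL only for bogus data; insecure is plain NOERROR."""
    return {"rcode": "SERVFAIL" if state == BOGUS else "NOERROR", "ad": state == SECURE}


QNAME = "foo.dname2.example."
SIGNED = {"example."}
# Answer section as shown in the dig output above (signatures assumed to verify).
PAGE_ANSWER = [
    {"owner": "dname2.example.", "type": "DNAME", "rdata": "dname2-target.example.",
     "signer": "example.", "sig_ok": True},
    {"owner": "foo.dname2.example.", "type": "CNAME", "rdata": "foo.dname2-target.example.",
     "signer": None, "sig_ok": False},
    {"owner": "foo.dname2-target.example.", "type": "TXT", "rdata": '"testing dname"',
     "signer": "example.", "sig_ok": True},
    {"owner": "foo.dname2-target.example.", "type": "NSEC",
     "rdata": "dynamic.example. TXT RRSIG NSEC", "signer": "example.", "sig_ok": True},
]
# Constructed variant: the DNAME target is an unsigned delegation, so the TXT has no RRSIG.
UNSIGNED_TARGET = {"dname2-target.example."}
UNSIGNED_TARGET_ANSWER = PAGE_ANSWER[:2] + [
    {"owner": "foo.dname2-target.example.", "type": "TXT", "rdata": '"testing dname"',
     "signer": None, "sig_ok": False},
]

if __name__ == "__main__":
    for label, ans, unsigned in (("page answer", PAGE_ANSWER, set()),
                                 ("unsigned target", UNSIGNED_TARGET_ANSWER, UNSIGNED_TARGET),
                                 ("unsigned data in signed zone", UNSIGNED_TARGET_ANSWER, set())):
        st = validate_any_chain(QNAME, ans, SIGNED, unsigned)
        print(f"{label}: {st} -> {response_flags(st)}")
```

The three runs cover the three outcomes discussed in the thread: the page's own answer validates as secure, the signed-to-unsigned chain comes out insecure (NOERROR, AD cleared, which is what the BIND reply should have returned), and unsigned data inside a zone that is supposed to be signed is bogus (SERVFAIL, the result Unbound gave). Note that the unbound log line above names the CNAME owner as the "signer" only because a synthesized CNAME has no RRSIG at all; a validator has to resynthesize it from the DNAME rather than look for a signature on it.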