I have an unbound server using Quad9 as an upstream DNS provider. I have
been unable to resolve records from slack.com recently using my local
unbound.
On the server:
```
# dig @::1 slack.com
; <<>> dig 9.10.8-P1 <<>> @::1 slack.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 54174
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; EDE: 7 (Signature Expired): 76 61 6c 69 64 61 74 69 6f 6e 20 66 61 69 6c 75 72 65 20 3c 73 6c 61 63 6b 2e 63 6f 6d 2e 20 41 20 49 4e 3e 3a 20 73 69 67 6e 61 74 75 72 65 20 65 78 70 69 72 65 64 20 66 72 6f 6d 20 32 36 32 30 3a 66 65 3a 3a 66 65 ("validation failure <slack.com. A IN>: signature expired from 2620:fe::fe")
;; QUESTION SECTION:
;slack.com. IN A
;; Query time: 26 msec
;; SERVER: ::1#53(::1)
;; WHEN: Mon Mar 18 18:02:25 PDT 2024
;; MSG SIZE rcvd: 116
```
But when I try to query Quad9 directly, it works:
```
# dig @2620:fe::fe slack.com
; <<>> dig 9.10.8-P1 <<>> slack.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2705
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 9, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;slack.com. IN A
;; ANSWER SECTION:
slack.com. 10 IN A 35.81.85.251
slack.com. 10 IN A 44.234.235.93
slack.com. 10 IN A 54.70.179.16
slack.com. 10 IN A 44.237.180.172
slack.com. 10 IN A 52.89.90.67
slack.com. 10 IN A 54.245.50.245
slack.com. 10 IN A 54.188.33.22
slack.com. 10 IN A 54.71.95.193
slack.com. 10 IN A 35.82.91.193
;; Query time: 2 msec
;; SERVER: 2620:fe::fe#53(2620:fe::fe)
;; WHEN: Mon Mar 18 18:05:05 PDT 2024
;; MSG SIZE rcvd: 182
```
I've tried
- `unbound-control reload`
- `unbound-control flush slack.com`
- `unbound-anchor`
... and there's no change. All other domains I've tried work.
I am using one of StevenBlack's block lists and I changed that recently
(from one list to another one), if that's relevant.
I tried removing the block list entirely and saw no change.
Here's my unbound.conf:
```
server:
    interface: ::1
    interface: xxxx:xxxx:xxxx:xxxx::xxxx
    do-ip6: yes
    ede: yes
    do-nat64: yes
    access-control: ::0/0 refuse
    access-control: ::1 allow
    access-control: xxxx:xxxx:xxxx:xxxx::xxxx allow
    access-control: 192.168.1.0/32 allow
    access-control: xxxx:xxxx:xxxx:5700::/64 allow
    access-control: xxxx:xxxx:xxxx:5702::/64 allow
    do-not-query-localhost: no
    hide-identity: yes
    hide-version: yes
    auto-trust-anchor-file: "/var/unbound/db/root.key"
    val-log-level: 2
    aggressive-nsec: yes
    private-address: ::1/128
    private-address: ::ffff:0:0/96
    private-address: fd00::/8
    private-address: fe80::/10
    module-config: "dns64 validator iterator"
    include: /etc/unwind.conf.deny

remote-control:
    control-enable: yes
    control-interface: /var/run/unbound.sock

forward-zone:
    name: "."
    forward-addr: 2620:fe::fe
```
This feels like a caching issue to me, but I don't know what to do to
resolve it.
Unbound logs show the same error from the failing dig command.
Would appreciate any help.
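As an added example (not part of this post or of unbound), the Python below decodes the Extended DNS Error option that dig rendered as hex above and shows how a validator classifies an RRSIG validity window against its own clock, which is the decision behind EDE code 7. The option layout follows RFC 8914 and RFC 6891, the timestamps are RFC 4034 presentation form, and the OPT RDATA and RRSIG times used are constructed here for illustration.

```python
import struct
from datetime import datetime, timedelta

EDE_OPTION_CODE = 15  # OPTION-CODE for Extended DNS Error (RFC 8914)
EDE_NAMES = {6: "DNSSEC Bogus", 7: "Signature Expired", 8: "Signature Not Yet Valid", 9: "DNSKEY Missing"}

# EXTRA-TEXT bytes exactly as dig printed them in the SERVFAIL answer above.
DIG_EXTRA_TEXT_HEX = (
    "76 61 6c 69 64 61 74 69 6f 6e 20 66 61 69 6c 75 72 65 20 3c 73 6c 61 63 6b 2e "
    "63 6f 6d 2e 20 41 20 49 4e 3e 3a 20 73 69 67 6e 61 74 75 72 65 20 65 78 70 69 "
    "72 65 64 20 66 72 6f 6d 20 32 36 32 30 3a 66 65 3a 3a 66 65")

def build_option(code, payload):
    """One EDNS0 option: OPTION-CODE, OPTION-LENGTH, OPTION-DATA (RFC 6891). Constructed input."""
    return struct.pack("!HH", code, len(payload)) + payload

def build_ede(info_code, extra_text):
    """EDE option data is a 2-byte INFO-CODE followed by UTF-8 EXTRA-TEXT (RFC 8914)."""
    return build_option(EDE_OPTION_CODE, struct.pack("!H", info_code) + extra_text)

def parse_ede(opt_rdata):
    """Walk the OPT RDATA option list; return (info_code, name, text) for each EDE option."""
    found, off = [], 0
    while off + 4 <= len(opt_rdata):
        code, length = struct.unpack_from("!HH", opt_rdata, off)
        data = opt_rdata[off + 4:off + 4 + length]
        if len(data) != length:
            raise ValueError("truncated EDNS option")
        off += 4 + length
        if code == EDE_OPTION_CODE:
            if length < 2:
                raise ValueError("EDE option shorter than its INFO-CODE")
            info = struct.unpack_from("!H", data)[0]
            found.append((info, EDE_NAMES.get(info, "other"),
                          data[2:].decode("utf-8", "replace")))
    return found

def rrsig_status(inception, expiration, now, skew_seconds=0):
    """Classify an RRSIG window against the validator's clock; all three times in
    RFC 4034 presentation form YYYYMMDDHHmmSS (UTC). A validator whose clock runs
    ahead of real time reports 'Signature Expired' for RRSIGs the upstream still accepts."""
    fmt = "%Y%m%d%H%M%S"
    inc, exp, at = (datetime.strptime(t, fmt) for t in (inception, expiration, now))
    skew = timedelta(seconds=skew_seconds)
    if at > exp + skew:
        return "Signature Expired"
    if at < inc - skew:
        return "Signature Not Yet Valid"
    return "valid"
```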