Re: Unbound and DNSSEC - different answers from 1.4.22 and 1.5.6

2015-11-25 Thread Aleš Rygl via Unbound-users
Hello Casey,

On Wednesday 25 of November 2015 11:08:39 Casey Deccio wrote:
> On Wed, Nov 25, 2015 at 10:19 AM, Aleš Rygl wrote:
> > I am running Unbound 1.4.22 on Debian 7.9 for production and  have also
> > installed  Unbound 1.5.6-1 on Debian 8.2. Both are validating with nearly
> > identical config.
> 
> In the 1.5.5 release, the following default behavior changed:
> 
> - Change default of harden-algo-downgrade to off. This is lenient for
>   algorithm rollover.

You are right of course - just tested. Thanks a lot for your immediate
response. You really made me happy at the end of a hard day.

With regards
Ales


Unbound and DNSSEC - different answers from 1.4.22 and 1.5.6

2015-11-25 Thread Aleš Rygl via Unbound-users
  

Hello all,

I am running Unbound 1.4.22 on Debian 7.9 for production and have also
installed Unbound 1.5.6-1 on Debian 8.2. Both are validating with nearly
identical config.

The issue is that I am receiving different results for the following query
(I am sorry for the long post):

1.4.22:

dig -t a www.mikulasske.cz -p1053 @127.0.0.1

; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> -t a www.mikulasske.cz -p1053 @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<-

Re: Unbound and DNSSEC - different answers from 1.4.22 and 1.5.6

2015-11-25 Thread Casey Deccio via Unbound-users
On Wed, Nov 25, 2015 at 10:19 AM, Aleš Rygl wrote:

> I am running Unbound 1.4.22 on Debian 7.9 for production and  have also
> installed  Unbound 1.5.6-1 on Debian 8.2. Both are validating with nearly
> identical config.
>

In the 1.5.5 release, the following default behavior changed:

- Change default of harden-algo-downgrade to off. This is lenient for
  algorithm rollover.

(https://www.unbound.net/pipermail/unbound-users/2015-October/004055.html)

From the unbound.conf man page:

harden-algo-downgrade - Harden against algorithm downgrade when multiple
algorithms are advertised in the DS record. If no, allows the weakest
algorithm to validate the zone. Default is no. Zone signers must
produce zones that allow this feature to work, but sometimes they do
not, and turning this option off avoids that validation failure.

(https://www.unbound.net/documentation/unbound.conf.html)

> According to the dnsviz.net  the domain seems to be DNSSEC broken.
>

Well, "broken" might be strong, but it has errors on the signer side
because the RRsets are signed by only one of the algorithms that appear in
the DS RRset:

http://dnsviz.net/d/mikulasske.cz/VlXMmQ/dnssec/

There is a validation path using one of the algorithms, but because it is
not signed with both, unbound will only validate it if
harden-algo-downgrade is off.  Again, the default behavior changed between
versions, which explains why validation works for one and not for the other.

Cheers,
Casey
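The decision Casey describes, modelled as an added example (this is not Unbound's code and is not from the thread): it reads the algorithm numbers out of a DS RRset and out of the RRSIGs actually present on the child's RRset, then reports what a validator would conclude with harden-algo-downgrade on and off. It assumes that any signature present verifies cryptographically, that the validator implements the algorithm set listed in SUPPORTED_ALGORITHMS, and uses constructed DS/RRSIG lines for example.test that only mirror the shape of the mikulasske.cz problem (two algorithms in the DS RRset, signatures for one of them); none of the key tags, digests or signature bytes are real.

```python
"""Model of Unbound's harden-algo-downgrade decision.

Added example, not Unbound's own code and not from the thread.  It checks a
zone's DS RRset against the RRSIG algorithms actually present on an RRset,
under both settings of harden-algo-downgrade.  Signatures that are present
are assumed to verify cryptographically; the DS and RRSIG text below is
constructed for illustration and does not describe the real mikulasske.cz
zone.
"""

# Algorithm numbers this model treats as implemented (RSASHA1,
# RSASHA1-NSEC3-SHA1, RSASHA256, RSASHA512, ECDSAP256SHA256, ECDSAP384SHA384,
# ED25519, ED448).  A DS record for an algorithm the validator cannot do is
# ignored rather than counted as a failure (RFC 6840, Section 5.2).
SUPPORTED_ALGORITHMS = {5, 7, 8, 10, 13, 14, 15, 16}


def parse_algorithms(rrset_text, rrtype):
    """Collect the algorithm numbers from DS or RRSIG records given in
    presentation format.

    RFC 4034 layouts:  DS    <keytag>  <alg> <digesttype> <digest>
                       RRSIG <covered> <alg> <labels> <origttl> ...
    so in both cases the algorithm is the second field after the type name.
    """
    algorithms = set()
    for line in rrset_text.strip().splitlines():
        fields = line.split()
        if rrtype not in fields:
            continue
        algorithms.add(int(fields[fields.index(rrtype) + 2]))
    return algorithms


def validate(ds_text, rrsig_text, harden_algo_downgrade):
    """Return (status, reason) for the RRset under one policy.

    harden_algo_downgrade=True : every supported algorithm listed in the DS
                                 RRset must have an RRSIG (the signer
                                 requirement of RFC 4035, Section 2.2).
    harden_algo_downgrade=False: one validating algorithm suffices (the
                                 validator behaviour RFC 6840, Section 5.11
                                 recommends, and Unbound's default since 1.5.5).
    """
    ds_algs = parse_algorithms(ds_text, "DS")
    if not ds_algs & SUPPORTED_ALGORITHMS:
        # Nothing we can check: the delegation is treated as unsigned.
        return "insecure", "no DS record uses a supported algorithm"
    ds_algs &= SUPPORTED_ALGORITHMS
    sig_algs = parse_algorithms(rrsig_text, "RRSIG") & SUPPORTED_ALGORITHMS

    usable = ds_algs & sig_algs    # algorithms with both a DS and an RRSIG
    missing = ds_algs - sig_algs   # advertised at the parent, unsigned in the child
    if not usable:
        return "bogus", "no RRSIG for any algorithm advertised in the DS RRset"
    if harden_algo_downgrade and missing:
        return "bogus", (f"DS advertises algorithm(s) {sorted(missing)} "
                         f"but the RRset carries no RRSIG for them")
    return "secure", f"validated via algorithm(s) {sorted(usable)}"


def compare_policies(ds_text, rrsig_text):
    """Run both settings side by side, keyed the way unbound.conf spells them."""
    return {
        "harden-algo-downgrade: yes": validate(ds_text, rrsig_text, True),
        "harden-algo-downgrade: no": validate(ds_text, rrsig_text, False),
    }


# Constructed sample mirroring the shape of the problem in the thread: the
# parent's DS RRset advertises two algorithms (7 and 8) but the child signs
# with only one of them (8).  Key tags, digests and signature are made up.
DS_TWO_ALGORITHMS = """
example.test. 3600 IN DS 12345 7 2 0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF
example.test. 3600 IN DS 54321 8 2 FEDCBA9876543210FEDCBA9876543210FEDCBA9876543210FEDCBA9876543210
"""

RRSIG_ALGORITHM_8_ONLY = """
www.example.test. 300 IN RRSIG A 8 3 300 20151225000000 20151125000000 54321 example.test. c2lnbmF0dXJlLWJ5dGVzLWdvLWhlcmU=
"""

if __name__ == "__main__":
    results = compare_policies(DS_TWO_ALGORITHMS, RRSIG_ALGORITHM_8_ONLY)
    for policy, (status, reason) in results.items():
        print(f"{policy:27} -> {status}: {reason}")
```

Running it prints "bogus" for the strict setting and "secure" for the lenient one, which is exactly the 1.4.22 versus 1.5.6 difference in the thread. To get the old behaviour back on 1.5.5 or later, set `harden-algo-downgrade: yes` in the `server:` section of unbound.conf; before doing so on a production resolver, remember that every zone whose DS RRset advertises an algorithm it does not sign with will then fail in the same way mikulasske.cz did.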