Hi Wouter.

After adding trust-anchors and stub-zone configuration for the .de DNSSEC testbed, I get strange validation results, where Unbound reports secured subdomains as insecure. The parent domain is validated by DLV and reported secure.

Disabling the .de stub zone configuration fixes it.

I use DENIC's configuration example:
http://www.denic.de/fileadmin/Domains/DNSSEC/dnssec-testbed-muster-unbound.txt

Queries and AD flags:

home.dyndns.hauke-lampe.de. A -> insecure
dyndns.hauke-lampe.de. SOA -> insecure
hauke-lampe.de. SOA -> secure
dyndns.hauke-lampe.de. DS -> answer contains NSEC3 records from .de TLD

Full unbound-host debug log is here:
https://www.hauke-lampe.de/temp/unbound-host.log

I get the same results from DNS-OARC's resolvers (https://www.dns-oarc.net/oarc/services/odvr):

dig +dnssec dyndns.hauke-lampe.de. ds @149.20.64.21 # Unbound

> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 1
> [...]
> ;; AUTHORITY SECTION:
> 3K7UC41UOSLRR6B2FL0H3BG1S2QODATF.de. 5819 IN NSEC3 1 1 31 DE15C001
> 3K846UFP2SLUUNEP0UF07IVM5BPUMPL4 NS SOA NAPTR RRSIG DNSKEY NSEC3PARAM
> 3K7UC41UOSLRR6B2FL0H3BG1S2QODATF.de. 5819 IN RRSIG NSEC3 8 2 7200
> 20101017120000 20101010120000 56760 de.
> eEDMwH1c4elJ4csdfOZ4GhAO8bkkYSp6EtMUDIflOjgJokILvywCzElD
> CoiTi2UG+oEalXQCEQHy/qQFkEagf9rPzxdRIOCmhTcW+1x0pyzZ9Zzx
> lZ+n+YqPmS4+4F/VtI0wWAjW5R1edzyG7+2voFH6pG8zL970/cQHWBUG dyY=
> RHEOUB268TFR7QCO26MH2R1F320RNS8I.de. 7096 IN NSEC3 1 1 31 DE15C001
> RHES27TM53S8ER72SCDPTNNP0GCMOBO6 A RRSIG
> RHEOUB268TFR7QCO26MH2R1F320RNS8I.de. 7096 IN RRSIG NSEC3 8 2 7200
> 20101017120000 20101010120000 56760 de.
> RlTGZTuUujNcTv84YJ4o/QRx7+YpS8WdtehL7GUhItgKHidZSYIppUig
> 9TzWORfzw4BI5/MM5ZtiCCk/VL7P7K9mNiYiHfOxWvqVdBKNyI54BYFn
> s7PFbzR4ccdQAsj477arR6CtKmT7+jVEZy7xlIjFi6td1AugQY+jvJsl jH0=
> de. 5819 IN SOA f.nic.de. its.denic.de.
> 2010101061 7200 7200 3600000 7200
> de. 5819 IN RRSIG SOA 8 1 86400 20101017120000
> 20101010120000 56760 de.
> la/O+y6AySh+rWNidx8ORLLylODcSp4gPMhcAp9sdHeWFNuK2XNDV8qH
> VYKbUPxbQqFH68xcgGqCktyCKB2cxpe6kd1gUY7AySjAa9FTeejP9atO
> AJ+Y39KaVxOsjPJ2P9LY9qHKeudWHRMRzi3hZWs++APUSpypy5gn3rM+ 6qo=

dig +dnssec dyndns.hauke-lampe.de. ds @149.20.64.20 # BIND

> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
> [...]
> ;; ANSWER SECTION:
> dyndns.hauke-lampe.de. 229612 IN DS 38679 10 1
> 363FC90815032BB941808CD73C1D21AB3F3D6D3E
> dyndns.hauke-lampe.de. 229612 IN DS 38679 10 2
> B06ABE78F499F24CE9AC64BEFE6D9A3F2B101168867DF8B849F0800F 59F2CDF4
> dyndns.hauke-lampe.de. 229612 IN RRSIG DS 5 3 230042
> 20101021092305 20101007092305 20073 hauke-lampe.de.
> AQGIjBFH3xaXkUTGYo9yUHbva8GGWhasyQOv50CVNuzFJUOQrL05vtyH
> C2W7e7eSUFkvOm7dqaIkkBsV/+WFJAUXPcNqT9mJGpTiXuSLXRJmv8k2
> h4dnv4FT82YMP+kvNoF0QRRb7xp5trHsUvPX0uhzfbL8sCJwz31csDfq RT2E
> dyndns.hauke-lampe.de. 229612 IN RRSIG DS 5 3 230042
> 20101021092305 20101007092305 26427 hauke-lampe.de.
> ARqKo559ueoZT80eRvjauYL95mGjsc+WsJL/MLZxuHDG3jPFEjYrctac
> fhcKu/xVKhzT3mnxFgtBoHwcw45NIyXjfVn54FQk2mdFcJ/VW/n+xbVB
> Uyb+X078GeirOPDq1QFeFezADaBlgJDeg7v+wmyg0Vrmt6uFJ8kcpGxG 8TLB

Hauke.
