On 11.10.2010 07:27, Paul Wouters wrote:
> On Mon, 11 Oct 2010, Hauke Lampe wrote:
> Works fine for my unbound (1.4.5rc1) with testbed config:
>
> $ dig +dnssec dyndns.hauke-lampe.de. ds @nssec.xelerance.com

That is odd. Right now, it works on my resolver and DNS-OARC's, too.

I can still reproduce it with unbound-host, though:

| # unbound-host -C unbound-testbed.conf -t a -v home.dyndns.hauke-lampe.de
| home.dyndns.hauke-lampe.de has address 213.39.216.235 (insecure)
| # unbound-host -C unbound-notestbed.conf -t a -v home.dyndns.hauke-lampe.de
| home.dyndns.hauke-lampe.de has address 213.39.216.235 (secure)

Here's my sample config:
https://www.hauke-lampe.de/temp/unbound-host-config.tgz

In the testbed case, unbound does not even query for the subdomain DS:

| info: next keyname <dyndns.hauke-lampe.de. DNSKEY IN>
| info: DS RRset <hauke-lampe.de. DS IN>

Shouldn't that say dyndns.hauke-lampe.de above?

| debug: Process cached DS response
| debug: nsec3: keysize 1032 bits, max iterations 500
| info: ce candidate <de. TYPE0 CLASS0>
| info: NSEC3s for the referral proved no DS.
| debug: val handle processing q with state VAL_VALIDATE_STATE
| info: Verified that response is INSECURE

Unbound seems to use the NSEC3s from .de to decide that there's no DS for dyndns.hauke-lampe.de.

If I just remove the DNSKEY for .de, Unbound tries to validate them and then goes ahead and fetches the DS record:

| info: next keyname <dyndns.hauke-lampe.de. DNSKEY IN>
| info: DS RRset <hauke-lampe.de. DS IN>
| debug: Process cached DS response
| info: verify rrset <3K7UC41UOSLRR6B2FL0H3BG1S2QODATF.de. NSEC3 IN>
| debug: verify sig 56760 8
| debug: verify: could not find appropriate key
| debug: rrset failed to verify: no valid signatures for 1 algorithms
| debug: verify result: sec_status_bogus
| debug: NSEC3 did not verify
| info: NSEC3s for the referral did not prove no DS.
| debug: blacklist add: cache
| debug: val handle processing q with state VAL_FINDKEY_STATE
| info: validator: FindKey <home.dyndns.hauke-lampe.de. A IN>
| info: current keyname <hauke-lampe.de. DNSKEY IN>
| info: target keyname <dyndns.hauke-lampe.de. DNSKEY IN>
| debug: striplab 0
| info: next keyname <dyndns.hauke-lampe.de. DNSKEY IN>
| info: DS RRset <hauke-lampe.de. DS IN>
| info: generate request <dyndns.hauke-lampe.de. DS IN>

Hauke.

_______________________________________________
Unbound-users mailing list
[email protected]
http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
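The zone-applicability check that the testbed log above appears to skip, written out as an added Python example (not from this thread and not Unbound's own code): an NSEC3 from .de can prove "no DS" for hauke-lampe.de, but never for dyndns.hauke-lampe.de, whose DS would live in hauke-lampe.de. The .de record below is a constructed stand-in (empty salt, 0 iterations), since the real .de salt, iteration count and hash are not on the page; the RFC 5155 Appendix A vector is used to check the hash routine.

```python
import base64
import hashlib

B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                         b"0123456789ABCDEFGHIJKLMNOPQRSTUV")

def labels(name):
    """Labels of an absolute name, lowercased, root label dropped."""
    return [l for l in name.lower().split(".") if l]

def parent(name):
    """Parent of a name: strip the leftmost label."""
    return ".".join(labels(name)[1:]) + "."

def nsec3_hash(name, salt, iterations):
    """RFC 5155 section 5: SHA-1 over the canonical wire-format name plus
    salt, re-hashed 'iterations' more times, as lowercase base32hex."""
    wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels(name))
    digest = hashlib.sha1(wire + b"\x00" + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(B32HEX).decode("ascii").lower()

def no_ds_proof_applies(nsec3_owner, ds_qname):
    """A DS RRset lives in the parent zone of its owner, so only an NSEC3
    from that parent zone can prove the DS absent. The NSEC3's own zone is
    its owner name minus the hash label."""
    return parent(nsec3_owner) == parent(ds_qname)

def proves_no_ds(rec, ds_qname):
    """Matching-NSEC3 case of an insecure-delegation proof (RFC 5155 8.9):
    right zone, hashed owner equals H(ds_qname), NS bit set, DS bit clear."""
    if not no_ds_proof_applies(rec["owner"], ds_qname):
        return False
    if labels(rec["owner"])[0] != nsec3_hash(ds_qname, rec["salt"], rec["iterations"]):
        return False
    return "NS" in rec["types"] and "DS" not in rec["types"]

# Constructed stand-in for the .de NSEC3 that matches hauke-lampe.de; the real
# .de salt, iteration count and hash are not known here, so salt "" / 0 is used.
DE_NSEC3 = {
    "owner": nsec3_hash("hauke-lampe.de.", b"", 0) + ".de.",
    "salt": b"", "iterations": 0,
    "types": {"NS"},  # NS present, DS absent: an insecure delegation
}

if __name__ == "__main__":
    # Legitimately proves no DS for hauke-lampe.de ...
    print(proves_no_ds(DE_NSEC3, "hauke-lampe.de."))         # True
    # ... but says nothing about dyndns.hauke-lampe.de (DS would be in hauke-lampe.de)
    print(proves_no_ds(DE_NSEC3, "dyndns.hauke-lampe.de."))  # False
```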
