Maintained by: NLnet Labs

[Unbound-users] DLV records for ORG have been inserted into dlv.isc.org

W.C.A. Wijngaards
Mon Jul 6 14:47:43 CEST 2009


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Stephane,

On 07/06/2009 02:33 PM, Stephane Bortzmeyer wrote:
>> For those of you using DLV in your resolvers, ORG should have appeared a  
>> few minutes ago.
> 
> It works with BIND+DLV:
> 
> % dig +dnssec SOA bondis.org 
> ...
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 3
> ...
> 
> Not with Unbound+DLV:
> 
> % dig +dnssec SOA automagic.org
> ...
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 9192
> 
> (All the .ORG domains servfail.)
> 
> Log attached.
> 
> Restarting does not help.
> 
> Unbound 1.3.0 pristine, Debian/Linux, no forwarder, dlv.isc.org

Automagic.org has 4 servers. The ns-ext.isc.org is glue, and then it has
three other nameservers.  The isc.org server has expired DNSKEY
signatures.  The other nameservers work.

(Jelte says after a quick look: the zone was most probably updated, but
they *de*creased the serial number, causing the pickup to go wrong).

Unbound, because it gets the glue for free, tries to get the data from
isc.org.  This fails.  It becomes servfail.

Now, with default settings, unbound fetches address for the other
servers into the cache and every minute tries a random one.  So after
some time it can become valid if you keep trying.

Bind shows different behaviour - it tries all nameservers for the domain
until it gets valid DNSSEC from it.  That is why you see no complaints
from BIND.

Because of the design of unbound it would be relatively tricky to scan
all nameservers for valid signatures.

Best regards,
   Wouter
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAkpR8m4ACgkQkDLqNwOhpPgX+gCgqOb90jIB+endXnxhRGHrx6xq
pFsAn0weAULeXOIcStmCFmDI8mhXCCO6
=8kbh
-----END PGP SIGNATURE-----
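The diagnosis above boils down to two per-nameserver checks: are the DNSKEY RRSIGs each server hands out still inside their validity window, and do all servers agree on the SOA serial, with the serial compared the way secondaries compare it (RFC 1982 arithmetic), so that a *decreased* serial shows up as "older" and explains why the update was not picked up. The script below is an added example, not code from Unbound, NLnet Labs or the poster of the message; it parses the presentation format that `dig +dnssec` prints, and the zone name, server names, serials and signature fields are constructed for illustration. Querying each server with `dig +dnssec +norecurse @server SOA zone` and `@server DNSKEY zone` and feeding the output in is left to the caller.

```python
"""Per-nameserver DNSSEC sanity check: does every authoritative server hand out
DNSKEY RRSIGs inside their validity window, and do all servers agree on the
SOA serial (compared with RFC 1982 serial arithmetic, so a decreased serial
shows up as 'older', not 'newer')?

Added example, not code from Unbound, NLnet Labs or the mailing-list poster.
Zone, server names and record contents below are constructed for illustration.
"""
import re
from datetime import datetime, timezone

# One RRSIG line in dig's default presentation format (tabs or spaces between
# fields; the base64 signature may be printed as several space-separated chunks).
RRSIG_RE = re.compile(
    r"^(?P<name>\S+)\s+\d+\s+IN\s+RRSIG\s+(?P<covered>\S+)\s+\d+\s+\d+\s+\d+\s+"
    r"(?P<expiration>\d{14})\s+(?P<inception>\d{14})\s+\d+\s+(?P<signer>\S+)\s+.+$"
)
# SOA line: name ttl IN SOA mname rname serial refresh retry expire minimum
SOA_RE = re.compile(r"^\S+\s+\d+\s+IN\s+SOA\s+\S+\s+\S+\s+(?P<serial>\d+)\s")


def _ts(field):
    """RRSIG time fields are YYYYMMDDHHmmSS in UTC."""
    return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def rrsig_status(dig_output, now):
    """Return [(covered type, 'valid' | 'expired' | 'not yet valid')] per RRSIG."""
    result = []
    for line in dig_output.splitlines():
        m = RRSIG_RE.match(line.strip())
        if not m:
            continue
        if now > _ts(m["expiration"]):
            status = "expired"
        elif now < _ts(m["inception"]):
            status = "not yet valid"
        else:
            status = "valid"
        result.append((m["covered"], status))
    return result


def soa_serial(dig_output):
    """First SOA serial found in the dig output, or None."""
    for line in dig_output.splitlines():
        m = SOA_RE.match(line.strip())
        if m:
            return int(m["serial"])
    return None


def serial_gt(a, b):
    """RFC 1982 comparison: True if 32-bit serial a is newer than b.
    A serial that was numerically decreased therefore compares as older."""
    a, b = a % 2**32, b % 2**32
    return (a < b and b - a > 2**31) or (a > b and a - b < 2**31)


def audit_nameservers(responses, now):
    """responses: {server: dig output of the SOA and DNSKEY queries sent to that
    server}. Returns the servers a validator should not trust right now: any
    expired/not-yet-valid RRSIG, or a serial older than the newest one seen."""
    serials = {ns: soa_serial(out) for ns, out in responses.items()}
    newest = None
    for s in serials.values():
        if s is not None and (newest is None or serial_gt(s, newest)):
            newest = s
    bad = []
    for ns, out in responses.items():
        sigs = rrsig_status(out, now)
        sig_ok = bool(sigs) and all(st == "valid" for _, st in sigs)
        serial_ok = serials[ns] is not None and not serial_gt(newest, serials[ns])
        if not (sig_ok and serial_ok):
            bad.append(ns)
    return sorted(bad)


# Constructed sample: three servers serve the freshly re-signed zone, one still
# serves the old copy whose DNSKEY signature ran out on 5 July.
NOW = datetime(2009, 7, 6, 14, 0, tzinfo=timezone.utc)
GOOD = """\
example.org.\t3600\tIN\tSOA\tns1.example.org. hostmaster.example.org. 2009070601 7200 3600 1209600 3600
example.org.\t3600\tIN\tRRSIG\tDNSKEY 7 2 3600 20090801000000 20090701000000 12345 example.org. AbCd EfGh
"""
STALE = """\
example.org.\t3600\tIN\tSOA\tns1.example.org. hostmaster.example.org. 2009060101 7200 3600 1209600 3600
example.org.\t3600\tIN\tRRSIG\tDNSKEY 7 2 3600 20090705000000 20090601000000 12345 example.org. IjKl MnOp
"""
SAMPLE_RESPONSES = {
    "ns1.example.org.": GOOD,
    "ns2.example.org.": GOOD,
    "ns3.example.org.": GOOD,
    "ns-ext.example.net.": STALE,  # stands in for the out-of-date glue server
}

if __name__ == "__main__":
    print("servers to distrust:", audit_nameservers(SAMPLE_RESPONSES, NOW))
```

Run against real output, the list this returns is the set of servers on which a resolver that happens to pick that server (as Unbound does when it already holds the glue) will fail validation, while a resolver that walks all servers until one validates (the BIND behaviour described in the message) will still succeed. `serial_gt(2009070100, 2009070601)` being False is the RFC 1982 view of the decreased serial Jelte mentions: secondaries see it as older and do not transfer.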