[Unbound-users] Expired signature accepted?

Stephane Bortzmeyer bortzmeyer at nic.fr
Fri Oct 16 07:28:01 UTC 2009


keltia.net is signed, is in DLV an the signatures are expired since yesterday.

Yet, Unbound 1.3.2 accepts it and flags it as authentic:

% dig +dnssec MX keltia.net

; <<>> DiG 9.5.1-P3 <<>> +dnssec MX keltia.net
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6769
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 13

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;keltia.net.			IN	MX

;; ANSWER SECTION:
keltia.net.		86233	IN	MX	10 mail.keltia.net.
keltia.net.		86233	IN	RRSIG	MX 5 2 86400 20091015081308 20090915081308 25800 keltia.net. tXBmSqNYOS3yRbEpWo4Awd6idVvpNlrc02GEx2OYWMwapBDYPoANLhAb kl9lEgsHuVZQpDL//3pylsTAwVUvoy0TVCg7rWjwgvoMo/KTPmYZDldF uYe35HzuUdUJhlcOZbPGr5TtnpXf3cSZljDOp6DKOX879DhlMilsOMvD ZYs=

;; AUTHORITY SECTION:
keltia.net.		86233	IN	NS	ns0.keltia.net.
keltia.net.		86233	IN	NS	ns.frmug.org.
keltia.net.		86233	IN	NS	aran.keltia.net.
keltia.net.		86233	IN	RRSIG	NS 5 2 86400 20091015081308 20090915081308 25800 keltia.net. Sud5y0rCzuQUCjafZazlQ6vw0XC15TmBYDolM9bi6j19ehpgCeurBPGm YqsJwYB1u4L/LeFA56kC5cVZDplrZruafhcLrJKCAscS76QCYikOwV0I 5oIDnG9OMiI2lULeMQqRdZu1kT1qsPGQ9PT32HF9J7PRME5evNlDvxBE lo4=

;; ADDITIONAL SECTION:
mail.keltia.net.	86233	IN	A	82.230.37.243
mail.keltia.net.	86233	IN	AAAA	2001:660:330f:f820:213:72ff:fe15:f44
ns0.keltia.net.		86233	IN	A	82.230.37.243
ns0.keltia.net.		86233	IN	AAAA	2001:660:330f:f820:213:72ff:fe15:f44
aran.keltia.net.	86233	IN	A	88.191.250.24
aran.keltia.net.	86233	IN	AAAA	2a01:240:fe00:59::2
mail.keltia.net.	86233	IN	RRSIG	A 5 3 86400 20091015081308 20090915081308 25800 keltia.net. dm8kHHC1K2jMNAY+TOoqati2dxgSLPegZgTL7xGHVLQrBsvcFZVlptnB VG2KkWXtNoql5GckwEh4n8SYg2r1FA1cTHt1EnO6pD+k54v8z2nwuAiv ju4yZcFgM+tJA4QR7qrdwmnhsvGdcjsf/zkYgCzBStSELo3CSayYXOy0 UuA=
mail.keltia.net.	86233	IN	RRSIG	AAAA 5 3 86400 20091015081308 20090915081308 25800 keltia.net. ZsO9mcE8iNSx39ssAhylrP6vMYXmKWQpW1KXKXWr7P4cfnNM6pe5R/+0 6UrLNV1lMFIUU0MDRn0g3KdFGDt2yd0XDzGo03MUU2UuNl6GtKDMHM5q dQsGXz/LWerlrbPSOuKG5xpOs5rxCdgppYyAwmYo0GNn56WF9lmxrUeD +W8=
ns0.keltia.net.		86233	IN	RRSIG	A 5 3 86400 20091015081308 20090915081308 25800 keltia.net. Q8xG4YnbWZq2J9UASpaX6CBf9wmCKGxpVGy/H6qXZQ3+XA64dwLIOp7N dCh4C5s+3gTOKd8j6qpJ79R8CblobLKFPmcHoVXbZZipHYRaQegWAIKQ hslLCtqtvbzrItroiGTdU0jQshWnqnJByg5JMlL+F0d10yAsfCAFns61 AXM=
ns0.keltia.net.		86233	IN	RRSIG	AAAA 5 3 86400 20091015081308 20090915081308 25800 keltia.net. u2/WbIUXv83LalE644J8iP7GjEfffJsjT7ZWPxCsZrwT3uQCAKtiaYfL XZMHY0vPZ4nORqI5J72w1om1s3bxhs6NAmtISxSYQLpUGLzzyFRTpn7i 68or3eE0B23bI727yhByI3UUyYfbbT13ouKHOPULwHJmFPcgAdhg6Mmo yJc=
aran.keltia.net.	86233	IN	RRSIG	A 5 3 86400 20091015081308 20090915081308 25800 keltia.net. KOXB+XfAPLQcJhWPKCAid+dTt0VvntkcnpFJ2VWyKhnUgQPq42QDORUy aHhPAukDBOQ7yx6GYbEgC8DO/BQXKUGyBTA6erRjcIvM9SdsZJOFV6Cm lIjOPJRe/Q1JjX4MDjPCDux///C5AFMSCNaut2JjnGbweeHV0NpWWbRx QG0=
aran.keltia.net.	86233	IN	RRSIG	AAAA 5 3 86400 20091015081308 20090915081308 25800 keltia.net. EMpt7TYL53rK1ihab8uL5ytArqbVdvtHOMYAtp8sa8xJByEpTOGd9gSP aX8Ba6ifGOwCUONXIYtVRkgXQCxwITSlEbRPODcl/OaL3Yw+rrEgiaru WfZyBsWYLlXMDiRdSUxwld3a6umV267XEq52oeuEj4z0Kr7yvs1UYiNo CI8=

;; Query time: 0 msec
;; SERVER: ::1#53(::1)
;; WHEN: Fri Oct 16 09:26:45 2009
;; MSG SIZE  rcvd: 1615

BIND 9.5.1, rightly so, refuses it:


% dig +dnssec  MX keltia.net          

; <<>> DiG 9.5.1-P3 <<>> +dnssec MX keltia.net
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 48404
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;keltia.net.                    IN      MX

;; Query time: 992 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Oct 16 09:27:03 2009
;; MSG SIZE  rcvd: 39



More information about the Unbound-users mailing list