Maintained by: NLnet Labs

[Unbound-users] Possible bug: bogus validation result on non-existence proofs when asking for DS records (unbound 1.4.16)

Ondrej Mikle
Fri Apr 27 14:48:14 CEST 2012


Hi,

I've run into a strange result when querying for DS RRs (e.g. for
zone.nic.cz). The output of the attached script is:

Unbound version: 1.4.16
fqdn: nic.cz, status: 0, secure: 1, bogus: 0, why_bogus: None
fqdn: zone.nic.cz, status: 0, secure: 0, bogus: 1, why_bogus: validation failure <zone.nic.cz. DS IN>: nodata proof failed from 2001:678:f::1
fqdn: www.nic.cz, status: 0, secure: 0, bogus: 1, why_bogus: validation failure <www.nic.cz. DS IN>: nodata proof failed from 2001:678:1::1
fqdn: xn--mgbh0fb.xn--kgbechtv, status: 0, secure: 0, bogus: 1, why_bogus: validation failure <xn--mgbh0fb.xn--kgbechtv. DS IN>: nodata proof failed from 2001:648:2c30::1:10


The above queries via dig are OK.

Though if I query unbound running locally, I always get SERVFAIL (tried
on two machines; one had unbound 1.4.16 from the distribution, the other
I compiled from source).

Am I missing something or is it a bug?


Ondrej
-------------- next part --------------
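#!/usr/bin/env python
# Resolve DS records with libunbound's Python bindings and print the
# DNSSEC validation status of each answer.
from unbound import ub_ctx, ub_version, RR_TYPE_DS

print("Unbound version: %s" % ub_version())

u = ub_ctx()
# Root zone trust anchor (key tag 19036), given as a DS record.
u.add_ta(".   IN DS   19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5")
# Uncomment to forward to the resolvers listed in /etc/resolv.conf
# instead of resolving iteratively from the root.
#u.resolvconf("/etc/resolv.conf")

for fqdn in ("nic.cz", "zone.nic.cz", "www.nic.cz", "xn--mgbh0fb.xn--kgbechtv"):
    # s is the libunbound status code (0 = no error), r the result object.
    s, r = u.resolve(fqdn, RR_TYPE_DS)
    print("fqdn: %s, status: %s, secure: %s, bogus: %s, why_bogus: %s" %
          (fqdn, s, r.secure, r.bogus, r.why_bogus))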