[dns-operations] unbound-bind chain causing validation failures on synthesized records
Paul Wouters
paul at cypherpunks.ca
Mon Jul 9 19:18:25 UTC 2012
when forwarding unbound to a bind instance with dnssec support enabled,
but dnssec validation disabled, and when querying for a wildcard instance
(e.g. foo.fedorapeople.org), bind's reply to unbound is not satisfactory to
unbound. It seems unbound is expecting an NSEC/RRSIG over the NS record
set in the authority section, and marks the result bogus.
It is not entirely clear to me if this is a bind or unbound bug.
This can be simply reproduced by running bind 9.9.1 (or 9.8.x) using:
ip addr add 1.2.3.4 dev lo

named.conf:

options {
        listen-on port 53 { 1.2.3.4; };
        // listen-on-v6 port 53 { ::1; };
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query { localhost; };
        recursion yes;
        dnssec-enable yes;
        // dnssec-validation yes;
        // dnssec-lookaside auto;
        managed-keys-directory "/var/named/dynamic";
};
logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};
zone "." IN {
        type hint;
        file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
dig +dnssec foo.fedorapeople.org @1.2.3.4
; <<>> DiG 9.8.2-RedHat-9.8.2-2.fc16 <<>> +dnssec foo.fedorapeople.org @1.2.3.4
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27114
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 5
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;foo.fedorapeople.org. IN A
;; ANSWER SECTION:
foo.fedorapeople.org. 60 IN A 152.19.134.191
foo.fedorapeople.org. 60 IN RRSIG A 5 2 60 20120802165114 20120703165114 378 fedorapeople.org.
G3S+RaJMGia8V9rLWRKrhpM9oprjvro+TXw0oU+AuDiyt7vTGpbf/nan
ntGyZ2oiDXC4myyNjxlmaK1gtXyBtINhPzJX/tUgZR0AwE20iRfVxya2
10SpvZ+TRz4l3u4KLFxxu3SxC0hLY2NULFqW4WLPTxbQ4JoQnag4qi9F iiQ=
;; AUTHORITY SECTION:
fedorapeople.org. 86400 IN NS ns04.fedoraproject.org.
fedorapeople.org. 86400 IN NS ns02.fedoraproject.org.
fedorapeople.org. 86400 IN NS ns05.fedoraproject.org.
fedorapeople.org. 86400 IN NS ns-sb01.fedoraproject.org.
;; ADDITIONAL SECTION:
ns02.fedoraproject.org. 86400 IN A 152.19.134.139
ns04.fedoraproject.org. 86400 IN A 209.132.181.17
ns05.fedoraproject.org. 86400 IN A 85.236.55.10
ns-sb01.fedoraproject.org. 86400 IN A 69.174.247.243
;; Query time: 1821 msec
;; SERVER: 1.2.3.4#53(1.2.3.4)
;; WHEN: Mon Jul 9 15:04:13 2012
;; MSG SIZE rcvd: 398
The same query on unbound gives:
[root at bofh drafts]# dig +dnssec foo.fedorapeople.org @127.0.0.1
; <<>> DiG 9.8.2-RedHat-9.8.2-2.fc16 <<>> +dnssec foo.fedorapeople.org @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7115
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;foo.fedorapeople.org. IN A
;; ANSWER SECTION:
foo.fedorapeople.org. 60 IN A 152.19.134.191
foo.fedorapeople.org. 60 IN RRSIG A 5 2 60 20120802165114 20120703165114 378 fedorapeople.org.
G3S+RaJMGia8V9rLWRKrhpM9oprjvro+TXw0oU+AuDiyt7vTGpbf/nan
ntGyZ2oiDXC4myyNjxlmaK1gtXyBtINhPzJX/tUgZR0AwE20iRfVxya2
10SpvZ+TRz4l3u4KLFxxu3SxC0hLY2NULFqW4WLPTxbQ4JoQnag4qi9F iiQ=
;; AUTHORITY SECTION:
*.fedorapeople.org. 86400 IN NSEC fedorapeople.org. A AAAA RRSIG NSEC
*.fedorapeople.org. 86400 IN RRSIG NSEC 5 2 86400
20120802165114 20120703165114 378 fedorapeople.org.
L62mmhkOSmGil0ZusbSmpkdbhmxbXw9iJk/krJxV2FSjEy4k0wIh/4ug
gpya8ZWkXyoRSBkVf8EtF3cta+6tdOyetyAUkQoJGfryu1YtIUrDUbd0
yq93dMZsRcHBwuwapFQpcRM+Yrye1YDlup/R2Dai9RY3acezvJX1KCxU 0iY=
;; Query time: 51 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Jul 9 15:06:12 2012
;; MSG SIZE rcvd: 457
unbound, when configured to use the above bind as forwarder via
dnssec-trigger gives:
May 24 09:38:06 bradley unbound: [24502:1] info: validator operate: query foo.fedorapeople.org. A IN
May 24 09:38:06 bradley unbound: [24502:1] info: resolving foo.fedorapeople.org. A IN
May 24 09:38:06 bradley unbound: [24502:1] info: processQueryTargets: foo.fedorapeople.org. A IN
May 24 09:38:06 bradley unbound: [24502:1] info: DelegationPoint<.>: 0 names (0 missing), 2 addrs (0 result, 2 avail) cacheNS
May 24 09:38:06 bradley unbound: [24502:1] info: sending query: foo.fedorapeople.org. A IN
May 24 09:38:06 bradley unbound: [24502:1] info: mesh_run: end 1 recursion states (0 with reply, 1 detached), 0 waiting replies, 22 recursion replies sent, 0 replies dropped, 0 states jostled out
May 24 09:38:06 bradley unbound: [24502:1] info: average recursion processing time 3.168268 sec
May 24 09:38:06 bradley unbound: [24502:1] info: histogram of recursion processing times
May 24 09:38:06 bradley unbound: [24502:1] info: [25%]=0.563931 median[50%]=1 [75%]=2.33333
May 24 09:38:06 bradley unbound: [24502:1] info: lower(secs) upper(secs) recursions
May 24 09:38:06 bradley unbound: [24502:1] info: 0.002048 0.004096 1
May 24 09:38:06 bradley unbound: [24502:1] info: 0.016384 0.032768 1
May 24 09:38:06 bradley unbound: [24502:1] info: 0.131072 0.262144 2
May 24 09:38:06 bradley unbound: [24502:1] info: 0.262144 0.524288 1
May 24 09:38:06 bradley unbound: [24502:1] info: 0.524288 1.000000 6
May 24 09:38:06 bradley unbound: [24502:1] info: 1.000000 2.000000 5
May 24 09:38:06 bradley unbound: [24502:1] info: 2.000000 4.000000 3
May 24 09:38:06 bradley unbound: [24502:1] info: 16.000000 32.000000 3
May 24 09:38:06 bradley unbound: [24502:1] info: 0RDd mod1 foo.fedorapeople.org. A IN
May 24 09:38:06 bradley unbound: [24502:1] info: iterator operate: query foo.fedorapeople.org. A IN
May 24 09:38:06 bradley unbound: [24502:1] info: scrub for . NS IN
May 24 09:38:06 bradley unbound: [24502:1] info: response for foo.fedorapeople.org. A IN
May 24 09:38:06 bradley unbound: [24502:1] info: reply from <.> 203.2.75.132#53
May 24 09:38:06 bradley unbound: [24502:1] info: incoming scrubbed packet: ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 0
May 24 09:38:06 bradley unbound: [24502:1] info: query response was ANSWER
May 24 09:38:06 bradley unbound: [24502:1] info: finishing processing for foo.fedorapeople.org. A IN
May 24 09:38:06 bradley unbound: [24502:1] info: validator operate: query foo.fedorapeople.org. A IN
May 24 09:38:06 bradley unbound: [24502:1] info: signer is fedorapeople.org. TYPE0 CLASS0
May 24 09:38:06 bradley unbound: [24502:1] info: validator: FindKey foo.fedorapeople.org. A IN
May 24 09:38:06 bradley unbound: [24502:1] info: verify rrset foo.fedorapeople.org. A IN
May 24 09:38:06 bradley unbound: [24502:1] info: verify rrset fedorapeople.org. NS IN
May 24 09:38:06 bradley unbound: [24502:1] info: validator: response has failed AUTHORITY rrset: fedorapeople.org. NS IN
May 24 09:38:06 bradley unbound: [24502:1] info: validate(positive): sec_status_bogus
May 24 09:38:06 bradley unbound: [24502:1] info: resolving foo.fedorapeople.org. A IN
May 24 09:38:06 bradley unbound: [24502:1] info: processQueryTargets: foo.fedorapeople.org. A IN
May 24 09:38:06 bradley unbound: [24502:1] info: DelegationPoint<.>: 0 names (0 missing), 2 addrs (0 result, 2 avail) cacheNS
May 24 09:38:06 bradley unbound: [24502:1] info: sending query: foo.fedorapeople.org. A IN
May 24 09:38:06 bradley unbound: [24502:1] info: mesh_run: end 1 recursion states (0 with reply, 1 detached), 0 waiting replies, 22 recursion replies sent, 0 replies dropped, 0 states jostled out
May 24 09:38:06 bradley unbound: [24502:1] info: average recursion processing time 3.168268 sec
May 24 09:38:06 bradley unbound: [24502:1] info: histogram of recursion processing times
May 24 09:38:06 bradley unbound: [24502:1] info: [25%]=0.563931 median[50%]=1 [75%]=2.33333
May 24 09:38:06 bradley unbound: [24502:1] info: lower(secs) upper(secs) recursions
May 24 09:38:06 bradley unbound: [24502:1] info: 0.002048 0.004096 1
May 24 09:38:06 bradley unbound: [24502:1] info: 0.016384 0.032768 1
May 24 09:38:06 bradley unbound: [24502:1] info: 0.131072 0.262144 2
May 24 09:38:06 bradley unbound: [24502:1] info: 0.262144 0.524288 1
May 24 09:38:06 bradley unbound: [24502:1] info: 0.524288 1.000000 6
May 24 09:38:06 bradley unbound: [24502:1] info: 1.000000 2.000000 5
May 24 09:38:06 bradley unbound: [24502:1] info: 2.000000 4.000000 3
May 24 09:38:06 bradley unbound: [24502:1] info: 16.000000 32.000000 3
May 24 09:38:06 bradley unbound: [24502:1] info: 0RDd mod1 foo.fedorapeople.org. A IN
May 24 09:38:06 bradley unbound: [24502:1] info: iterator operate: query foo.fedorapeople.org. A IN
May 24 09:38:06 bradley unbound: [24502:1] info: scrub for . NS IN
May 24 09:38:06 bradley unbound: [24502:1] info: response for foo.fedorapeople.org. A IN
May 24 09:38:06 bradley unbound: [24502:1] info: reply from <.> 198.142.0.51#53
May 24 09:38:06 bradley unbound: [24502:1] info: incoming scrubbed packet: ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 0
May 24 09:38:06 bradley unbound: [24502:1] info: query response was ANSWER
May 24 09:38:06 bradley unbound: [24502:1] info: finishing processing for foo.fedorapeople.org. A IN
May 24 09:38:06 bradley unbound: [24502:1] info: validator operate: query foo.fedorapeople.org. A IN
May 24 09:38:06 bradley unbound: [24502:1] info: validator operate: chased to . TYPE0 CLASS0
May 24 09:38:06 bradley unbound: [24502:1] info: signer is fedorapeople.org. TYPE0 CLASS0
May 24 09:38:06 bradley unbound: [24502:1] info: validator: FindKey foo.fedorapeople.org. A IN
May 24 09:38:06 bradley unbound: [24502:1] info: verify rrset foo.fedorapeople.org. A IN
May 24 09:38:06 bradley unbound: [24502:1] info: verify rrset fedorapeople.org. NS IN
May 24 09:38:06 bradley unbound: [24502:1] info: validator: response has failed AUTHORITY rrset: fedorapeople.org. NS IN
May 24 09:38:06 bradley unbound: [24502:1] info: validate(positive): sec_status_bogus
Note that querying for the wildcard directly, e.g. dig '*.fedorapeople.org', works fine.
Paul
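The following is an added illustration, not code from the post, from BIND or from unbound. It takes simplified, constructed copies of the two responses quoted above (RRSIG signatures truncated, TTLs and the ADDITIONAL section dropped) and applies the two structural checks a validator makes on a wildcard-expanded positive answer: every RRset in the ANSWER and AUTHORITY sections of a signed response must carry an RRSIG, and an answer whose RRSIG labels field is smaller than the owner name's label count is a wildcard expansion and must be accompanied by an NSEC (or NSEC3) RRset in AUTHORITY proving no closer match exists (RFC 4035 section 3.1.3.3). The tuple record format and the function names are assumptions of this example.

```python
"""Structural DNSSEC check of a wildcard-expanded answer (added example)."""
from collections import defaultdict

# Constructed, abbreviated copies of the two responses quoted in the post.
# Each record is (section, owner, type, rdata). Signature data is truncated.
BIND_RESPONSE = [
    ("ANSWER", "foo.fedorapeople.org.", "A", "152.19.134.191"),
    ("ANSWER", "foo.fedorapeople.org.", "RRSIG",
     "A 5 2 60 20120802165114 20120703165114 378 fedorapeople.org. G3S+TRUNCATED"),
    ("AUTHORITY", "fedorapeople.org.", "NS", "ns04.fedoraproject.org."),
    ("AUTHORITY", "fedorapeople.org.", "NS", "ns02.fedoraproject.org."),
    ("AUTHORITY", "fedorapeople.org.", "NS", "ns05.fedoraproject.org."),
    ("AUTHORITY", "fedorapeople.org.", "NS", "ns-sb01.fedoraproject.org."),
]

UNBOUND_RESPONSE = [
    ("ANSWER", "foo.fedorapeople.org.", "A", "152.19.134.191"),
    ("ANSWER", "foo.fedorapeople.org.", "RRSIG",
     "A 5 2 60 20120802165114 20120703165114 378 fedorapeople.org. G3S+TRUNCATED"),
    ("AUTHORITY", "*.fedorapeople.org.", "NSEC", "fedorapeople.org. A AAAA RRSIG NSEC"),
    ("AUTHORITY", "*.fedorapeople.org.", "RRSIG",
     "NSEC 5 2 86400 20120802165114 20120703165114 378 fedorapeople.org. L62mTRUNCATED"),
]


def label_count(name):
    """Number of labels as the RRSIG labels field counts them: the root and a
    leading '*' wildcard label are not counted (RFC 4034 section 3.1.3)."""
    return len([l for l in name.rstrip(".").split(".") if l and l != "*"])


def group_rrsets(records):
    """Group records into RRsets keyed by (section, owner, type).
    RRSIGs are keyed by the type they cover instead of by 'RRSIG'."""
    rrsets = defaultdict(list)
    rrsigs = defaultdict(list)
    for section, owner, rtype, rdata in records:
        if rtype == "RRSIG":
            covered = rdata.split()[0]
            rrsigs[(section, owner, covered)].append(rdata)
        else:
            rrsets[(section, owner, rtype)].append(rdata)
    return rrsets, rrsigs


def check_wildcard_answer(records, qname):
    """Return (is_wildcard_expansion, list_of_problems) for a positive answer."""
    problems = []
    rrsets, rrsigs = group_rrsets(records)

    # 1. Every RRset in ANSWER/AUTHORITY of a signed response needs an RRSIG.
    #    An unsigned NS RRset here is exactly what unbound logs as
    #    "response has failed AUTHORITY rrset".
    for section, owner, rtype in rrsets:
        if (section, owner, rtype) not in rrsigs:
            problems.append("unsigned %s RRset %s in %s" % (rtype, owner, section))

    # 2. Detect wildcard expansion: RRSIG labels field < owner label count.
    #    The post's RRSIG has labels=2 over a three-label owner name.
    wildcard = False
    for (section, owner, _covered), sigs in rrsigs.items():
        if section == "ANSWER" and owner == qname:
            for sig in sigs:
                labels_field = int(sig.split()[2])
                if labels_field < label_count(owner):
                    wildcard = True

    # 3. A wildcard expansion must carry an NSEC/NSEC3 no-closer-match proof
    #    in AUTHORITY (RFC 4035 section 3.1.3.3).
    if wildcard:
        has_proof = any(sec == "AUTHORITY" and rtype in ("NSEC", "NSEC3")
                        for sec, _owner, rtype in rrsets)
        if not has_proof:
            problems.append("wildcard expansion without NSEC/NSEC3 no-closer-match proof")

    return wildcard, problems


if __name__ == "__main__":
    for name, resp in (("bind", BIND_RESPONSE), ("unbound", UNBOUND_RESPONSE)):
        wildcard, problems = check_wildcard_answer(resp, "foo.fedorapeople.org.")
        print(name, "wildcard=%s" % wildcard, problems or "ok")
```

Run against the two captures, the bind reply is flagged twice (unsigned NS RRset in AUTHORITY, and no NSEC proving the wildcard match), while the unbound reply, which carries the signed *.fedorapeople.org NSEC instead of the NS set, passes both checks; that matches the validator log above, where the failure is attributed to the fedorapeople.org. NS RRset in the AUTHORITY section.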