[dns-operations] Unbound vs. dnsviz DNSSEC edge-case, which is right?

Tony Finch dot at dotat.at
Wed Aug 10 11:02:04 UTC 2016


BIND thinks this is OK:

2016-08-10.11:43:37.094 dnssec: debug 3: validating _25._tcp.tjejhockey.se/CNAME: verify rdataset (keyid=7374): from wildcard
2016-08-10.11:43:37.094 dnssec: debug 3: validating _25._tcp.tjejhockey.se/CNAME: looking for noqname proof
2016-08-10.11:43:37.094 dnssec: debug 9: validating _25._tcp.tjejhockey.se/CNAME: validate_authority: creating validator for odu67o2pp21pb7toq3ltvtjvevpghgv5.tjejhockey.se NSEC3
2016-08-10.11:43:37.094 dnssec: debug 3:   validating odu67o2pp21pb7toq3ltvtjvevpghgv5.tjejhockey.se/NSEC3: starting
2016-08-10.11:43:37.094 dnssec: debug 3:   validating odu67o2pp21pb7toq3ltvtjvevpghgv5.tjejhockey.se/NSEC3: attempting positive response validation
2016-08-10.11:43:37.094 dnssec: debug 3:   validating odu67o2pp21pb7toq3ltvtjvevpghgv5.tjejhockey.se/NSEC3: keyset with trust secure
2016-08-10.11:43:37.095 dnssec: debug 3:   validating odu67o2pp21pb7toq3ltvtjvevpghgv5.tjejhockey.se/NSEC3: verify rdataset (keyid=7374): success
2016-08-10.11:43:37.095 dnssec: debug 3:   validating odu67o2pp21pb7toq3ltvtjvevpghgv5.tjejhockey.se/NSEC3: marking as secure, noqname proof not needed
2016-08-10.11:43:37.095 dnssec: debug 4:   validator @0x823bf6900: dns_validator_destroy
2016-08-10.11:43:37.095 dnssec: debug 3: validating _25._tcp.tjejhockey.se/CNAME: in authvalidated
2016-08-10.11:43:37.095 dnssec: debug 3: validating _25._tcp.tjejhockey.se/CNAME: resuming nsecvalidate
2016-08-10.11:43:37.095 dnssec: debug 3: validating _25._tcp.tjejhockey.se/CNAME: looking for relevant NSEC3
2016-08-10.11:43:37.095 dnssec: debug 3: validating _25._tcp.tjejhockey.se/CNAME: closest encloser from wildcard signature 'tjejhockey.se'
2016-08-10.11:43:37.095 dnssec: debug 3: validating _25._tcp.tjejhockey.se/CNAME: looking for relevant NSEC3
2016-08-10.11:43:37.095 dnssec: debug 3: validating _25._tcp.tjejhockey.se/CNAME: NSEC3 proves name does not exist: '_tcp.tjejhockey.se'
2016-08-10.11:43:37.095 dnssec: debug 3: validating _25._tcp.tjejhockey.se/CNAME: NSEC3 indicates optout
2016-08-10.11:43:37.095 dnssec: debug 3: validating _25._tcp.tjejhockey.se/CNAME: optout proof found
2016-08-10.11:43:37.095 dnssec: debug 3: validating _25._tcp.tjejhockey.se/CNAME: marking as answer (nsecvalidate (1))
2016-08-10.11:43:37.095 resolver: debug 3: fctx 0x81a804000(_25._tcp.tjejhockey.se/TLSA): validation OK

But the query subsequently fails when it tries to follow the CNAME because:

2016-08-10.11:43:37.363 resolver: debug 10: received packet from 93.188.0.21#53
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id:  37630
;; flags: qr; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1680
;; QUESTION SECTION:
;s07.hello-clarice.net.         IN      TLSA

Tony.
-- 
f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/  -  I xn--zr8h punycode
Fair Isle, Faeroes, Southeast Iceland: Variable 3 or 4 becoming cyclonic 4 or
5, occasionally 6 except in Fair Isle. Moderate. Rain or showers, fog patches.
Moderate or good, occasionally very poor.
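The proof BIND walks through in the log above (closest encloser taken from the wildcard signature, an NSEC3 covering the "next closer" name, that NSEC3 carrying Opt-Out) is the RFC 5155 section 8.8 wildcard-answer check. The following is an added example, not code from this post, from BIND or from Unbound, that performs that check over a constructed NSEC3 chain. Assumptions: the zone is hashed with the parameters of RFC 5155 Appendix A (salt aabbccdd, 12 iterations), the existing names `*.tjejhockey.se` and `www.tjejhockey.se` are made up, the real tjejhockey.se chain is not used, and the RRSIG Labels field is taken to be 2 because the log reports the closest encloser as `tjejhockey.se`. RRSIG verification is assumed to have already succeeded. The code reports whether the covering NSEC3 has Opt-Out set rather than deciding whether such an answer may be marked secure, which is the question the thread is about.

```python
"""Wildcard-answer proof check for an NSEC3 zone (RFC 5155 section 8.8).

Added example, not code from the post, BIND or Unbound. The NSEC3 chain is
constructed with the RFC 5155 Appendix A hash parameters, not the real zone.
"""
import base64
import hashlib
from dataclasses import dataclass

# base32hex (RFC 4648 section 7) preserves the binary sort order of the hashes
# when compared as strings, which is what walking the chain relies on.
_B32_TO_B32HEX = str.maketrans(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567", "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def b32hex(data: bytes) -> str:
    return base64.b32encode(data).decode().translate(_B32_TO_B32HEX).rstrip("=").lower()


def wire_name(name: str) -> bytes:
    """Canonical wire form (RFC 4034 section 6.2): lowercase, length-prefixed labels, root."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def nsec3_hash(name: str, salt: bytes, iterations: int) -> str:
    """SHA-1(name || salt), re-hashed `iterations` more times with the salt (RFC 5155 section 5)."""
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return b32hex(digest)


@dataclass
class NSEC3:
    owner: str      # hashed owner label
    next_hash: str  # next hashed owner name in the chain
    optout: bool    # Opt-Out flag (RFC 5155 section 3.1.2.1)


def covers(rr: NSEC3, h: str) -> bool:
    """True if h lies strictly between owner and next (the last record wraps round to the first)."""
    if rr.owner < rr.next_hash:
        return rr.owner < h < rr.next_hash
    return h > rr.owner or h < rr.next_hash


def build_chain(names, salt: bytes, iterations: int, optout: bool):
    """Hash every existing name and link the hashes into a sorted chain (constructed zone)."""
    hashes = sorted(nsec3_hash(n, salt, iterations) for n in names)
    return [NSEC3(h, hashes[(i + 1) % len(hashes)], optout) for i, h in enumerate(hashes)]


def check_wildcard_answer(qname: str, rrsig_labels: int, chain, salt: bytes, iterations: int):
    """RFC 5155 section 8.8 for an answer synthesised from a wildcard.

    The closest encloser is the rightmost `rrsig_labels` labels of QNAME (the
    wildcard minus its '*'); the validator must find an NSEC3 covering the next
    closer name. Returns (status, closest_encloser, next_closer) where status is
    "secure", "optout" (the covering NSEC3 has Opt-Out set, BIND's "optout proof
    found") or "bogus" (nothing covers the next closer name).
    """
    labels = qname.rstrip(".").split(".")
    if rrsig_labels >= len(labels):
        raise ValueError("RRSIG Labels field does not indicate wildcard expansion")
    closest_encloser = ".".join(labels[-rrsig_labels:])
    next_closer = ".".join(labels[-(rrsig_labels + 1):])
    h = nsec3_hash(next_closer, salt, iterations)
    cover = next((rr for rr in chain if covers(rr, h)), None)
    if cover is None:
        return ("bogus", closest_encloser, next_closer)
    if cover.optout:
        return ("optout", closest_encloser, next_closer)
    return ("secure", closest_encloser, next_closer)


# Hash parameters from RFC 5155 Appendix A; names other than the apex are made up.
SALT, ITERATIONS = bytes.fromhex("aabbccdd"), 12
QNAME, WILDCARD_LABELS = "_25._tcp.tjejhockey.se", 2   # Labels=2 means *.tjejhockey.se
EXISTING = ["tjejhockey.se", "*.tjejhockey.se", "www.tjejhockey.se"]


def scenarios():
    """Same wildcard answer against three constructed chains."""
    run = lambda names, optout: check_wildcard_answer(
        QNAME, WILDCARD_LABELS, build_chain(names, SALT, ITERATIONS, optout), SALT, ITERATIONS)[0]
    return {
        "opt-out zone": run(EXISTING, True),
        "fully signed zone": run(EXISTING, False),
        # If _tcp.tjejhockey.se really exists, *.tjejhockey.se cannot have matched the
        # query, so a wildcard-expanded answer claiming Labels=2 must be rejected.
        "forged, _tcp exists": run(EXISTING + ["_tcp.tjejhockey.se"], False),
    }


if __name__ == "__main__":
    for zone, status in scenarios().items():
        print(f"{zone}: {status}")
```

The chain is built from the existing names' hashes, so the example does not depend on where the hash of `_tcp.tjejhockey.se` lands; only the flag on the covering record and whether `_tcp` exists change the outcome.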