Hello,

I experience the following problem with unbound-1.1.1.
Is it a bug? Or I hope somebody will kindly point out my fault.

What I did is the following.
- Sign the zone data of "example.jp", which contains an HINFO
  RR, with dnssec-signzone in BIND-9.4.2; the key is generated
  by dnssec-keygen in BIND-9.4.2, too.
- Serve the zone by NSD 3.2.0.

The result is the following.
- Looking up the HINFO RR via named (recursive only) results
  in NOERROR.
- Looking up via unbound 1.1.1 results in SERVFAIL. unbound says
  "message contains bad rrsets" at that time.
- Looking up the A RR of the same owner via unbound results
  in NOERROR.

# example.jp before signing:
$TTL 1m
@       IN      SOA     ns.example.jp. hostmaster.example.jp. (
                        0       ; overridden by dnssec-signzone
                        15m
                        10m
                        4w
                        15m)
$INCLUDE ksk.key
$INCLUDE zsk.key
        NS      ns.example.jp.
ns      A       10.2.0.18
foo     A       10.20.30.40
        HINFO   VMware FreeBSD
--------------------------------------------------

# signed zone data around "foo.example.jp":
foo.example.jp.         60      IN A    10.20.30.40
                        60      RRSIG   A 5 3 60 20090220070924 (
                                        20090106070924 13872 example.jp.
                                        XVEbPz8vAVUg5xIAEJ9qPgI0iziEinvGpmB9
                                        QbMSK8SNWCIkoTIpu/VNr6pk7bztEXPCLWWF
                                        GWEIdi2lN+8Scoeq3BaqAZTu+3NlLVR4XLfA
                                        v/2cz7GCmFExsEuRhlCQ )
                        60      HINFO   "VMware" "FreeBSD"
                        60      RRSIG   HINFO 5 3 60 20090220070924 (
                                        20090106070924 13872 example.jp.
                                        YUhRwiZF8O8pU/yFZAeGRwiydFNIsLgHrVLd
                                        o1jphx4elWCHGmW+BWh3yZTM6iz3vNTDsksp
                                        1qTuHHVpPsBCRO5u3sb1Q2u7ahxT4wq1vy8I
                                        U1s8GYlyyx6NWEDRSi11 )
                        900     NSEC    ns.example.jp. A HINFO RRSIG NSEC
                        900     RRSIG   NSEC 5 3 900 20090220070924 (
                                        20090106070924 13872 example.jp.
                                        UDV79onp1LJjPW2qOeh8CJnDwxdnBDr5TAqx
                                        20YePlbVgUQDAK6himevg605SxfNULrnGH3i
                                        3eEaG8B//5zh7YOEdNNDDsNS3qMzRLAK9FcV
                                        QzPh0O0wvux8BqWNYR98 )
--------------------------------------------------
# output of dig via unbound:

Script started on Tue Jan  6 17:20:12 2009
k...@vm1[1]% dig +dnssec @127.0.0.1 foo.example.jp HINFO

; <<>> DiG 9.4.2 <<>> +dnssec @127.0.0.1 foo.example.jp HINFO
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 44138
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;foo.example.jp.                        IN      HINFO

;; Query time: 4 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Jan  6 17:20:26 2009
;; MSG SIZE  rcvd: 43

k...@vm1[2]% dig +dnssec @127.0.0.1 foo.example.jp A

; <<>> DiG 9.4.2 <<>> +dnssec @127.0.0.1 foo.example.jp A
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3293
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;foo.example.jp.                        IN      A

;; ANSWER SECTION:
foo.example.jp.         60      IN      A       10.20.30.40
foo.example.jp.         60      IN      RRSIG   A 5 3 60 20090220070924 
20090106070924 13872 example.jp. 
XVEbPz8vAVUg5xIAEJ9qPgI0iziEinvGpmB9QbMSK8SNWCIkoTIpu/VN 
r6pk7bztEXPCLWWFGWEIdi2lN+8Scoeq3BaqAZTu+3NlLVR4XLfAv/2c z7GCmFExsEuRhlCQ

;; AUTHORITY SECTION:
example.jp.             60      IN      NS      ns.example.jp.
example.jp.             60      IN      RRSIG   NS 5 2 60 20090220070924 
20090106070924 13872 example.jp. 
cci1b3UmL83L6Hwww+Iyxrp8x7d99WILt06c7i408zYTnPXZuc1TW/G3 
H474aPsIBvzSnvhPqd8i4DgoNFGfEWPuSDA3WfIHIUAu5olHiirbihVt HO8bJZmSO8ZI3xGH

;; ADDITIONAL SECTION:
ns.example.jp.          60      IN      A       10.2.0.18
ns.example.jp.          60      IN      RRSIG   A 5 3 60 20090220070924 
20090106070924 13872 example.jp. 
Czz86H3IEVaBSn3MtoBuJPLIh4+9wFXY7lWIgzJPQ6bBOTzLEVAu2YQb 
Xz03WVXrn16M96/EYx1IeKPo7yhRK75JBZiQCqee+6EDbFd5j9W52lTW HULpVxuuykPfysv3

;; Query time: 2 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Jan  6 17:20:37 2009
;; MSG SIZE  rcvd: 506

k...@vm1[3]% exit

Script done on Tue Jan  6 17:20:39 2009
--------------------------------------------------

# output of dig via named:

Script started on Tue Jan  6 17:19:00 2009
k...@vm1[1]% dig +dnssec @127.0.0.1 foo.example.jp HINFO

; <<>> DiG 9.4.2 <<>> +dnssec @127.0.0.1 foo.example.jp HINFO
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57200
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;foo.example.jp.                        IN      HINFO

;; ANSWER SECTION:
foo.example.jp.         60      IN      HINFO   "VMware" "FreeBSD"
foo.example.jp.         60      IN      RRSIG   HINFO 5 3 60 20090220070924 
20090106070924 13872 example.jp. 
YUhRwiZF8O8pU/yFZAeGRwiydFNIsLgHrVLdo1jphx4elWCHGmW+BWh3 
yZTM6iz3vNTDsksp1qTuHHVpPsBCRO5u3sb1Q2u7ahxT4wq1vy8IU1s8 GYlyyx6NWEDRSi11

;; AUTHORITY SECTION:
example.jp.             60      IN      NS      ns.example.jp.
example.jp.             60      IN      RRSIG   NS 5 2 60 20090220070924 
20090106070924 13872 example.jp. 
cci1b3UmL83L6Hwww+Iyxrp8x7d99WILt06c7i408zYTnPXZuc1TW/G3 
H474aPsIBvzSnvhPqd8i4DgoNFGfEWPuSDA3WfIHIUAu5olHiirbihVt HO8bJZmSO8ZI3xGH

;; Query time: 6 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Jan  6 17:19:18 2009
;; MSG SIZE  rcvd: 363

k...@vm1[2]% exit

Script done on Tue Jan  6 17:19:20 2009
--------------------------------------------------

# output of unbound:

Script started on Tue Jan  6 17:19:43 2009
k...@vm1[1]% /usr/bin/su
Password:
vm1# /proj/unbound-1.1.1/sbin/unbound -d -v
[1231229999] unbound[28416:0] notice: Start of unbound 1.1.1.
[1231229999] unbound[28416:0] notice: init module 0: validator
[1231229999] unbound[28416:0] notice: init module 1: iterator
[1231229999] unbound[28416:0] notice: openssl has no entropy, seeding with time and pid
[1231229999] unbound[28416:0] info: start of service (unbound 1.1.1).
[1231230026] unbound[28416:0] info: resolving <foo.example.jp. HINFO IN>
[1231230026] unbound[28416:0] info: priming . IN NS
[1231230026] unbound[28416:0] info: response for <. NS IN>
[1231230026] unbound[28416:0] info: reply from <.> 10.2.0.18#53
[1231230026] unbound[28416:0] info: query response was ANSWER
[1231230026] unbound[28416:0] info: priming successful for <. NS IN>
[1231230026] unbound[28416:0] info: response for <foo.example.jp. HINFO IN>
[1231230026] unbound[28416:0] info: reply from <.> 10.2.0.18#53
[1231230026] unbound[28416:0] info: query response was ANSWER
[1231230026] unbound[28416:0] info: prime trust anchor
[1231230026] unbound[28416:0] info: resolving <example.jp. DNSKEY IN>
[1231230026] unbound[28416:0] info: response for <example.jp. DNSKEY IN>
[1231230026] unbound[28416:0] info: reply from <example.jp.> 10.2.0.18#53
[1231230026] unbound[28416:0] info: query response was ANSWER
[1231230026] unbound[28416:0] info: validate keys with anchor(DNSKEY): sec_status_secure
[1231230026] unbound[28416:0] info: Successfully primed trust anchor <example.jp. DNSKEY IN>
[1231230026] unbound[28416:0] info: Validate: message contains bad rrsets
[1231230037] unbound[28416:0] info: resolving <foo.example.jp. A IN>
[1231230037] unbound[28416:0] info: response for <foo.example.jp. A IN>
[1231230037] unbound[28416:0] info: reply from <example.jp.> 10.2.0.18#53
[1231230037] unbound[28416:0] info: query response was ANSWER
[1231230037] unbound[28416:0] info: validate(positive): sec_status_secure
[1231230037] unbound[28416:0] info: validation success <foo.example.jp. A IN>
^C[1231230041] unbound[28416:0] info: service stopped (unbound 1.1.1).
[1231230041] unbound[28416:0] info: server stats for thread 0: 2 queries, 0 answers from cache, 2 recursions
[1231230041] unbound[28416:0] info: server stats for thread 0: requestlist max 0 avg 0 exceeded 0
[1231230041] unbound[28416:0] info: mesh has 0 recursion states (0 with reply, 0 detached), 0 waiting replies, 2 recursion replies sent, 0 replies dropped, 0 states jostled out
[1231230041] unbound[28416:0] info: average recursion processing time 0.001426 sec
[1231230041] unbound[28416:0] info: histogram of recursion processing times
[1231230041] unbound[28416:0] info: [25%]=0 median[50%]=0 [75%]=0
[1231230041] unbound[28416:0] info: lower(secs) upper(secs) recursions
[1231230041] unbound[28416:0] info:    0.000512    0.001024 1
[1231230041] unbound[28416:0] info:    0.002048    0.004096 1
vm1# exit
exit
k...@vm1[2]% exit

Script done on Tue Jan  6 17:20:45 2009
--------------------------------------------------

# unbound.conf:

server:
        do-ip6: no
        chroot: /proj/unbound
        root-hints: fake-root
        username: bind
        logfile: ""
        pidfile: /var/run/unbound.pid
#       trust-anchor-file: trust-anchor/dsset-example.jp.
#       trust-anchor-file: trust-anchor/keyset-example.jp.
        trusted-keys-file: trusted-keys/example.jp

remote-control:
        control-enable: yes
--------------------------------------------------


If any other information is required, please let me know.

Don't ask the reason why I wish to use HINFO today :-p

Thanks in advance.

                                        Koh-ichi Ito
                                Internet Research Institute, Inc.
_______________________________________________
Unbound-users mailing list
[email protected]
http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
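
For readers following the report: the bytes a validator checks the RRSIG HINFO signature over, built per RFC 4034 section 3.1.8.1 from the values in the signed zone data above. This is an added example, not part of the original post and not Unbound's code; the function names are hypothetical, and it only builds the signed data (the zone's DNSKEY is not in the post, so no signature is verified).

```python
import calendar
import struct
import time

TYPE_HINFO, CLASS_IN = 13, 1

def name_to_wire(name):
    """Canonical wire form of a domain name: lowercased, uncompressed labels."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def char_string(text):
    """A DNS <character-string>: one length octet, then the bytes unchanged."""
    raw = text.encode("ascii")
    return bytes([len(raw)]) + raw

def rrsig_time(stamp):
    """Convert YYYYMMDDHHmmSS (UTC) to the 32-bit seconds value in RRSIG RDATA."""
    return calendar.timegm(time.strptime(stamp, "%Y%m%d%H%M%S"))

def signed_data(owner, rrtype, rdatas, alg, labels, orig_ttl,
                expire, incept, key_tag, signer):
    """RRSIG RDATA without the signature field, then each RR in canonical order."""
    head = struct.pack("!HBBIIIH", rrtype, alg, labels, orig_ttl,
                       rrsig_time(expire), rrsig_time(incept), key_tag)
    head += name_to_wire(signer)
    # Every RR in the set shares owner, type, class and the RRSIG's original TTL.
    rr_prefix = name_to_wire(owner) + struct.pack("!HHI", rrtype, CLASS_IN, orig_ttl)
    # RRs are ordered by RDATA compared as unsigned octet strings.
    body = b"".join(rr_prefix + struct.pack("!H", len(r)) + r for r in sorted(rdatas))
    return head + body

# HINFO RDATA holds two character-strings (CPU, OS) and no domain names.
HINFO_RDATA = char_string("VMware") + char_string("FreeBSD")

# Field values copied from the "RRSIG HINFO 5 3 60 ..." record in the post.
DATA = signed_data("foo.example.jp.", TYPE_HINFO, [HINFO_RDATA], 5, 3, 60,
                   "20090220070924", "20090106070924", 13872, "example.jp.")

if __name__ == "__main__":
    print(len(DATA), DATA.hex())
```

A validator hashes these bytes and checks the result against the RRSIG's signature field using the DNSKEY with key tag 13872; any difference in how the RDATA octets are formed makes that check fail.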
