Hi,
Without DNSSEC, forwarding is working fine. With DNSSEC enabled (I am
using DLV), forwarding fails when I forward my queries to a server
that isn't DNSSEC-enabled.
The output from the log looks like this:
[1246456813] unbound[7919:0] info: validator operate: query <dlv.isc.org.. DNSKEY IN>
[1246456813] unbound[7919:0] debug: validator: nextmodule returned
[1246456813] unbound[7919:0] debug: not validating response due to CD bit
[1246456813] unbound[7919:0] debug: mesh_run: validator module exit state is module_finished
[1246456813] unbound[7919:0] info: validator: inform_super, sub is <dlv.isc.org. DNSKEY IN>
[1246456813] unbound[7919:0] info: super is <mail.google.com.dlv.isc.org.. DLV IN>
[1246456813] unbound[7919:0] info: verify rrset <dlv.isc.org. DNSKEY IN>
[1246456813] unbound[7919:0] debug: rrset failed to verify due to a lack of signatures
[1246456813] unbound[7919:0] debug: verify result: sec_status_bogus
[1246456813] unbound[7919:0] info: validate keys with anchor(DNSKEY): sec_status_bogus
[1246456813] unbound[7919:0] info: failed to prime trust anchor -- could not fetch secure DNSKEY rrset <dlv.isc.org. DNSKEY IN>
[1246456813] unbound[7919:0] debug: validator[module 0] operate: extstate:module_wait_subquery event:module_event_pass
[1246456813] unbound[7919:0] info: validator operate: query <mail.google..com.dlv.isc.org. DLV IN>
[1246456813] unbound[7919:0] debug: val handle processing q with state VAL_VALIDATE_STATE
[1246456813] unbound[7919:0] info: processValidate: state has no signer name <mail.google.com.dlv.isc.org. DLV IN>
[1246456813] unbound[7919:0] info: Could not establish validation of INSECURE status of unsigned response.
[1246456813] unbound[7919:0] debug: val handle processing q with state VAL_FINISHED_STATE
The failure appears because of a signature mismatch. But why is
validation taking place when the actual resolver can't talk DNSSEC? My
config file looks like this:
server:
    verbosity: 5
    interface: 0.0.0.0
    port: 53
    do-ip4: yes
    do-ip6: yes
    do-udp: yes
    do-tcp: yes
    do-daemonize: yes
    access-control: 0.0.0.0/0 allow
    chroot: /etc/unbound
    username: ""
    directory: /etc/unbound/
    use-syslog: no
    pidfile: /var/run/unbound.pid
    root-hints: /etc/unbound/named.cache
    logfile: /etc/unbound/unbound.log
    dlv-anchor-file: dlv.isc.org.key

forward-zone:
    name: "."
    forward-addr: 68.87.68.170
Is this the expected behaviour, or am I missing something here? Why can't the
resolution proceed when the forwarder (unbound) can talk DNSSEC and the actual
resolver can't?
thanks,
Harish
_______________________________________________
Unbound-users mailing list
[email protected]
http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
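The log above shows the validator failing with "rrset failed to verify due to a lack of signatures": Unbound sends its upstream queries with the EDNS0 DO bit set and expects RRSIG records back, and an upstream that does not pass DNSSEC material through leaves it with nothing to verify. The script below is an added example, not from the thread or from the Unbound project, for checking whether a forwarder returns RRSIGs for a DO query. It uses only the Python standard library; the two sample responses it checks offline are constructed inline, and the `probe()` helper and its default query name are assumptions for a live check against a forwarder you operate.

```python
"""Check whether an upstream forwarder passes DNSSEC material (RRSIG) through.

Added example: builds a DNS query with the EDNS0 DO bit set (RFC 3225), then
parses a response and reports whether RRSIG records and the AD/DO flags are
present. A forwarder that strips RRSIGs will make a validating resolver such as
Unbound report "lack of signatures" for signed zones.
"""
import socket
import struct
import sys

TYPE_A, TYPE_OPT, TYPE_RRSIG = 1, 41, 46
DO_FLAG = 0x8000          # DO bit lives in the upper half of the OPT "TTL" field
AD_FLAG = 0x0020          # AD bit in the DNS header flags


def encode_name(name):
    """Encode a dotted name in DNS wire format (uncompressed)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_do_query(name, qtype, txid=0x1234):
    """Query with RD set plus an OPT RR (UDP size 4096) carrying the DO bit."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    opt = b"\x00" + struct.pack("!HHBBHH", TYPE_OPT, 4096, 0, 0, DO_FLAG, 0)
    return header + question + opt


def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) wire-format name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:          # compression pointer: 2 bytes total
            return off + 2
        off += 1 + length


def parse_response(msg):
    """Summarise a response: rcode, AD flag, DO flag, and RR types seen."""
    _txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4      # qtype + qclass
    types, do = [], False
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == TYPE_OPT:
            do = bool(ttl & DO_FLAG)       # OPT TTL = ext-rcode | version | flags
        else:
            types.append(rtype)
        off += 10 + rdlen
    return {"rcode": flags & 0xF, "ad": bool(flags & AD_FLAG), "do": do, "types": types}


def forwarder_passes_dnssec(msg):
    """True when the response carries at least one RRSIG record."""
    return TYPE_RRSIG in parse_response(msg)["types"]


def build_response(name, rrsig=False, do=True, ad=False):
    """Constructed sample answer to an A query (192.0.2.1, documentation range)."""
    flags = 0x8180 | (AD_FLAG if ad else 0)            # QR, RD, RA (+AD)
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, 1 + int(rrsig), 0, 1)
    msg = header + encode_name(name) + struct.pack("!HH", TYPE_A, 1)
    msg += b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, 1, 300, 4) + bytes([192, 0, 2, 1])
    if rrsig:   # placeholder RRSIG rdata; only its presence matters for this check
        msg += b"\xc0\x0c" + struct.pack("!HHIH", TYPE_RRSIG, 1, 300, 20) + b"\x00" * 20
    msg += b"\x00" + struct.pack("!HHBBHH", TYPE_OPT, 4096, 0, 0, DO_FLAG if do else 0, 0)
    return msg


def probe(server, name="mail.google.com", timeout=3.0):
    """Live check (needs network): send a DO query over UDP and summarise the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_do_query(name, TYPE_A), (server, 53))
        data, _ = s.recvfrom(4096)
    return parse_response(data)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(probe(sys.argv[1]))
    else:
        for label, resp in (("signed upstream", build_response("mail.google.com", rrsig=True)),
                            ("stripping upstream", build_response("mail.google.com"))):
            print(label, "-> RRSIG present:", forwarder_passes_dnssec(resp))
```

Run it with no arguments to see the two constructed cases, or with a forwarder address (`python3 check_do.py 192.0.2.53`, placeholder address) to see what that server actually returns for a DO query. If RRSIGs are absent for a signed name, the fix is on the Unbound side: either forward to an upstream that passes DNSSEC records through, or let Unbound resolve directly via the root hints instead of through `forward-zone`.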