-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi Sebastian,
On 02/23/2011 06:01 AM, Sebastian Castro wrote: > Hi: > > I'm setting up Unbound to do DNSSEC validation but for zones signed in a > lab environment. > > Currently the configuration says: > > server: > verbosity: 2 > interface: 192.168.22.187@53053 > port: 53 > do-ip4: yes > do-ip6: no > access-control: 192.168.2.0/24 allow > access-control: 192.168.22.0/24 allow > access-control: 192.168.157.22/32 allow > access-control: 192.168.159.20/32 allow > access-control: 172.0.0.0/8 allow > chroot: "" > logfile: "/var/log/unbound.log" > use-syslog: no > log-time-ascii: yes > trust-anchor-file: "/opt/etc/unbound/ta.txt" > val-log-level: 2 > stub-zone: > name: "parent" > stub-addr: A.B.C.D@53 > stub-prime: no Here needs to be another stub-zone: line to start another stub-zone. > name: "child1.parent" > stub-addr: A.B.C.D@53 > stub-prime: no > > A.B.C.D is serving a signed zone for parent and child1.parent with valid > data (sig chasing with dig or drill works). > > If I try querying Unbound for <SOA, parent>, I get an answer but no AD bit. You have to use +dnssec to get the AD bit on the reply. If the signature failed you would not get a reply, so I think it validated. > > dig soa parent @192.168.22.187 -p 53053 > > > If we query for <SOA, child1.parent> we get SERVFAIL. The validation log > shows it's using the stub for <SOA, child1.parent> and for <DS, > child1.parent>, but it's using the NS records from the zone (which don't > have a signed zone) to look for the DNSKEY, breaking the validation. I think the config above may be nicer, but this description could be some other trouble perhaps, I assume it means it is confused by the lack of a stub-zone: label creating a new stub-zone entry (and the settings simply override the name and add an address.) > Based on this message from the mailing list > http://www.unbound.net/pipermail/unbound-users/2008-October/000240.html > I thought when specifying the port in the stub-addr option the NS > records will be ignored, but I'm wrong. > > I also tried adding as local-data the names of the nameservers for the > zone pointing to the authoritative nameserver serving the signed zone, > but it didn't work. It looks like this: > > local-data: "ns1.parent A A.B.C.D" > local-data: "ns2.parent A A.B.C.D" > > So, Has anyone tried this in a lab to test validation? > Any suggestions to make it work as intended? Best regards, Wouter -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.15 (GNU/Linux) Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org/ iEYEARECAAYFAk1ksR0ACgkQkDLqNwOhpPgVewCbBry+Lmi/fVjS26cCLcvaUEwT 35cAn0FmvszI+5XptRuFszcSpafB6j1k =dDi+ -----END PGP SIGNATURE----- _______________________________________________ Unbound-users mailing list [email protected] http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
