Hi. I have a case here where RRSIGs expired, yet Unbound still sets the "AD" flag in responses. The records have a TTL of 2 days, so I think the signatures expired while in the cache and Unbound did not revalidate them before handing out the answer.
I'm not too deep into the details of all DNSSEC RFCs. Is this behaviour permitted by the standard or is it a bug in Unbound? Installed version is svn rev. 2406.

> ; <<>> DiG 9.8.0rc1 <<>> +dnssec mixmaster.mixmin.net mx @10.42.22.8
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13580
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 9
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 65432
> ;; QUESTION SECTION:
> ;mixmaster.mixmin.net. IN MX
>
> ;; ANSWER SECTION:
> mixmaster.mixmin.net. 18287 IN MX 10 snorky.mixmin.net.
> mixmaster.mixmin.net. 18287 IN RRSIG MX 5 3 172800 20110328161855
> 20110226161855 58161 mixmin.net.
> xIOOe273z9oJb6EM4l0/KzqrYYXUHUbQRP89U1GMjyJ/hYdNhRZGzCj2
> RcRx21v3hjL+1F9KCc280MqXUo6FGKUBC4ZQ09geQ5dkHEesXi8Cwoo1
> QcETDvSmTR3/PN0Bz/Ho77m/+7DgrV6dRexABBpTWNYio+OBO8kCR1+y iq0=
>
> ;; AUTHORITY SECTION:
> mixmin.net. 16906 IN NS asteria.debian.or.at.
> mixmin.net. 16906 IN NS snorky.mixmin.net.
> mixmin.net. 16906 IN NS fleegle.mixmin.net.
> mixmin.net. 16906 IN RRSIG NS 5 2 172800 20110328161855
> 20110226161855 58161 mixmin.net.
> ezh+yZwfiaI7D9j0m5cV2nhVb7SLPpx3OJymq7GyjT/q3foKCBTUNq5A
> CqQP5c/ewSenV2uFeDVhQLaeldT6O6Sv+V+Wa+OU7Xc6qFE4IXjM4+Uv
> DjUhk+e/kV81Gh+I3Z5AvmQ9/H5dTCno6HBp/lzoDj/iU11tcWw3cnK+ K2w=
>
> ;; ADDITIONAL SECTION:
> snorky.mixmin.net. 16906 IN A 188.40.76.149
> snorky.mixmin.net. 16906 IN AAAA 2a01:4f8:100:5243::3
> fleegle.mixmin.net. 16906 IN A 82.133.6.118
> fleegle.mixmin.net. 16906 IN AAAA 2002:5285:676::1
> snorky.mixmin.net. 16906 IN RRSIG A 5 3 172800 20110328161855
> 20110226161855 58161 mixmin.net.
> 5+XnM1ATswU8jCbVfEv8YXGbJV2XPH3bbLmNwHCe5Kr+WmMTZ4T/+udL
> 8fwh/TxDnEDTj5/MZOC5C/7z1/FbPwzkBU5sYWezLnCNrq7IyWr7WlHe
> nZBu47J48xQuTz1Ag74mCIBUNfEvZ72TPnjEr5X+O1wDfSfcCFOP4nYB sJE=
> snorky.mixmin.net. 16906 IN RRSIG AAAA 5 3 172800
> 20110328161855 20110226161855 58161 mixmin.net.
> y5a5ai11w1lERhTwlXGj8pcACFSuvcQcKokFHQ/fVBO5b30BKRs2rQ6P
> n37RO0p9WfcXgYg3Exhv6ae9FyPfbAjHwmGFCr/wl5MJN1s24DG9aj2b
> L/Rf+AK+Vunyjg4GXYLBZVaC59CZNef/gXlSFquh9RKKwcjVMI8/HM0j JYQ=
> fleegle.mixmin.net. 16906 IN RRSIG A 5 3 172800 20110328161855
> 20110226161855 58161 mixmin.net.
> 5aglAu0Q61hTr+8lpJk2zWt6XJ9U7sO2Vl6tktDTh4ywr3JR/CrbnzRS
> jeOO0ZOPopXenSUayQ7t5q7LP2wD2giP9YSWsrFXZBZ0a2po5vkxCsCg
> aY6LKNPK6tXV2uuZWw0s4XOwC0y7HZ6W2j8atovfVrghtx8Tn0gkL7V0 uVA=
> fleegle.mixmin.net. 16906 IN RRSIG AAAA 5 3 172800
> 20110328161855 20110226161855 58161 mixmin.net.
> XZWrf/dDj1RgG3cAXBB2oTKgi0tqAkJf4q8lNc0l2i/eqSYiaZAEHEgC
> RmRVG4W+GmSrb5vp49NCATcCFDe/vmHH9TlN60hQVFkdj6P3i8t/2TxC
> M9EUtCeX0prPCNuZpJeLYBuXU03hFEnyUag3td6mgW9pCSGaW4c3nxR5 tZo=
>
> ;; Query time: 25 msec
> ;; SERVER: 10.42.22.8#53(10.42.22.8)
> ;; WHEN: Wed Mar 30 13:39:12 2011
> ;; MSG SIZE rcvd: 1250

Hauke.
_______________________________________________
Unbound-users mailing list
http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
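A time check over the answer shown above, as an added example that is not part of the original post or of Unbound: it reads the AD flag and each RRSIG's validity window from dig output and compares them, and the cached TTL, with the query time. The names `check_answer`, `SAMPLE` and `ASSUMED_NOW` are hypothetical, the sample is constructed from the post's MX RRSIG, and reading dig's WHEN line as UTC is an assumption.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the flags line and the MX RRSIG from the dig output
# above, joined onto one line, signature bytes left out (not needed here).
SAMPLE = """\
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 9
mixmaster.mixmin.net. 18287 IN RRSIG MX 5 3 172800 20110328161855 20110226161855 58161 mixmin.net.
"""

# Assumption: dig's WHEN line (Wed Mar 30 13:39:12 2011) is read as UTC;
# the post does not give the client's time zone.
ASSUMED_NOW = datetime(2011, 3, 30, 13, 39, 12, tzinfo=timezone.utc)

# owner, remaining TTL, type covered, original TTL, expiration, inception
RRSIG_RE = re.compile(
    r"^(\S+)\s+(\d+)\s+IN\s+RRSIG\s+(\S+)\s+\d+\s+\d+\s+(\d+)\s+(\d{14})\s+(\d{14})\s",
    re.M)

def rrsig_time(text):
    """Parse the YYYYMMDDHHmmSS presentation form (always UTC)."""
    return datetime.strptime(text, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def check_answer(dig_text, now):
    """Compare each RRSIG validity window and cached TTL against `now`."""
    ad = re.search(r"^;; flags:[^;]*\bad\b", dig_text, re.M) is not None
    rrsigs = []
    for owner, ttl, covered, orig_ttl, exp, inc in RRSIG_RE.findall(dig_text):
        validity_left = int((rrsig_time(exp) - now).total_seconds())
        rrsigs.append({
            "owner": owner,
            "covered": covered,
            "expired": validity_left < 0,
            "not_yet_valid": now < rrsig_time(inc),
            "seconds_past_expiry": max(-validity_left, 0),
            # RFC 4035 5.3.3 bounds a validated RRset's TTL by the original
            # TTL and by the time left until signature expiration.
            "ttl_over_bound": int(ttl) > min(int(orig_ttl), max(validity_left, 0)),
        })
    suspect = ad and any(r["expired"] or r["not_yet_valid"] for r in rrsigs)
    return {"ad": ad, "rrsigs": rrsigs, "ad_with_bad_window": suspect}

if __name__ == "__main__":
    print(check_answer(SAMPLE, ASSUMED_NOW))
```

The signature had been expired for well over a day at the assumed query time, so any real time-zone offset on the WHEN line leaves the result unchanged.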
