I put in an A record for "badsig.dane.xelerance.com." with the intention of putting a bad "dane TLSA" record in there. So contrary to the name, the RRSIG for "badsig" is fine.
But unbound (1.4.8) gives me:

[paul@bofh pri]$ dig +dnssec a badsig.dane.xelerance.com.

; <<>> DiG 9.7.3-RedHat-9.7.3-1.fc14 <<>> +dnssec a badsig.dane.xelerance.com.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14663
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;badsig.dane.xelerance.com.     IN      A

;; AUTHORITY SECTION:
xelerance.com.          1843    IN      SOA     ns1.xelerance.net. hostmaster.xelerance.com. 2011041269 18000 3600 864000 3600
xelerance.com.          1843    IN      RRSIG   SOA 5 2 3600 20110505082418 20110412193207 52862 xelerance.com. AjMgXLIoxiKF96CuFAi1xIKDBOmUSj1gDUP8x6IA/dupfBfSf2IJ7vZB r1Mk9l3dSlvfGqWrKZoAkb7hBe65aVdxWPNF/haBHycteofzXBLp48C4 ur06uhu6JgFT6lK40xEYV40O+3TPOgtiMyThSdZhUxHbQT4hN826+QXu ZCk=
_443._tcp.dane.xelerance.com. 1537 IN   NSEC    _443._tcp.badsig.dane.xelerance.com. RRSIG NSEC TYPE65468
_443._tcp.dane.xelerance.com. 1537 IN   RRSIG   NSEC 5 5 3600 20110508195703 20110412150206 52862 xelerance.com. S29Q/B0lQXq5panQv0utkdluaNzHZ2bYhqjrxQDb5QBv8KOn5WpwxG+c 5ZPBJPLIM7pVcheb88VjLaybUSfDygeazrz0kucF1XW+N8mvqbGLA8bF 4NtYD/GcBAzq6zaDFkq5azPp42zLlmROyUlxbHGQr2xBOd0QL8lu7Pzt nx4=

;; Query time: 115 msec
;; SERVER: 193.110.157.136#53(193.110.157.136)
;; WHEN: Tue Apr 12 17:03:32 2011
;; MSG SIZE  rcvd: 557

So this tells me the record does not exist. But when I do an ANY query:

[paul@bofh pri]$ dig +dnssec any badsig.dane.xelerance.com.

; <<>> DiG 9.7.3-RedHat-9.7.3-1.fc14 <<>> +dnssec any badsig.dane.xelerance.com.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50885
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 5, ADDITIONAL: 5

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;badsig.dane.xelerance.com.     IN      ANY

;; ANSWER SECTION:
badsig.dane.xelerance.com. 3505 IN      A       193.110.157.151
badsig.dane.xelerance.com. 3505 IN      RRSIG   A 5 4 3600 20110505101649 20110412193207 52862 xelerance.com. nal4M2CFZCFpYD8fGdM2UN/nVhoI6W7wbKSx7IfqR6hHu6GyEnFckG7I IGgOUeKW69vVk19ZpNcxZFCPjxjjOizLdbn5ZpzmiPwKLrYMt9rVb740 /Wm3Um69tyP79DiNFFdx1j02C6jL8DAGhpFlHaTDL5YxTQadUDyQy7hj qH0=
badsig.dane.xelerance.com. 3505 IN      NSEC    _443._tcp.badsig.dane.xelerance.com. A RRSIG NSEC
badsig.dane.xelerance.com. 3505 IN      RRSIG   NSEC 5 4 3600 20110507165524 20110412193207 52862 xelerance.com. MBZf648QzxlK3iGVG9rIEbMaPfHVYX3cF/NdsJpUmNAue8UyES5XqXM2 7+fvNhMhWLNfzjR0uek+H0L/KDqmsETziiV+4P7W90/kdvyk23b6E0+l F8f9o1cjbpWS6NgzdLYl3u6xE3mIedg8Zj94yUkDO7IPg8wG9DWKPrIY Lbw=

;; AUTHORITY SECTION:
xelerance.com.          1222    IN      NS      ns0.xelerance.nl.
xelerance.com.          1222    IN      NS      ns1.xelerance.net.
xelerance.com.          1222    IN      NS      ns2.xelerance.org.
xelerance.com.          1222    IN      NS      ns3.xelerance.com.
xelerance.com.          1222    IN      RRSIG   NS 5 2 3600 20110504211948 20110407132406 52862 xelerance.com. GFOJpCG0wnC65zdaKU3wBab3H9yACG84B+47jXdfGigcspDx8Ro8+qGH daQCVQLTZP92f549qA5j3JnwqmISQIUyaF7acDGY+1h65G9xyZCt7xNV X7bLPXLQbJ63OMkAYG00+tyg6tAtxLLStvOCsbVTfvUkCm5M5VhbaDJM jQE=

;; ADDITIONAL SECTION:
ns3.xelerance.com.      1222    IN      A       65.18.175.19
ns3.xelerance.com.      1222    IN      AAAA    2607:f7d0:403:1::1
ns3.xelerance.com.      1222    IN      RRSIG   A 5 3 3600 20110505112452 20110411195206 52862 xelerance.com. SidtyN0Jp51ftbmTB6U4euk/BtTiP8u3bNz6KfnYUmJCc++LPdgc0Bxa +0JCXzw0nkZUWBdBOTfuiBw+Xiz7S1Nw0FPtVdXegj/E/1VQPzaWguiA aFYRVB3tKwSc9swNGacdGmuGYmTJIT/174dfgVmSKfHzSrm15BK2O+S6 Y/I=
ns3.xelerance.com.      1222    IN      RRSIG   AAAA 5 3 3600 20110430162655 20110405051806 52862 xelerance.com. l+dlkSzDLwGYeic3azZEJijlP6CGNA9syaUj9B5UdTlsMTNU1arhO26s Dwg3PQjK/OcyXWAopjKLkbvX8+LL3+IU7H5VnRca6+EVxH/jkjqm52U/ lMJSSuCjDob31TXH9zR9bJcnA7noLFgcQQm653PZea7GwKQE1r1gxVoP KI4=

;; Query time: 116 msec
;; SERVER: 193.110.157.136#53(193.110.157.136)
;; WHEN: Tue Apr 12 17:03:40 2011
;; MSG SIZE  rcvd: 1146

Now it exists? Note that nsd is serving the record fine:

[paul@bofh pri]$ dig +dnssec a badsig.dane.xelerance.com. @ns0.xelerance.net

; <<>> DiG 9.7.3-RedHat-9.7.3-1.fc14 <<>> +dnssec a badsig.dane.xelerance.com. @ns0.xelerance.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61386
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 5
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;badsig.dane.xelerance.com.     IN      A

;; ANSWER SECTION:
badsig.dane.xelerance.com. 3600 IN      A       193.110.157.151
badsig.dane.xelerance.com. 3600 IN      RRSIG   A 5 4 3600 20110505101649 20110412193207 52862 xelerance.com. nal4M2CFZCFpYD8fGdM2UN/nVhoI6W7wbKSx7IfqR6hHu6GyEnFckG7I IGgOUeKW69vVk19ZpNcxZFCPjxjjOizLdbn5ZpzmiPwKLrYMt9rVb740 /Wm3Um69tyP79DiNFFdx1j02C6jL8DAGhpFlHaTDL5YxTQadUDyQy7hj qH0=

I have a copy of the cache at the time, and an unbound-host output if that would help. After restarting unbound, the record worked as expected.

Paul

_______________________________________________
Unbound-users mailing list
[email protected]
http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
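An added example, not part of Paul's post: applying the RFC 4034 canonical name ordering and the NSEC coverage rule to the two NSEC records in the dig output above shows why the two answers disagree. The NSEC unbound served for the A query (owner _443._tcp.dane.xelerance.com., next name _443._tcp.badsig.dane.xelerance.com.) spans right over badsig.dane.xelerance.com., which is what the chain looks like when that name had no records of its own at signing time, while the NSEC in the ANY answer is owned by badsig.dane.xelerance.com. itself and lists A in its type bitmap. Function names and the helper structure are my own.

```python
# Added example (not from the mailing-list post): RFC 4034 canonical ordering
# and NSEC coverage, applied to the names seen in the dig output above.

def canonical_key(name: str) -> tuple:
    """RFC 4034 s6.1 ordering key: labels compared from the root, lowercase, bytewise."""
    stripped = name.rstrip(".").lower()
    labels = stripped.split(".") if stripped else []
    return tuple(label.encode("ascii") for label in reversed(labels))

def nsec_covers(owner: str, next_name: str, qname: str) -> bool:
    """True when qname lies strictly between owner and next, i.e. this NSEC
    asserts that qname does not exist. The last NSEC in a chain wraps to the
    apex (next sorts before owner), so that case is handled as well."""
    o, n, q = canonical_key(owner), canonical_key(next_name), canonical_key(qname)
    if o < n:
        return o < q < n
    return q > o or q < n

def nsec_denies_type(owner: str, types: set, qname: str, qtype: str) -> bool:
    """An NSEC owned by qname proves qtype absent only if qtype is not in its bitmap."""
    return canonical_key(owner) == canonical_key(qname) and qtype not in types

QNAME = "badsig.dane.xelerance.com."

# NSEC that unbound returned for the A query (TTL 1537 left in cache).
STALE_OWNER = "_443._tcp.dane.xelerance.com."
STALE_NEXT = "_443._tcp.badsig.dane.xelerance.com."

# NSEC that came back in the ANY answer, owned by the queried name itself.
FRESH_OWNER = QNAME
FRESH_TYPES = {"A", "RRSIG", "NSEC"}

def stale_nsec_denies_name() -> bool:
    # The older NSEC's gap contains badsig.dane.xelerance.com., so a validator
    # holding it concludes the name (and hence its A record) does not exist.
    return nsec_covers(STALE_OWNER, STALE_NEXT, QNAME)

def fresh_nsec_denies_a() -> bool:
    # The newer NSEC is owned by the name and lists A, so it proves A exists.
    return nsec_denies_type(FRESH_OWNER, FRESH_TYPES, QNAME, "A")

if __name__ == "__main__":
    print("stale NSEC denies the name:", stale_nsec_denies_name())  # True
    print("fresh NSEC denies type A:  ", fresh_nsec_denies_a())     # False
```

A cache that still holds the older NSEC when the zone has since been re-signed with the name present will keep producing the negative answer until that RRset expires or the cache is flushed, which matches the behaviour seen before the restart.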
