Hi Cyril,
It looks like your version of dig is very old. The TYPE46 RR is actually an RRSIG. Since dig doesn't recognize that, it may not recognize the AD flag either.

Jan.

From: [email protected] [mailto:[email protected]] On Behalf Of Cyril Benedict
Sent: Friday, May 20, 2011 1:51 PM
To: unbound-users
Subject: [Unbound-users] Issue in DNSSEC

Hi All,

I am new to unbound DNS. I have installed unbound DNS on a Windows machine. Normal queries were working fine without DNSSEC. But when I tried to enable DNSSEC and validate the queries, it's not working. I expect the AD flag bit to be set in my response. Here below is my unbound.conf file:

    # Unbound configuration file on windows.
    # See example.conf for more settings and syntax
    server:
        verbosity: 1
        statistics-interval: 30
        num-threads: 1
        interface: 0.0.0.0
        # enable cumulative statistics, without clearing them after printing.
        statistics-cumulative: yes
        # enable extended statistics (query types, answer codes, status)
        # printed from unbound-control. default off, because of speed.
        extended-statistics: yes
        outgoing-range: 512
        num-queries-per-thread: 1024
        msg-cache-size: 16m
        rrset-cache-size: 32m
        msg-cache-slabs: 4
        rrset-cache-slabs: 4
        cache-max-ttl: 86400
        infra-host-ttl: 60
        infra-lame-ttl: 120
        infra-cache-numhosts: 10000
        infra-cache-lame-size: 10k
        do-ip4: yes
        do-ip6: no
        do-udp: yes
        do-tcp: yes
        do-daemonize: yes
        access-control: 0.0.0.0/0 allow
        access-control: 192.168.1.0/24 allow
        access-control: 172.16.0.0/12 allow
        access-control: 10.0.0.0/8 allow
        access-control: 127.0.0.0/8 allow
        #access-control: 0.0.0.0/0 refuse
        #chroot: "/etc/unbound"
        #username: "unbound"
        #directory: "/etc/unbound"
        logfile: "C:\unbound.log"
        #use-syslog: yes
        #logfile: ""
        #use-syslog: no
        #pidfile: "/etc/unbound/unbound.pid"
        root-hints: "C:\Program Files\Unbound\named.cache"
    server:
        auto-trust-anchor-file: "C:\Program Files\Unbound\root.key"
    server:
        dlv-anchor-file: "C:\Program Files\Unbound\dlv.isc.org.key"
        val-log-level: 2
        # File with trusted keys for validation. Specify more than one file
        # with several entries, one file per entry.
        # Zone file format, with DS and DNSKEY entries.
        # Note this gets out of date, use auto-trust-anchor-file please.
        #trust-anchor-file: ""
        # Harden against receiving dnssec-stripped data. If you turn it
        # off, failing to validate dnskey data for a trustanchor will
        # trigger insecure mode for that zone (like without a trustanchor).
        # Default on, which insists on dnssec data for trust-anchored zones.
        harden-dnssec-stripped: yes
        identity: "DNS"
        version: "1.4"
        hide-identity: yes
        hide-version: yes
        harden-glue: no
        do-not-query-address: 127.0.0.1/8
        do-not-query-localhost: yes
        module-config: "validator iterator"
    -----------------------------------

When I ran dig, I got the output below:

    C:\dig>dig com. SOA +dnssec +multiline

    ; <<>> DiG 9.2.3 <<>> com. SOA +dnssec +multiline
    ;; global options: printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 14, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags: do; udp: 4096
    ;; QUESTION SECTION:
    ;com.                   IN SOA

    ;; ANSWER SECTION:
    com.                    878 IN SOA a.gtld-servers.net. nstld.verisign-grs.com. (
                                    1305905047 ; serial
                                    1800       ; refresh (30 minutes)
                                    900        ; retry (15 minutes)
                                    604800     ; expire (1 week)
                                    86400      ; minimum (1 day)
                                    )
    com.                    878 IN TYPE46 \# 151 ( 00060801000003844DDFC2174DD6772F8
                                    F6903636F6D 00B4491B54F5987CC2C80ED4C6C94F9AD856EB1BE3C1
                                    34ACFD6AFA9651BCC29B4206C28F27FA342EA7A6EF38
                                    24D06F2F3E88567E3C33836D81A6261B1012C9B66FC4
                                    E6059621CF5F23AA3922120B2DA8351C7B64E682632F
                                    33CB1DA9F2259F6CAA1CCD61446823FFB33C1CE5ECB1
                                    3EBBED00281030ECEB97A331ECC0802DF9D889 )

    ;; AUTHORITY SECTION:
    com.                    172778 IN NS a.gtld-servers.net.
    com.                    172778 IN NS c.gtld-servers.net.
    com.                    172778 IN NS j.gtld-servers.net.
    com.                    172778 IN NS m.gtld-servers.net.
    com.                    172778 IN NS l.gtld-servers.net.
    com.                    172778 IN NS d.gtld-servers.net.
    com.                    172778 IN NS b.gtld-servers.net.
    com.                    172778 IN NS e.gtld-servers.net.
    com.                    172778 IN NS f.gtld-servers.net.
    com.                    172778 IN NS k.gtld-servers.net.
    com.                    172778 IN NS i.gtld-servers.net.
    com.                    172778 IN NS g.gtld-servers.net.
    com.                    172778 IN NS h.gtld-servers.net.
    com.                    172778 IN TYPE46 \# 151 ( 000208010002A3004DDB30F54DD1E6
                                    0D8F6903636F6D 0016A2B11A350932CEAF7999FE7BFB82DF31A1B4EBB0
                                    3BB0F3C15E2D68C0568C3F2EEF8A7BC734C92FA5BA7F
                                    18D64BF478942AA5436AABF08D66342720D103B292A4
                                    D60A876FC6AE1D0FF23C15BDE9C4D3485FC1480DBAE8
                                    2BC6A27C67E280A1836FB869850194F851CF53A1D7EB
                                    F238FA9705E052D80311D0C31AE491255BCBB3 )

    ;; Query time: 15 msec
    ;; SERVER: 127.0.0.1#53(127.0.0.1)
    ;; WHEN: Fri May 20 20:54:59 2011
    ;; MSG SIZE  rcvd: 637

My root.key file is below, after updating the file using unbound-anchor:

    ; autotrust trust anchor file
    ;;id: . 1
    ;;last_queried: 1305905315 ;;Fri May 20 20:58:35 2011
    ;;last_success: 1305905315 ;;Fri May 20 20:58:35 2011
    ;;next_probe_time: 1305944244 ;;Sat May 21 07:47:24 2011
    ;;query_failed: 0
    ;;query_interval: 43200
    ;;retry_time: 8640
    .       172800  IN      DNSKEY  257 3 8 XXXXXXXXXXXXXXXXXX

Please advise me of any documentation which will help me resolve the issue. It would be great if someone could point out the problem. Thanks in advance.

Thanks,
Cyril.
_______________________________________________
Unbound-users mailing list
[email protected]
http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
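Added example, not part of the thread: a small Python decoder for the two things Jan's reply turns on. It parses the `TYPE46 \# 151` RDATA that the old dig printed for the `com. SOA` answer as an RRSIG (RFC 4034 section 3.1 layout) and reads the AD bit out of a DNS header. The RDATA bytes are copied from the post; the 12-byte headers are constructed here to match the post's `id: 41` / `flags: qr rd ra` output, once as dig saw it and once with AD set.

```python
import struct
from datetime import datetime, timezone

# Copied from the post: the com. SOA RRSIG that the old dig printed as
# "TYPE46 \# 151 ( ... )", with the whitespace between hex groups removed.
RRSIG_SOA_HEX = (
    "00060801000003844DDFC2174DD6772F8F6903636F6D"
    "00B4491B54F5987CC2C80ED4C6C94F9AD856EB1BE3C1"
    "34ACFD6AFA9651BCC29B4206C28F27FA342EA7A6EF38"
    "24D06F2F3E88567E3C33836D81A6261B1012C9B66FC4"
    "E6059621CF5F23AA3922120B2DA8351C7B64E682632F"
    "33CB1DA9F2259F6CAA1CCD61446823FFB33C1CE5ECB1"
    "3EBBED00281030ECEB97A331ECC0802DF9D889"
)

def parse_rrsig_rdata(rdata: bytes) -> dict:
    """Decode RRSIG RDATA (RFC 4034 section 3.1) into its named fields."""
    if len(rdata) < 18:
        raise ValueError("RRSIG RDATA shorter than its 18-byte fixed header")
    type_covered, alg, labels, orig_ttl, expires, inception, key_tag = \
        struct.unpack("!HBBIIIH", rdata[:18])
    # Signer's name follows as uncompressed wire-format labels ending in 0x00.
    pos, parts = 18, []
    while (n := rdata[pos]) != 0:
        if n >= 64:
            raise ValueError("compression pointers are not allowed in an RRSIG signer name")
        parts.append(rdata[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    when = lambda t: datetime.fromtimestamp(t, timezone.utc).strftime("%Y%m%d%H%M%S")
    return {"type_covered": type_covered, "algorithm": alg, "labels": labels,
            "original_ttl": orig_ttl, "expiration": when(expires),
            "inception": when(inception), "key_tag": key_tag,
            "signer": ".".join(parts) + ".", "signature": rdata[pos + 1:]}

def header_flags(msg: bytes) -> dict:
    """Flag bits from a 12-byte DNS header; AD (0x0020) is the bit the post expects to see."""
    (flags,) = struct.unpack("!H", msg[2:4])
    return {"qr": bool(flags & 0x8000), "rd": bool(flags & 0x0100),
            "ra": bool(flags & 0x0080), "ad": bool(flags & 0x0020)}

# Constructed header matching the post's dig output: id 41, flags "qr rd ra",
# QUERY 1, ANSWER 2, AUTHORITY 14, ADDITIONAL 1; no AD bit set.
HEADER_FROM_POST = struct.pack("!HHHHHH", 41, 0x8180, 1, 2, 14, 1)
# Constructed: the same header with AD set, as a validating resolver would return it.
HEADER_WITH_AD = struct.pack("!HHHHHH", 41, 0x81A0, 1, 2, 14, 1)

if __name__ == "__main__":
    sig = parse_rrsig_rdata(bytes.fromhex(RRSIG_SOA_HEX))
    print({k: v for k, v in sig.items() if k != "signature"})
    print("AD in post's answer:", header_flags(HEADER_FROM_POST)["ad"])
```

The decoded fields (type covered 6 = SOA, algorithm 8, original TTL 900, key tag 36713, signer `com.`, 128-byte signature) are what a current dig prints as an RRSIG record.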
