Hi Cathy,

Unbound follows the DNAME when answering the ANY query, like Luo Ce has reported. But, in this case, it is confused by the unsigned target and thus unsigned data that appears in the ANY response.

There are two roads to a solution. Unbound can stop following CNAME and DNAME if the qtype is ANY. Unbound can learn that ANY responses may contain CNAME and DNAME and thus also target zone contents and validate that.

Best regards,
Wouter

On 07/12/2011 04:45 AM, Cathy Zhang wrote:
> unbound responds with status SERVFAIL for request 'dig
> foo.dname2.example. any +dnssec'. I think it means unbound failed to
> validate the data and I found such statements in log:
> 12-Jul-2011 09:32:51.666 info: no signer, using <foo.dname2.example.
> TYPE0 CLASS0>
> Would it be 'example' the signer instead of 'foo.dname2.example'?
>
> here is the response for request with cd bit set
> $ dig foo.dname2.example. any @10.53.0.8 +cdflag
>
> ; <<>> DiG 9.7.3 <<>> foo.dname2.example. any @10.53.0.8 +cdflag
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40226
> ;; flags: qr rd ra cd; QUERY: 1, ANSWER: 7, AUTHORITY: 2, ADDITIONAL: 2
>
> ;; QUESTION SECTION:
> ;foo.dname2.example. IN ANY
>
> ;; ANSWER SECTION:
> dname2.example. 300 IN DNAME dname2-target.example.
> dname2.example. 300 IN RRSIG DNAME 3 2 300
> 20110811002909 20110712002909 41604 example.
> BKfBYKdcGieT+EEIGl2vilfsl7egcmfvQsLgAwEhp1vQPJTxkNNJ6BM=
> foo.dname2.example. 0 IN CNAME foo.dname2-target.example.
> foo.dname2-target.example. 300 IN TXT "testing dname"
> foo.dname2-target.example. 300 IN RRSIG TXT 3 3 300
> 20110811002909 20110712002909 41604 example.
> BAXpPonMvpx/Dyw/z0UP9DwYiLWlrffj9zJF7V7kfxpLF7X/mTftZWE=
> foo.dname2-target.example. 3600 IN NSEC dynamic.example. TXT RRSIG
> NSEC
> foo.dname2-target.example. 3600 IN RRSIG NSEC 3 3 3600
> 20110811002909 20110712002909 41604 example.
> BFyRlAUY3vBL2E7JEyezzaxjgBoycn0M5ZXJ8vRxa7suQi7cnoo6Z1s=
>
> ;; AUTHORITY SECTION:
> example. 300 IN NS ns2.example.
> example. 300 IN NS ns3.example.
>
> ;; ADDITIONAL SECTION:
> ns2.example. 300 IN A 10.53.0.2
> ns3.example. 300 IN A 10.53.0.3
>
> ;; Query time: 92 msec
> ;; SERVER: 10.53.0.8#53(10.53.0.8)
> ;; WHEN: Tue Jul 12 09:38:11 2011
> ;; MSG SIZE rcvd: 474
> _______________________________________________
> Unbound-users mailing list
> [email protected]
> http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
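
Added example, not part of the original messages and not Unbound's code: it takes the ANSWER section quoted above, reads each RRset's signer from its RRSIG, and checks the CNAME, which carries no RRSIG of its own, against the DNAME substitution rule of RFC 6672. The record list is re-typed from the dig output with TTLs and signature bytes left out, and the function names are hypothetical.

```python
# Constructed sample: ANSWER section re-typed from the quoted dig output.
# RRSIG rdata is reduced to (type covered, signer name).
ANSWER = [
    ("dname2.example.", "DNAME", "dname2-target.example."),
    ("dname2.example.", "RRSIG", ("DNAME", "example.")),
    ("foo.dname2.example.", "CNAME", "foo.dname2-target.example."),
    ("foo.dname2-target.example.", "TXT", '"testing dname"'),
    ("foo.dname2-target.example.", "RRSIG", ("TXT", "example.")),
    ("foo.dname2-target.example.", "NSEC", "dynamic.example. TXT RRSIG NSEC"),
    ("foo.dname2-target.example.", "RRSIG", ("NSEC", "example.")),
]

def labels(name):
    """Split a domain name into lowercase labels (root gives an empty list)."""
    return [l for l in name.lower().rstrip(".").split(".") if l]

def dname_substitute(qname, owner, target):
    """RFC 6672 substitution: swap the DNAME owner suffix of qname for target.
    Returns None unless qname is strictly below the DNAME owner."""
    q, o = labels(qname), labels(owner)
    n = len(q) - len(o)
    if n <= 0 or q[n:] != o:
        return None
    return ".".join(q[:n] + labels(target)) + "."

def classify(answer):
    """Return {(owner, type): status} for every non-RRSIG RRset in answer."""
    signers = {(o, d[0]): d[1] for o, t, d in answer if t == "RRSIG"}
    dnames = [(o, d) for o, t, d in answer if t == "DNAME"]
    status = {}
    for owner, rtype, data in answer:
        if rtype == "RRSIG":
            continue
        key = (owner, rtype)
        if key in signers:
            status[key] = "signed by " + signers[key]
            continue
        # An unsigned CNAME is acceptable only if a signed DNAME produces it.
        via = [o for o, t in dnames if rtype == "CNAME" and (o, "DNAME") in signers
               and dname_substitute(owner, o, t) == data.lower()]
        status[key] = ("synthesized from signed DNAME at " + via[0]) if via else "unsigned"
    return status

if __name__ == "__main__":
    for key, state in classify(ANSWER).items():
        print(key, "->", state)
```
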
