Hi Wouter, thanks a lot for your answer. But I can get the following response from the BIND recursor: there is an 'ad' flag, so I wonder whether the validation should be 'pass' or 'failed'.

-----------------------------------------------
dig foo.dname2.example. any @10.53.0.4 +dnssec

; <<>> DiG 9.7.3 <<>> foo.dname2.example. any @10.53.0.4 +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22482
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 7, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;foo.dname2.example.            IN      ANY

;; ANSWER SECTION:
dname2.example.            81   IN  DNAME  dname2-target.example.
dname2.example.            81   IN  RRSIG  DNAME 3 2 300 20110811002909 20110712002909 41604 example. BKfBYKdcGieT+EEIGl2vilfsl7egcmfvQsLgAwEhp1vQPJTxkNNJ6BM=
foo.dname2.example.        81   IN  CNAME  foo.dname2-target.example.
foo.dname2-target.example. 3381 IN  RRSIG  NSEC 3 3 3600 20110811002909 20110712002909 41604 example. BFyRlAUY3vBL2E7JEyezzaxjgBoycn0M5ZXJ8vRxa7suQi7cnoo6Z1s=
foo.dname2-target.example. 3381 IN  NSEC   dynamic.example. TXT RRSIG NSEC
foo.dname2-target.example. 81   IN  RRSIG  TXT 3 3 300 20110811002909 20110712002909 41604 example. BAXpPonMvpx/Dyw/z0UP9DwYiLWlrffj9zJF7V7kfxpLF7X/mTftZWE=
foo.dname2-target.example. 81   IN  TXT    "testing dname"

;; Query time: 1 msec
;; SERVER: 10.53.0.4#53(10.53.0.4)
;; WHEN: Tue Jul 12 17:30:06 2011
;; MSG SIZE  rcvd: 403

2011/7/12, W.C.A. Wijngaards <[email protected]>:
> Hi Cathy,
>
> Unbound follows the DNAME when answering the ANY query, like Luo Ce has
> reported. But, in this case, it is confused by the unsigned target and
> thus unsigned data that appears in the ANY response.
>
> There are two roads to solution. Unbound can stop following CNAME and
> DNAME if the qtype is ANY. Unbound can learn that ANY responses may
> contain CNAME and DNAME and thus also target zone contents and validate
> that.
>
> Best regards,
> Wouter
>
> On 07/12/2011 04:45 AM, Cathy Zhang wrote:
>> Unbound responds with status SERVFAIL for request 'dig
>> foo.dname2.example. any +dnssec'. I think it means Unbound failed to
>> validate the data and I found such statements in the log:
>> 12-Jul-2011 09:32:51.666 info: no signer, using <foo.dname2.example.
>> TYPE0 CLASS0>
>> Would it be 'example' the signer instead of 'foo.dname2.example'?
>>
>> Here is the response for the request with the cd bit set:
>> $ dig foo.dname2.example. any @10.53.0.8 +cdflag
>>
>> ; <<>> DiG 9.7.3 <<>> foo.dname2.example. any @10.53.0.8 +cdflag
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40226
>> ;; flags: qr rd ra cd; QUERY: 1, ANSWER: 7, AUTHORITY: 2, ADDITIONAL: 2
>>
>> ;; QUESTION SECTION:
>> ;foo.dname2.example.            IN      ANY
>>
>> ;; ANSWER SECTION:
>> dname2.example.            300  IN  DNAME  dname2-target.example.
>> dname2.example.            300  IN  RRSIG  DNAME 3 2 300
>>     20110811002909 20110712002909 41604 example.
>>     BKfBYKdcGieT+EEIGl2vilfsl7egcmfvQsLgAwEhp1vQPJTxkNNJ6BM=
>> foo.dname2.example.        0    IN  CNAME  foo.dname2-target.example.
>> foo.dname2-target.example. 300  IN  TXT    "testing dname"
>> foo.dname2-target.example. 300  IN  RRSIG  TXT 3 3 300
>>     20110811002909 20110712002909 41604 example.
>>     BAXpPonMvpx/Dyw/z0UP9DwYiLWlrffj9zJF7V7kfxpLF7X/mTftZWE=
>> foo.dname2-target.example. 3600 IN  NSEC   dynamic.example. TXT RRSIG
>>     NSEC
>> foo.dname2-target.example. 3600 IN  RRSIG  NSEC 3 3 3600
>>     20110811002909 20110712002909 41604 example.
>>     BFyRlAUY3vBL2E7JEyezzaxjgBoycn0M5ZXJ8vRxa7suQi7cnoo6Z1s=
>>
>> ;; AUTHORITY SECTION:
>> example.                   300  IN  NS     ns2.example.
>> example.                   300  IN  NS     ns3.example.
>>
>> ;; ADDITIONAL SECTION:
>> ns2.example.               300  IN  A      10.53.0.2
>> ns3.example.               300  IN  A      10.53.0.3
>>
>> ;; Query time: 92 msec
>> ;; SERVER: 10.53.0.8#53(10.53.0.8)
>> ;; WHEN: Tue Jul 12 09:38:11 2011
>> ;; MSG SIZE  rcvd: 474
>> _______________________________________________
>> Unbound-users mailing list
>> [email protected]
>> http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
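The crux of the thread is that the ANY answer mixes signed RRsets (DNAME, TXT, NSEC, all signed by "example.") with one unsigned record, the CNAME, which is not signed because the authoritative server synthesizes it from the DNAME and a validator is expected to re-synthesize and compare it rather than demand an RRSIG for it (RFC 6672 section 3.1). The script below is an added example, not code from the thread or from Unbound or BIND: it takes the answer section of the BIND response above (signatures abbreviated, hence "constructed"), groups the records into RRsets, records the signer name of each RRSIG, and labels every RRset as signed, legitimately synthesized, or unsigned. It only checks signature presence and DNAME synthesis; it does not verify any signature cryptographically.

```python
# Added example: classify the RRsets of a DNSSEC ANY answer that crosses a DNAME.
from collections import defaultdict

# Constructed from the dig output in the thread; signature data abbreviated.
ANSWER = """\
dname2.example. 81 IN DNAME dname2-target.example.
dname2.example. 81 IN RRSIG DNAME 3 2 300 20110811002909 20110712002909 41604 example. BKfBYK...
foo.dname2.example. 81 IN CNAME foo.dname2-target.example.
foo.dname2-target.example. 3381 IN RRSIG NSEC 3 3 3600 20110811002909 20110712002909 41604 example. BFyRlA...
foo.dname2-target.example. 3381 IN NSEC dynamic.example. TXT RRSIG NSEC
foo.dname2-target.example. 81 IN RRSIG TXT 3 3 300 20110811002909 20110712002909 41604 example. BAXpPo...
foo.dname2-target.example. 81 IN TXT "testing dname"
"""

def parse_answer(text):
    """rrsets: (owner, type) -> list of rdata token lists;
    signers: (owner, covered type) -> signer name taken from the RRSIG rdata."""
    rrsets, signers = defaultdict(list), {}
    for line in text.splitlines():
        if not line.strip():
            continue
        owner, _ttl, _cls, rtype, *rdata = line.split()
        if rtype == "RRSIG":
            # RRSIG rdata: covered alg labels origttl expire incep keytag signer sig
            signers[(owner, rdata[0])] = rdata[7]
        else:
            rrsets[(owner, rtype)].append(rdata)
    return rrsets, signers

def synthesized_cname(qname, dname_owner, dname_target):
    """CNAME target a validator synthesizes itself from a DNAME (RFC 6672 3.1),
    or None when qname is not below the DNAME owner."""
    suffix = "." + dname_owner
    if not qname.endswith(suffix):
        return None
    return qname[: -len(suffix)] + "." + dname_target

def classify(text):
    """Label each RRset 'signed by <zone>', 'synthesized from signed DNAME' or 'unsigned'."""
    rrsets, signers = parse_answer(text)
    # Only DNAMEs that themselves carry an RRSIG may justify an unsigned CNAME.
    dnames = {o: r[0][0] for (o, t), r in rrsets.items()
              if t == "DNAME" and (o, "DNAME") in signers}
    result = {}
    for (owner, rtype), rdatas in rrsets.items():
        if (owner, rtype) in signers:
            result[(owner, rtype)] = "signed by " + signers[(owner, rtype)]
        elif rtype == "CNAME" and any(synthesized_cname(owner, o, tgt) == rdatas[0][0]
                                      for o, tgt in dnames.items()):
            result[(owner, rtype)] = "synthesized from signed DNAME"
        else:
            result[(owner, rtype)] = "unsigned"   # a validator should reject this
    return result
```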
