Hi Cathy,

No, I am wrong: both the source and destination zone are signed, and hence the results validate and the AD flag is set. The response is fine.

Best regards,
Wouter

On 07/12/2011 12:21 PM, W.C.A. Wijngaards wrote:
> Hi Cathy,
>
> That message is in error (just like Unbound, but wrong the other way).
> Because the TXT record is not signed, the result should have been sent
> without the AD flag. (CNAME sequence from signed to unsigned zone
> becomes insecure). Something that could well be reported to the ISC people.
>
> Best regards,
> Wouter
>
> On 07/12/2011 11:40 AM, Cathy Zhang wrote:
>> Hi Wouter,
>> Thanks a lot for your answer. But I can get the following response
>> from the BIND recursor:
>> there is an 'ad' flag. So I wonder whether the validation should be
>> 'pass' or 'failed'.
>> -----------------------------------------------
>> dig foo.dname2.example. any @10.53.0.4 +dnssec
>>
>> ; <<>> DiG 9.7.3 <<>> foo.dname2.example. any @10.53.0.4 +dnssec
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22482
>> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 7, AUTHORITY: 0, ADDITIONAL: 1
>>
>> ;; OPT PSEUDOSECTION:
>> ; EDNS: version: 0, flags: do; udp: 4096
>> ;; QUESTION SECTION:
>> ;foo.dname2.example. IN ANY
>>
>> ;; ANSWER SECTION:
>> dname2.example. 81 IN DNAME dname2-target.example.
>> dname2.example. 81 IN RRSIG DNAME 3 2 300
>> 20110811002909 20110712002909 41604 example.
>> BKfBYKdcGieT+EEIGl2vilfsl7egcmfvQsLgAwEhp1vQPJTxkNNJ6BM=
>> foo.dname2.example. 81 IN CNAME foo.dname2-target.example.
>> foo.dname2-target.example. 3381 IN RRSIG NSEC 3 3 3600
>> 20110811002909 20110712002909 41604 example.
>> BFyRlAUY3vBL2E7JEyezzaxjgBoycn0M5ZXJ8vRxa7suQi7cnoo6Z1s=
>> foo.dname2-target.example. 3381 IN NSEC dynamic.example. TXT RRSIG
>> NSEC
>> foo.dname2-target.example. 81 IN RRSIG TXT 3 3 300
>> 20110811002909 20110712002909 41604 example.
>> BAXpPonMvpx/Dyw/z0UP9DwYiLWlrffj9zJF7V7kfxpLF7X/mTftZWE=
>> foo.dname2-target.example. 81 IN TXT "testing dname"
>>
>> ;; Query time: 1 msec
>> ;; SERVER: 10.53.0.4#53(10.53.0.4)
>> ;; WHEN: Tue Jul 12 17:30:06 2011
>> ;; MSG SIZE rcvd: 403
>>
>>
>> 2011/7/12, W.C.A. Wijngaards <[email protected]>:
>> Hi Cathy,
>>
>> Unbound follows the DNAME when answering the ANY query, like Luo Ce has
>> reported. But, in this case, it is confused by the unsigned target and
>> thus unsigned data that appears in the ANY response.
>>
>> There are two roads to a solution. Unbound can stop following CNAME and
>> DNAME if the qtype is ANY. Unbound can learn that ANY responses may
>> contain CNAME and DNAME and thus also target zone contents and validate
>> that.
>>
>> Best regards,
>> Wouter
>>
>>
>> On 07/12/2011 04:45 AM, Cathy Zhang wrote:
>>>>> Unbound responds with status SERVFAIL for the request 'dig
>>>>> foo.dname2.example. any +dnssec'. I think it means Unbound failed to
>>>>> validate the data, and I found such statements in the log:
>>>>> 12-Jul-2011 09:32:51.666 info: no signer, using <foo.dname2.example.
>>>>> TYPE0 CLASS0>
>>>>> Would the signer be 'example' instead of 'foo.dname2.example'?
>>>>>
>>>>> Here is the response for the request with the CD bit set:
>>>>> $ dig foo.dname2.example. any @10.53.0.8 +cdflag
>>>>>
>>>>> ; <<>> DiG 9.7.3 <<>> foo.dname2.example. any @10.53.0.8 +cdflag
>>>>> ;; global options: +cmd
>>>>> ;; Got answer:
>>>>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40226
>>>>> ;; flags: qr rd ra cd; QUERY: 1, ANSWER: 7, AUTHORITY: 2, ADDITIONAL: 2
>>>>>
>>>>> ;; QUESTION SECTION:
>>>>> ;foo.dname2.example. IN ANY
>>>>>
>>>>> ;; ANSWER SECTION:
>>>>> dname2.example. 300 IN DNAME dname2-target.example.
>>>>> dname2.example. 300 IN RRSIG DNAME 3 2 300
>>>>> 20110811002909 20110712002909 41604 example.
>>>>> BKfBYKdcGieT+EEIGl2vilfsl7egcmfvQsLgAwEhp1vQPJTxkNNJ6BM=
>>>>> foo.dname2.example. 0 IN CNAME foo.dname2-target.example.
>>>>> foo.dname2-target.example. 300 IN TXT "testing dname"
>>>>> foo.dname2-target.example. 300 IN RRSIG TXT 3 3 300
>>>>> 20110811002909 20110712002909 41604 example.
>>>>> BAXpPonMvpx/Dyw/z0UP9DwYiLWlrffj9zJF7V7kfxpLF7X/mTftZWE=
>>>>> foo.dname2-target.example. 3600 IN NSEC dynamic.example. TXT RRSIG
>>>>> NSEC
>>>>> foo.dname2-target.example. 3600 IN RRSIG NSEC 3 3 3600
>>>>> 20110811002909 20110712002909 41604 example.
>>>>> BFyRlAUY3vBL2E7JEyezzaxjgBoycn0M5ZXJ8vRxa7suQi7cnoo6Z1s=
>>>>>
>>>>> ;; AUTHORITY SECTION:
>>>>> example. 300 IN NS ns2.example.
>>>>> example. 300 IN NS ns3.example.
>>>>>
>>>>> ;; ADDITIONAL SECTION:
>>>>> ns2.example. 300 IN A 10.53.0.2
>>>>> ns3.example. 300 IN A 10.53.0.3
>>>>>
>>>>> ;; Query time: 92 msec
>>>>> ;; SERVER: 10.53.0.8#53(10.53.0.8)
>>>>> ;; WHEN: Tue Jul 12 09:38:11 2011
>>>>> ;; MSG SIZE rcvd: 474
>>>>> _______________________________________________
>>>>> Unbound-users mailing list
>>>>> [email protected]
>>>>> http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
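As an added illustration (editor's code, not from the thread or from Unbound), the Python below walks the answer section of Cathy's BIND response, groups it into RRsets, and reports which RRsets an RRSIG covers and who signs them, treating a CNAME synthesized from a signed DNAME as covered; the names BIND_ANSWER, parse_answer, covering_dname and classify are my own, and the signature data is replaced by a placeholder.

```python
from collections import defaultdict

# Answer section of the BIND response quoted above; signature data replaced
# by the placeholder "SIG=" (constructed input, the bytes are irrelevant here).
BIND_ANSWER = """\
dname2.example. 81 IN DNAME dname2-target.example.
dname2.example. 81 IN RRSIG DNAME 3 2 300 20110811002909 20110712002909 41604 example. SIG=
foo.dname2.example. 81 IN CNAME foo.dname2-target.example.
foo.dname2-target.example. 3381 IN RRSIG NSEC 3 3 3600 20110811002909 20110712002909 41604 example. SIG=
foo.dname2-target.example. 3381 IN NSEC dynamic.example. TXT RRSIG NSEC
foo.dname2-target.example. 81 IN RRSIG TXT 3 3 300 20110811002909 20110712002909 41604 example. SIG=
foo.dname2-target.example. 81 IN TXT "testing dname"
"""

def parse_answer(text):
    """Group records into RRsets keyed by (owner, type); map covered RRsets to their RRSIG signer."""
    rrsets, signers = defaultdict(list), {}
    for line in text.splitlines():
        owner, _ttl, _cls, rtype, rdata = line.split(None, 4)
        if rtype == "RRSIG":
            fields = rdata.split()  # type_covered alg labels orig_ttl exp inc keytag signer sig
            signers[(owner, fields[0])] = fields[7]
        else:
            rrsets[(owner, rtype)].append(rdata)
    return rrsets, signers

def covering_dname(owner, rrsets, signers):
    """Return the owner of a signed DNAME that a CNAME at `owner` was synthesized from, if any."""
    for (o, t) in rrsets:
        if t == "DNAME" and owner.endswith("." + o) and (o, "DNAME") in signers:
            return o
    return None

def classify(text):
    """Per-RRset signer (None = unsigned) and the overall status a validator would assign:
    'secure' only if every RRset in the chain is covered, i.e. the AD flag may be set."""
    rrsets, signers = parse_answer(text)
    status = {}
    for (owner, rtype) in rrsets:
        if (owner, rtype) in signers:
            status[(owner, rtype)] = signers[(owner, rtype)]
        else:
            dname = covering_dname(owner, rrsets, signers) if rtype == "CNAME" else None
            # RFC 6672 section 3.3: a CNAME synthesized from a DNAME carries no RRSIG;
            # the validator verifies the DNAME RRSIG and re-synthesizes the CNAME itself.
            status[(owner, rtype)] = "via DNAME " + dname if dname else None
    overall = "secure" if all(status.values()) else "insecure"
    return overall, status
```

Dropping the RRSIG for the TXT RRset from the input turns the result into 'insecure', the situation Wouter first described.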
