On 21/03/2012 20:24, Augie Schwer wrote:
If anyone could help shed some light on why I'm seeing validation
failures for the ca.gov domain I would really appreciate it.

Unbound 1.4.16 -- started seeing these in the logs:

Mar 21 14:52:23 a unbound: [7326:0] info: validation failure
<www.ca.gov. A IN>: signatures from unknown keys from 134.186.254.247

The domain validates fine using http://dnsviz.net/d/ca.gov/dnssec/

And 'drill' on the same box validates the domain just fine, details
down below for clarity.

I've enabled "val-permissive-mode", so that I can continue to see
errors, but don't have to pull the server out of the pool.

Again, any help in figuring out what is going on would be greatly appreciated.


The first thing that jumps out is that the domain is using 2 different DNSKEY algorithms; this increases the possibility of mistakes. ALG 7 is in the record in the parent with a corresponding DNSKEY record signing the DNSKEY, but the key for algorithm 7 that signs the www.ca.gov A RRset is not in the DNSKEY RRset.

The key for algorithm 8 that signs the A RRset is in the DNSKEY RRset,
so my guess is that Unbound is favoring algorithm 7 as that is in the DS set.

DS lists 7/59151
DNSKEY contains 7/59151  8/60459  validates
      signed by 7/58151  8/60459  validates
SOA   signed by 7/59151  8/60459  validates
NSEC  signed by 7/22178  8/60459  SERVFAIL
A     signed by 7/22178  8/60459  SERVFAIL

I think Unbound is right in rejecting the zone, as the algorithm 7 (the entry point algorithm) chain is broken: 22178 is missing from the DNSKEY set. Other resolvers are on less stable ground saying that this setup is validated, but I will not call them wrong as they followed the Postel principle. In short, a mistake by the operator exposes differences in implementation choices.

        Olafur


--Augie


# drill -k /var/unbound/root.key -T ca.gov A
;; Number of trusted keys: 1
;; Domain: .
[T] . 172800 IN DNSKEY 256 3 8 ;{id = 56158 (zsk), size = 1024b}
. 172800 IN DNSKEY 257 3 8 ;{id = 19036 (ksk), size = 2048b}
. 172800 IN DNSKEY 256 3 8 ;{id = 51201 (zsk), size = 1024b}
Checking if signing key is trusted:
New key: .      172800  IN      DNSKEY  256 3 8
AwEAAZ/NErKzyMlImJ+2HTmK9qeH2sLUywlsF+mJbTP5GKoYFHoU2vn2Zqr261Lk7a6jfBKYny5GX7BDRJcVvig36TgOinE9QP5KVS0RxdrOl98gKLwFMORfNf/wjCwjPdEl1GgaGYl0npJ4c+x+o6aa/xmDKJo9zUlpvb7BLxbJ7HwF
;{id = 51201 (zsk), size = 1024b}
        Trusted key: .  172800  IN      DNSKEY  257 3 8
AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=
;{id = 19036 (ksk), size = 2048b}
        Trusted key: .  172800  IN      DNSKEY  256 3 8
AwEAAbd0IPTQdvyndWSX6HHcB+JycMl1aCGTHSJUBs/y9S93el05VvXg1VqSF4vveB9rEuAZ1z8RNWZ9ac+rlaK7PrI5RlCIyKKPbtHbpgQGkwai8O6BZ4J/ch7DGuhGJfvoECcWjsucs683WFRtmfLx5WNdPxxi30Czt1zPqMWfY6YJ
;{id = 56158 (zsk), size = 1024b}
        Trusted key: .  172800  IN      DNSKEY  257 3 8
AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=
;{id = 19036 (ksk), size = 2048b}
        Trusted key: .  172800  IN      DNSKEY  256 3 8
AwEAAZ/NErKzyMlImJ+2HTmK9qeH2sLUywlsF+mJbTP5GKoYFHoU2vn2Zqr261Lk7a6jfBKYny5GX7BDRJcVvig36TgOinE9QP5KVS0RxdrOl98gKLwFMORfNf/wjCwjPdEl1GgaGYl0npJ4c+x+o6aa/xmDKJo9zUlpvb7BLxbJ7HwF
;{id = 51201 (zsk), size = 1024b}
Key is now trusted!
[T] gov. 86400 IN DS 53138 7 1 35d81501cc594683875872282fe73054cfe619de
gov. 86400 IN DS 53138 7 2
5aec256412bc1fec92b8fddb4493b585e9406541cf8c952bfe6e27acb3a20766
;; Domain: gov.
[T] gov. 86400 IN DNSKEY 256 3 7 ;{id = 35464 (zsk), size = 2048b}
gov. 86400 IN DNSKEY 256 3 7 ;{id = 23239 (zsk), size = 2048b}
gov. 86400 IN DNSKEY 257 3 7 ;{id = 53138 (ksk), size = 2048b}
Checking if signing key is trusted:
New key: gov.   86400   IN      DNSKEY  256 3 7
AQO7WIex4rhh3ixp+U2kj8rNv61syyX8mbhBnldxZRPEMVFifoh1r0tNYOn8STzm1lEHjW3fU35G8NQHcdeFZe4nubogpA31ttUfI8ftaXYQSpI4JgyNW0bjBxt3IullpJv2tVvTb3/ZFRq8ddrJTVxCPPJz3ycA7Wa2GF948Dy85EH0q4pwzVLzKytKaOsAVLWHHA6KuPYreNLTqUv7zmdTIZ8uOICvhpsmgh8iPapHkS3yBr70TbIZnnMkr739J9PqaksrQh567tBwi0RDpIbs1XPDsqTeQoOBWwaQx7OAxRPKFEjHHbi2fucZjWqVNDZNGx9qA33QEs8cxI415sUp
;{id = 35464 (zsk), size = 2048b}
        Trusted key: .  172800  IN      DNSKEY  257 3 8
AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=
;{id = 19036 (ksk), size = 2048b}
        Trusted key: .  172800  IN      DNSKEY  256 3 8
AwEAAbd0IPTQdvyndWSX6HHcB+JycMl1aCGTHSJUBs/y9S93el05VvXg1VqSF4vveB9rEuAZ1z8RNWZ9ac+rlaK7PrI5RlCIyKKPbtHbpgQGkwai8O6BZ4J/ch7DGuhGJfvoECcWjsucs683WFRtmfLx5WNdPxxi30Czt1zPqMWfY6YJ
;{id = 56158 (zsk), size = 1024b}
        Trusted key: .  172800  IN      DNSKEY  257 3 8
AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=
;{id = 19036 (ksk), size = 2048b}
        Trusted key: .  172800  IN      DNSKEY  256 3 8
AwEAAZ/NErKzyMlImJ+2HTmK9qeH2sLUywlsF+mJbTP5GKoYFHoU2vn2Zqr261Lk7a6jfBKYny5GX7BDRJcVvig36TgOinE9QP5KVS0RxdrOl98gKLwFMORfNf/wjCwjPdEl1GgaGYl0npJ4c+x+o6aa/xmDKJo9zUlpvb7BLxbJ7HwF
;{id = 51201 (zsk), size = 1024b}
        Trusted key: gov.       86400   IN      DNSKEY  256 3 7
AQO7WIex4rhh3ixp+U2kj8rNv61syyX8mbhBnldxZRPEMVFifoh1r0tNYOn8STzm1lEHjW3fU35G8NQHcdeFZe4nubogpA31ttUfI8ftaXYQSpI4JgyNW0bjBxt3IullpJv2tVvTb3/ZFRq8ddrJTVxCPPJz3ycA7Wa2GF948Dy85EH0q4pwzVLzKytKaOsAVLWHHA6KuPYreNLTqUv7zmdTIZ8uOICvhpsmgh8iPapHkS3yBr70TbIZnnMkr739J9PqaksrQh567tBwi0RDpIbs1XPDsqTeQoOBWwaQx7OAxRPKFEjHHbi2fucZjWqVNDZNGx9qA33QEs8cxI415sUp
;{id = 35464 (zsk), size = 2048b}
Key is now trusted!
        Trusted key: gov.       86400   IN      DNSKEY  256 3 7
BQEAAAABvSN63WSZXqKpkUlpHZjtvhZqgTTXwS+ayt8E/0AuuXvEuFOkUzUqyUahwSdhbds2aLWJK4Gg7Z0huM/hAnqgvMxpRgY9wyJ0oh5UuO3XpAChAEups6ufY7M/+16lHpkbjQgw45o3t/AOFrxhjAUOA4PR21P7JmkofhMFmnhLnrou9fK+704kr/5uq19xZ1nClCZd+Awtt7mgArePJ0k6HDbScXY9hjr6uwKwbx8Dji+nCajkxBHatAFLz8G0z0lCN3VSnMSrw7U+nNpLzUBcGB8oYAyHV2MoxQFPm8z+b8fZemT5kXftn/XdEbS4qrG48czluD56ESUSQ+z9p4AGLw==
;{id = 23239 (zsk), size = 2048b}
        Trusted key: gov.       86400   IN      DNSKEY  257 3 7
AQO7tpGcHVEdeAwk47cj6Tuc3dvAUktIQ1vMu8mGtGYQ8F6vSOgViE0tmzPtVFrV9E6kY1jLYCh+oKPWn7efpQVMkqc+2b9ECYk/81fA4Vb0BfyYKKhiW7T1uNX4rC03JZa2u8iOHwqq4BRVplksFXCGn47i2Sosa5KuqCNBqUA0oyPTEbxkyNo3Q6l8ZcscILqbvWZ0BJKaLCTtj08Nj35LTqd/XVoEObp48A21Pqyi6Kiblh9H6NoLtqhlvP5+8AujtINJ+sTUQZYgqt9iFQp2AH4HvyJdw8Vkr1QRhhshq6RgRidnOvTIWZKoe4QHQrvmOfW245zv+22Iuu5rYpcl
;{id = 53138 (ksk), size = 2048b}
[T] ca.gov. 86400 IN DS 59151 7 1 b944a2ddc6320e245b9b897e8238b1b850b22344
ca.gov. 86400 IN DS 59151 7 2
c229cd687bedbbf4908b9bceee0239007abd77f9b66ae2d1e16b59e47ee19282
;; Domain: ca.gov.
[T] ca.gov. 172800 IN DNSKEY 257 3 7 ;{id = 59151 (ksk), size = 2048b}
ca.gov. 172800 IN DNSKEY 256 3 8 ;{id = 60459 (zsk), size = 1024b}
[T] ca.gov.     86400   IN      A       134.186.200.20
;;[S] self sig OK; [B] bogus; [T] trusted
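The two validator policies Olafur contrasts above (strict per-DS-algorithm checking as he describes Unbound doing it, versus accepting any one good signature), modelled as an added example over the ca.gov signing state from his table. This is not code from the thread or from Unbound; keys are (algorithm, keytag) pairs and no real cryptography is performed, only the chain-of-trust bookkeeping.

```python
# Added example (not code from the thread or from Unbound): models the two
# validation policies contrasted in the reply, run over the ca.gov signing
# state from the table. Keys are (algorithm, keytag) pairs; no real
# cryptography is performed, only the chain-of-trust bookkeeping.

# Constructed from the table in the reply: DS 7/59151, DNSKEY 7/59151 and
# 8/60459, and the signer of each RRset's RRSIGs.
DS_SET = {(7, 59151)}
DNSKEY_SET = {(7, 59151), (8, 60459)}
RRSIGS = {
    "DNSKEY": {(7, 59151), (8, 60459)},
    "SOA":    {(7, 59151), (8, 60459)},
    "NSEC":   {(7, 22178), (8, 60459)},   # 7/22178 is not in DNSKEY_SET
    "A":      {(7, 22178), (8, 60459)},
}


def dnskey_rrset_trusted(ds_set, dnskey_set, dnskey_sigs):
    """The apex DNSKEY RRset is trusted when a key that matches a DS record
    is present in the RRset and has signed it."""
    return any(k in ds_set and k in dnskey_set for k in dnskey_sigs)


def strict_verdict(sigs, dnskey_set, ds_set):
    """Unbound-style: every algorithm from the DS set that has a key in the
    DNSKEY RRset must sign this RRset with a key that is in the RRset."""
    required = {alg for (alg, _) in ds_set if any(a == alg for (a, _) in dnskey_set)}
    signed = {alg for (alg, tag) in sigs if (alg, tag) in dnskey_set}
    return "validates" if required <= signed else "SERVFAIL"


def lenient_verdict(sigs, dnskey_set):
    """Postel-style: one signature from any key in the trusted DNSKEY RRset
    is enough, whatever its algorithm."""
    return "validates" if sigs & dnskey_set else "SERVFAIL"


def evaluate(ds_set, dnskey_set, rrsigs):
    """Return {rrset: (strict, lenient)} for each RRset in the zone."""
    if not dnskey_rrset_trusted(ds_set, dnskey_set, rrsigs["DNSKEY"]):
        # Nothing below the apex chains to the parent; both policies fail.
        return {name: ("SERVFAIL", "SERVFAIL") for name in rrsigs}
    return {
        name: (strict_verdict(sigs, dnskey_set, ds_set),
               lenient_verdict(sigs, dnskey_set))
        for name, sigs in rrsigs.items()
    }


if __name__ == "__main__":
    for name, (strict, lenient) in evaluate(DS_SET, DNSKEY_SET, RRSIGS).items():
        print(f"{name:6} strict={strict:9} lenient={lenient}")
```

Under the strict policy the NSEC and A RRsets come back SERVFAIL because their only algorithm-7 signature is from 22178, a key absent from the DNSKEY RRset, which is exactly the "signatures from unknown keys" case in the log line; the lenient policy accepts them on the 8/60459 signature alone.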




_______________________________________________
Unbound-users mailing list
http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users