Hi Ehren,

On 06/28/2013 03:47 PM, Ehren Hawks wrote:
> Yesterday a customer of ours reported they couldn't get to
> *mypay.dfas.mil*. Upon looking into it I see both of my Unbound
> servers are returning SERVFAIL. Given the type of site this is I
> suspected this to be a possible DNSSEC issue. I verified there's an
> issue here:

Unbound checks that the chain of trust uses the correct algorithm, as
advertised by the DS record. The DS record advertises algorithm 7
(only). The DNSKEY record set has keys for 7 and 8. The MX record is
signed with only 8.

Unbound is strict here: the DS record states that this chain of trust
must be present (MUST in the RFC). It is not: bogus.

BIND is more lenient here, and a signature whose algorithm was not
advertised is fine.

Best regards, Wouter

> http://dnsviz.net/d/dfas.mil/dnssec/
>
> • dfas.mil/DNSKEY: This RRset is not covered by any RRSIG.
>
> • dfas.mil/MX: DNSKEYs exist for algorithm(s) 8, 7 in the dfas.mil
> zone, but the dfas.mil/MX RRset was not signed by any DNSKEY with
> algorithm(s) 7.
>
> • dfas.mil/SOA: DNSKEYs exist for algorithm(s) 8, 7 in the dfas.mil
> zone, but the dfas.mil/SOA RRset was not signed by any DNSKEY with
> algorithm(s) 7.
>
> • dfas.mil/TXT: DNSKEYs exist for algorithm(s) 8, 7 in the dfas.mil
> zone, but the dfas.mil/TXT RRset was not signed by any DNSKEY with
> algorithm(s) 7.
>
> I tested resolution against both DNS-OARC's BIND and Unbound
> DNSSEC public servers:
>
> BIND 9    149.20.64.20   2001:4f8:3:2bc:1::64:20
> Unbound   149.20.64.21   2001:4f8:3:2bc:1::64:21
>
> Their Unbound server fails just as mine do, but their BIND server
> returns the A record. I'm reluctant to disable DNSSEC validation
> over this one domain, considering there appears to be an actual
> problem. Considering BIND as well as Google's public DNS are
> validating this site OK I figured it was worth bringing up.
>
> Any feedback is appreciated!
>
> /ehren
>
> _______________________________________________
> Unbound-users mailing list
> [email protected]
> http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
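The two validator policies Wouter contrasts, modelled as an added example (this is not Unbound's or BIND's code, and it does no cryptographic verification; it only does the algorithm bookkeeping). The record data is constructed from the dnsviz findings quoted in the thread: DS advertises algorithm 7 only, the DNSKEY RRset holds 7 and 8, and MX/SOA/TXT carry RRSIGs from algorithm 8 only. The `strict_check` and `lenient_check` names, the `Zone` container and the two extra zones (`FIXED`, `MISMATCH`) are assumptions made for illustration; a zone operator can feed the same structure with their own DS, DNSKEY and RRSIG algorithms before publishing a DS to see whether a strict validator will mark the zone bogus.

```python
"""Algorithm bookkeeping for a DNSSEC chain of trust (added example).

Two simplified policies, as the thread describes them:
  strict  -- every algorithm advertised in the DS must appear in the DNSKEY
             RRset and must sign each RRset (the behaviour attributed to Unbound)
  lenient -- any RRSIG from a key present in the DNSKEY RRset is accepted, as
             long as some DS algorithm lets the DNSKEY RRset be authenticated
             (the behaviour attributed to BIND)
No signatures are verified; only the algorithm sets are compared.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class Zone:
    name: str
    ds_algorithms: Set[int]                 # algorithms listed in the parent's DS RRset
    dnskey_algorithms: Set[int]             # algorithms present in the apex DNSKEY RRset
    rrsig_algorithms: Dict[str, Set[int]] = field(default_factory=dict)  # rrtype -> RRSIG algs


def strict_check(zone: Zone, rrtype: str) -> Tuple[str, List[str]]:
    """Strict policy: each DS algorithm must have a DNSKEY and must sign rrtype."""
    findings: List[str] = []
    sigs = zone.rrsig_algorithms.get(rrtype, set())
    for alg in sorted(zone.ds_algorithms):
        if alg not in zone.dnskey_algorithms:
            findings.append(f"DS advertises algorithm {alg} but no DNSKEY uses it")
        if alg not in sigs:
            findings.append(f"{zone.name}/{rrtype} has no RRSIG with algorithm {alg}")
    if not sigs:
        findings.append(f"{zone.name}/{rrtype} is not covered by any RRSIG")
    return ("bogus" if findings else "secure"), findings


def lenient_check(zone: Zone, rrtype: str) -> Tuple[str, List[str]]:
    """Lenient policy: one RRSIG from any key in the DNSKEY RRset is enough."""
    findings: List[str] = []
    if not (zone.ds_algorithms & zone.dnskey_algorithms):
        findings.append("no DNSKEY matches any DS algorithm; DNSKEY RRset cannot be authenticated")
    sigs = zone.rrsig_algorithms.get(rrtype, set())
    if not (sigs & zone.dnskey_algorithms):
        findings.append(f"{zone.name}/{rrtype} has no RRSIG from a key in the DNSKEY RRset")
    return ("bogus" if findings else "secure"), findings


def compare(zone: Zone, rrtype: str) -> Dict[str, str]:
    """Verdict of both policies for one RRset, e.g. {'strict': 'bogus', 'lenient': 'secure'}."""
    return {"strict": strict_check(zone, rrtype)[0],
            "lenient": lenient_check(zone, rrtype)[0]}


# Constructed from the dnsviz output quoted in the thread (not a live lookup).
DFAS = Zone(
    name="dfas.mil",
    ds_algorithms={7},
    dnskey_algorithms={7, 8},
    rrsig_algorithms={"MX": {8}, "SOA": {8}, "TXT": {8}},
)

# Hypothetical repaired zone: every RRset also signed with algorithm 7.
FIXED = Zone(
    name="dfas.mil",
    ds_algorithms={7},
    dnskey_algorithms={7, 8},
    rrsig_algorithms={"MX": {7, 8}, "SOA": {7, 8}, "TXT": {7, 8}},
)

# Hypothetical zone whose DS points at an algorithm no DNSKEY uses: both policies fail.
MISMATCH = Zone(
    name="example.test",
    ds_algorithms={13},
    dnskey_algorithms={8},
    rrsig_algorithms={"MX": {8}},
)

if __name__ == "__main__":
    for zone in (DFAS, FIXED, MISMATCH):
        for rrtype in sorted(zone.rrsig_algorithms):
            status, findings = strict_check(zone, rrtype)
            print(f"{zone.name}/{rrtype}: strict={status} lenient={lenient_check(zone, rrtype)[0]}")
            for line in findings:
                print("   ", line)
```

Running it reproduces the split seen in the thread: the strict policy marks dfas.mil/MX, /SOA and /TXT bogus because no RRSIG with algorithm 7 exists, while the lenient policy accepts the algorithm 8 signatures; signing every RRset with both algorithms (or dropping algorithm 7 from the DS once only algorithm 8 keys sign) satisfies both.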
