Hi Wenci,

I receive answers for them. Your dig contacted unbound itself. You should set dig +cdflag so you can see the dnssec invalid answers that unbound has, or set dig to probe the other servers.

sirius-soft.at seems to have retracted its DS record and is now insecure - I guess something was wrong for them.

rellim.com has faulty algorithm rollover - they publish DS records algorithms 5 and 7, and have DNSKEYs 7 and 8. There are no keys of type 5... This breaks resolution for unbound. Other software has a more lenient view on algorithm rollover and keys. And it goes back to a debate about whether one key is enough or if you want to check all available algorithms; it advertises algorithm 5 and thus it must provide a chain of trust for algorithm 5.

Best regards,
Wouter

On 11/29/2013 06:24 PM, Wendi Chen wrote:
> Hi All,
>
> We consistently receive the following unbound logs:
>
> 131127 17:48:33 unbound: [5694:0] info: validation failure d.t10000.u6860931751.s1385574322.i1009.v6022.503b8.z.dotnxdomain.net. A IN
> 131127 17:51:28 unbound: [5694:0] info: validation failure ns2.sirius-soft.at. A IN
> 131127 17:51:28 unbound: [5694:0] info: validation failure ns1.sirius-soft.at. A IN
> 131127 17:51:28 unbound: [5694:0] info: validation failure ns3.sirius-soft.at. A IN
> 131127 17:51:45 unbound: [5694:1] info: validation failure ns2.sirius-soft.at. A IN
> 131127 17:52:02 unbound: [5694:1] info: validation failure ns3.sirius-soft.at. A IN
> 131127 17:52:35 unbound: [689:0] info: validation failure rellim.com. A IN
> 131127 17:52:36 unbound: [21479:0] info: validation failure rellim.com. A IN
> 131127 17:52:46 unbound: [5694:0] info: validation failure rellim.com. A IN
> 131127 17:52:46 unbound: [5694:0] info: validation failure rellim.com. NS IN
> 131127 17:52:46 unbound: [5694:0] info: validation failure ns1.rellim.com. A IN
> 131127 17:52:46 unbound: [689:1] info: validation failure rellim.com. A IN
> 131127 17:52:48 unbound: [21479:1] info: validation failure rellim.com. A IN
> 131127 17:52:48 unbound: [21479:1] info: validation failure rellim.com. NS IN
> 131127 17:52:48 unbound: [21479:1] info: validation failure ns2.rellim.com. AAAA IN
> 131127 17:52:48 unbound: [21479:1] info: validation failure ns1.rellim.com. A IN
>
> Is it a bug in unbound or a problem with the DNS configuration of those sites?
>
> I ran dig commands on those sites and found all of them returned no answers.
>
> For example, wendi: dig rellim.com
>
> ; <<>> DiG 9.9.3-rl.13207.22-P2-RedHat-9.9.3-5.P2.fc19 <<>> rellim.com
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 52216
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;rellim.com. IN A
>
> ;; Query time: 840 msec
> ;; SERVER: 192.168.58.1#53(192.168.58.1)
> ;; WHEN: Fri Nov 29 12:20:38 EST 2013
> ;; MSG SIZE rcvd: 39
>
> Thank you if you can give me some advice.
>
> Best, Wendi
>
> _______________________________________________
> Unbound-users mailing list
> [email protected]
> http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
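
The mismatch described in the reply above (DS algorithms 5 and 7 against DNSKEY algorithms 7 and 8) can be checked mechanically by comparing the algorithm fields of the two RRsets. The following is an added example, not part of the original thread and not Unbound's code; the records are constructed for example.com with placeholder key tags, digests and keys, and the function names are hypothetical.

```python
# Added example: checks that every DS algorithm has a matching DNSKEY.
ALG_NAMES = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256"}

# Constructed records in dig answer-section format. example.com, the key
# tags, digests and key material are placeholders, not data from the thread.
SAMPLE = """\
; DS RRset published in the parent zone
example.com. 86400 IN DS 11111 5 1 0123456789ABCDEF0123456789ABCDEF01234567
example.com. 86400 IN DS 22222 7 1 89ABCDEF0123456789ABCDEF0123456789ABCDEF
; DNSKEY RRset at the zone apex
example.com. 3600 IN DNSKEY 257 3 7 AwEAAQ==
example.com. 3600 IN DNSKEY 256 3 7 AwEAAQ==
example.com. 3600 IN DNSKEY 257 3 8 AwEAAQ==
"""

def parse_algorithms(text):
    """Return (ds_algs, dnskey_algs): the algorithm numbers seen per type."""
    ds, dnskey = set(), set()
    for line in text.splitlines():
        fields = line.split(";", 1)[0].split()  # drop comments
        # DS rdata: keytag ALG digesttype digest; DNSKEY rdata: flags proto ALG key
        for rrtype, algs, pos in (("DS", ds, 1), ("DNSKEY", dnskey, 2)):
            if rrtype in fields:
                rdata = fields[fields.index(rrtype) + 1:]
                if len(rdata) >= 4 and rdata[pos].isdigit():
                    algs.add(int(rdata[pos]))
    return ds, dnskey

def check_rollover(text):
    """Classify the delegation by DS/DNSKEY algorithm coverage only."""
    ds, dnskey = parse_algorithms(text)
    missing = sorted(ds - dnskey)
    if not ds:
        status = "no-ds"              # no DS at the parent: zone is insecure
    elif missing:
        status = "missing-algorithm"  # DS advertises an algorithm with no key
    else:
        status = "covered"            # signatures still have to be validated
    return {"status": status, "ds_without_dnskey": missing,
            "dnskey_without_ds": sorted(dnskey - ds)}

if __name__ == "__main__":
    result = check_rollover(SAMPLE)
    print(result["status"])
    for alg in result["ds_without_dnskey"]:
        print(f"DS algorithm {alg} ({ALG_NAMES.get(alg, 'unknown')}) has no DNSKEY")
```

The input can be the combined answer sections of the DS and DNSKEY queries for a zone; a "no-ds" result corresponds to the retracted-DS case mentioned for sirius-soft.at.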
