On Wed, Sep 17, 2014 at 10:05 AM, Ondřej Caletka <[email protected]> wrote:
> I'm having an issue with validating particular domain names: > > $ dig _25._tcp.mail.relia-pc.cz tlsa > $ dig _443._tcp.kinderporno.cz tlsa > - validates with BIND, fails with Unbound 1.4.21 > - unbound-host says that cname proof failed > > I'm suspecting that there is something wrong on the authoritative side > since both domains are hosted on the same set of servers. But I'm not > able to figure out, what exactly is wrong and how the answers should > look like to be validated successfully by Unbound. > > I don't immediately see anything wrong with the complete names above. But I can see that BIND and unbound both are failing validation for _ tcp.kinderporno.cz. I am wondering if this is perhaps due to incorrect handling of NSEC records associated with wildcards. $ dig +dnssec +noall +authority @ns.forpsi.it _tcp.kinderporno.cz | grep NSEC | head -1 default._domainkey.kinderporno.cz. 3600 IN NSEC _jabber._ tcp.kinderporno.cz. TXT RRSIG NSEC The NSEC record returned doesn't prove that the name doesn't exist (NXDOMAIN) because the name (_tcp.kinderporno.cz) is in fact an ancestor of the next field of the NSEC record (_jabber._tcp.kinderporno.cz), as an empty non-terminal. But that proof is not required for wildcard, only for NXDOMAIN status. But that doesn't explain why unbound would be failing validation on _443._ tcp.kinderporno.cz, unless it is performing validation of _ tcp.kinderporno.cz along the way. Just a guess. Casey
_______________________________________________ Unbound-users mailing list [email protected] http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
