Hello again. I did some additional research...

> % kdig @::1 jvcelak.fedorapeople.org
> ;; ->>HEADER<<- opcode: QUERY; status: SERVFAIL; id: 54325
>
> % sudo unbound-control list_forwards
> . IN forward x.x.x.x

With val-log-level 2, I found the following:

info: validation failure <jvcelak.fedorapeople.org. A IN>: no signatures for <fedorapeople.org. NS IN> from x.x.x.x

I fired up a second Unbound, configured it to perform the resolution from root, set it up in place of the x.x.x.x, flushed the cache, and the validation started to work.

After inspecting responses from BIND and Unbound, I believe this is caused by BIND adding NS RRs without an RRSIG into the authority section of the answer.

Unbound:

% kdig +dnssec @127.0.0.2 jvcelak.fedorapeople.org A
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 802
;; Flags: qr rd ra ad; QUERY: 1; ANSWER: 2; AUTHORITY: 2; ADDITIONAL: 1

;; EDNS PSEUDOSECTION:
;; Version: 0; flags: do; UDP size: 4096 B; ext-rcode: Unused

;; QUESTION SECTION:
;; jvcelak.fedorapeople.org. IN A

;; ANSWER SECTION:
jvcelak.fedorapeople.org. 3585 IN A 152.19.134.191
jvcelak.fedorapeople.org. 3585 IN RRSIG A 5 2 3600 ...

;; AUTHORITY SECTION:
*.fedorapeople.org. 86385 IN NSEC fedorapeople.org. ...
*.fedorapeople.org. 86385 IN RRSIG NSEC 5 2 86400 ...

;; Received 461 B
;; Time 2015-02-04 01:12:51 CET
;; From 127.0.0.2@53(UDP) in 0.1 ms

BIND:

% kdig +dnssec @x.x.x.x jvcelak.fedorapeople.org A
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 59967
;; Flags: qr rd ra; QUERY: 1; ANSWER: 2; AUTHORITY: 6; ADDITIONAL: 7

;; EDNS PSEUDOSECTION:
;; Version: 0; flags: do; UDP size: 4096 B; ext-rcode: Unused

;; QUESTION SECTION:
;; jvcelak.fedorapeople.org. IN A

;; ANSWER SECTION:
jvcelak.fedorapeople.org. 3600 IN A 152.19.134.191
jvcelak.fedorapeople.org. 3600 IN RRSIG A 5 2 3600 ...

;; AUTHORITY SECTION:
*.fedorapeople.org. 3600 IN NSEC fedorapeople.org. ...
*.fedorapeople.org. 3600 IN RRSIG NSEC 5 2 86400 ...
fedorapeople.org. 33297 IN NS ns02.fedoraproject.org.
...

;; ADDITIONAL SECTION:
ns02.fedoraproject.org. 48697 IN A 152.19.134.139
ns02.fedoraproject.org. 48697 IN AAAA ...
...

;; Received 674 B
;; Time 2015-02-04 01:11:12 CET
;; From x.x.x.x@53(UDP) in 93.0 ms

I don't know why BIND is adding the NS into the answer. But I think this is really a problem of BIND, as per http://tools.ietf.org/html/rfc4035#section-3.1.1:

> o  When placing a signed RRset in the Authority section, the name
>    server MUST also place its RRSIG RRs in the Authority section.
>    The RRSIG RRs have a higher priority for inclusion than any other
>    RRsets that may have to be included.  If space does not permit
>    inclusion of these RRSIG RRs, the name server MUST set the TC bit.

Please, can somebody confirm that my assumptions are right?

Thanks and regards,
Jan

_______________________________________________
Unbound-users mailing list
[email protected]
http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
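As an added example that is not part of the original post or of Unbound's or BIND's code: a small Python checker that parses the text `kdig +dnssec` prints, groups the records of the answer and authority sections into RRsets, and reports every RRset that has no RRSIG covering it in the same section. That is the condition behind the `no signatures for <fedorapeople.org. NS IN>` log line above. The parser is a deliberately minimal one written for this example, and the two embedded responses are constructed from the abbreviated output quoted in the post, with the elided fields kept as `...`.

```python
"""Flag RRsets in a kdig +dnssec response that carry no RRSIG (RFC 4035 3.1.1).

Added example, not part of the mailing-list post. The parser handles only the
plain 'owner ttl IN type rdata' lines that kdig prints; it is not a general
zone-file parser.
"""
import re
from collections import defaultdict

# Constructed sample: the BIND response quoted in the post, RDATA shortened
# to "..." exactly as it appears there. The remaining authority/additional
# records were elided in the post and are not reconstructed here.
BIND_RESPONSE = """\
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 59967
;; Flags: qr rd ra; QUERY: 1; ANSWER: 2; AUTHORITY: 6; ADDITIONAL: 7

;; QUESTION SECTION:
;; jvcelak.fedorapeople.org. IN A

;; ANSWER SECTION:
jvcelak.fedorapeople.org. 3600 IN A 152.19.134.191
jvcelak.fedorapeople.org. 3600 IN RRSIG A 5 2 3600 ...

;; AUTHORITY SECTION:
*.fedorapeople.org. 3600 IN NSEC fedorapeople.org. ...
*.fedorapeople.org. 3600 IN RRSIG NSEC 5 2 86400 ...
fedorapeople.org. 33297 IN NS ns02.fedoraproject.org.

;; ADDITIONAL SECTION:
ns02.fedoraproject.org. 48697 IN A 152.19.134.139
"""

# Constructed sample: the Unbound response quoted in the post.
UNBOUND_RESPONSE = """\
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 802
;; Flags: qr rd ra ad; QUERY: 1; ANSWER: 2; AUTHORITY: 2; ADDITIONAL: 1

;; QUESTION SECTION:
;; jvcelak.fedorapeople.org. IN A

;; ANSWER SECTION:
jvcelak.fedorapeople.org. 3585 IN A 152.19.134.191
jvcelak.fedorapeople.org. 3585 IN RRSIG A 5 2 3600 ...

;; AUTHORITY SECTION:
*.fedorapeople.org. 86385 IN NSEC fedorapeople.org. ...
*.fedorapeople.org. 86385 IN RRSIG NSEC 5 2 86400 ...
"""

SECTION_RE = re.compile(r"^;; (\w+) SECTION:")
RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s*(.*)$")


def parse_sections(text):
    """Return {section: [(owner, ttl, type, rdata), ...]} from kdig text output.

    Lines starting with ';' (header, flags, the question line) carry no
    resource records and are skipped.
    """
    sections = defaultdict(list)
    current = None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            continue
        if not line or line.startswith(";") or current is None:
            continue
        m = RR_RE.match(line)
        if m:
            owner, ttl, rtype, rdata = m.groups()
            sections[current].append((owner.lower(), int(ttl), rtype, rdata))
    return sections


def unsigned_rrsets(records):
    """Return sorted (owner, type) pairs with no RRSIG covering them.

    An RRSIG's first RDATA field is the type it covers; RRSIG RRs are
    themselves never signed, so they are only used as evidence of coverage.
    """
    rrsets, covered = set(), set()
    for owner, _ttl, rtype, rdata in records:
        if rtype == "RRSIG":
            covered.add((owner, rdata.split()[0]))
        else:
            rrsets.add((owner, rtype))
    return sorted(rrsets - covered)


def check_response(text):
    """Map ANSWER and AUTHORITY to their unsigned RRsets (empty lists = OK)."""
    sections = parse_sections(text)
    return {name: unsigned_rrsets(sections.get(name, []))
            for name in ("ANSWER", "AUTHORITY")}


if __name__ == "__main__":
    for label, resp in (("BIND", BIND_RESPONSE), ("Unbound", UNBOUND_RESPONSE)):
        print(label, check_response(resp))
```

On the BIND response the checker reports `fedorapeople.org. NS` as unsigned in the authority section and nothing else; on the Unbound response both sections come back clean. The additional section is deliberately left out, since the RFC text quoted in the post concerns the authority section. Note also that "unsigned" here only means "no RRSIG in this message": a real validator additionally has to know from the chain of trust whether the RRset's zone is signed at all before it treats a missing RRSIG as a failure.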
