On Wed, 4 Feb 2015, Jan Včelák wrote:
info: validation failure <jvcelak.fedorapeople.org. A IN>: no signatures for <fedorapeople.org. NS IN> from x.x.x.x
After inspecting responses from BIND and Unbound, I believe this is caused by BIND adding NS RRs without an RRSIG into the authority section of the answer.

BIND:

% kdig +dnssec @x.x.x.x jvcelak.fedorapeople.org A
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 59967
;; Flags: qr rd ra; QUERY: 1; ANSWER: 2; AUTHORITY: 6; ADDITIONAL: 7

;; EDNS PSEUDOSECTION:
;; Version: 0; flags: do; UDP size: 4096 B; ext-rcode: Unused

;; QUESTION SECTION:
;; jvcelak.fedorapeople.org. IN A

;; ANSWER SECTION:
jvcelak.fedorapeople.org. 3600 IN A 152.19.134.191
jvcelak.fedorapeople.org. 3600 IN RRSIG A 5 2 3600 ...

;; AUTHORITY SECTION:
*.fedorapeople.org. 3600 IN NSEC fedorapeople.org. ...
*.fedorapeople.org. 3600 IN RRSIG NSEC 5 2 86400 ...
fedorapeople.org. 33297 IN NS ns02.fedoraproject.org.
...

;; ADDITIONAL SECTION:
ns02.fedoraproject.org. 48697 IN A 152.19.134.139
ns02.fedoraproject.org. 48697 IN AAAA ...
...
I would expect unbound to just clean/ignore any additional data that comes without RRSIG. If not, that would be a bug. Note that my old bind97 I have running on an old nameserver also returns data without the AD bit set. But I think 9.7 is known to have some issues with wildcards and CNAMEs.

Paul

_______________________________________________
Unbound-users mailing list
[email protected]
http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
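An added example, not code from the thread or from Unbound or BIND: it groups a constructed kdig-style response into RRsets per section, reports which RRsets have no covering RRSIG (the condition behind the "no signatures for <fedorapeople.org. NS IN>" message), and applies the behaviour Paul describes, dropping unsigned RRsets from AUTHORITY/ADDITIONAL instead of failing the whole response. The record layout and all RDATA values are constructed for the example.

```python
"""Flag and scrub unsigned non-answer RRsets in a DNSSEC response."""
from collections import defaultdict

# Constructed sample modelled on the kdig output quoted in the thread.
# Each line: SECTION owner ttl class type rdata...  (RDATA is made up.)
SAMPLE = """\
ANSWER jvcelak.fedorapeople.org. 3600 IN A 152.19.134.191
ANSWER jvcelak.fedorapeople.org. 3600 IN RRSIG A 5 2 3600 20150301000000 20150201000000 12345 fedorapeople.org. c2lnCg==
AUTHORITY *.fedorapeople.org. 3600 IN NSEC fedorapeople.org. A RRSIG NSEC
AUTHORITY *.fedorapeople.org. 3600 IN RRSIG NSEC 5 2 86400 20150301000000 20150201000000 12345 fedorapeople.org. c2lnCg==
AUTHORITY fedorapeople.org. 33297 IN NS ns02.fedoraproject.org.
ADDITIONAL ns02.fedoraproject.org. 48697 IN A 152.19.134.139
"""


def parse(text):
    """Return ({(section, owner, type): [rdata, ...]}, signed) where `signed`
    holds (section, owner, covered_type) for every RRSIG seen."""
    rrsets = defaultdict(list)
    signed = set()
    for line in text.splitlines():
        if not line.strip():
            continue
        section, owner, _ttl, _cls, rtype, *rdata = line.split()
        if rtype == "RRSIG":
            signed.add((section, owner, rdata[0]))  # rdata[0] = type covered
        else:
            rrsets[(section, owner, rtype)].append(" ".join(rdata))
    return rrsets, signed


def unsigned_rrsets(text):
    """List RRsets that carry no RRSIG in their own section, in sorted order."""
    rrsets, signed = parse(text)
    return sorted(key for key in rrsets if key not in signed)


def scrub_unsigned(text):
    """Keep signed RRsets everywhere; keep unsigned ones only in ANSWER, where
    a validator must still fail loudly rather than silently drop them."""
    rrsets, signed = parse(text)
    return {k: v for k, v in rrsets.items() if k in signed or k[0] == "ANSWER"}
```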
