[Unbound-users] DNSSEC mismatch between Bind 9.7 and Unbound

lst_hoe02 at kwsoft.de lst_hoe02 at kwsoft.de
Fri Nov 5 15:01:35 UTC 2010


Hello

today we got this one:

Nov  4 15:51:34 mailer unbound: [17795:1] info: validation failure <lipsofsuna.org. A IN>: DS got unsigned CNAME answer from 10.5.0.3 and 10.5.0.3 for DS lipsofsuna.org. while building chain of trust

Unbound (127.0.0.1) point of view:

; <<>> DiG 9.4.2-P2.1 <<>> @127.0.0.1 +dnssec lipsofsuna.org
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 29562
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;lipsofsuna.org.			IN	A

; <<>> DiG 9.4.2-P2.1 <<>> @127.0.0.1 +dnssec +cdflag lipsofsuna.org
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59237
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;lipsofsuna.org.			IN	A

;; ANSWER SECTION:
lipsofsuna.org.		529	IN	CNAME	vhost.sourceforge.net.
vhost.sourceforge.net.	1214	IN	A	216.34.181.97

;; AUTHORITY SECTION:
sourceforge.net.	61634	IN	NS	ns-1.sourceforge.com.
sourceforge.net.	61634	IN	NS	ns-1.ch3.sourceforge.com.
sourceforge.net.	61634	IN	NS	ns-2.ch3.sourceforge.com.

; <<>> DiG 9.4.2-P2.1 <<>> @127.0.0.1 +dnssec +cdflag lipsofsuna.org DS
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6632
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;lipsofsuna.org.			IN	DS

;; ANSWER SECTION:
lipsofsuna.org.		504	IN	CNAME	vhost.sourceforge.net.

;; AUTHORITY SECTION:
sourceforge.net.	120	IN	SOA	ns-1.ch3.sourceforge.com. hostmaster.corp.sourceforge.com. 2010110300 14400 1800 604800 3600




and Bind 9.7 (10.5.0.3) point of view

; <<>> DiG 9.4.2-P2.1 <<>> @10.5.0.3 +dnssec lipsofsuna.org
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35972
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;lipsofsuna.org.			IN	A

;; ANSWER SECTION:
lipsofsuna.org.		485	IN	CNAME	vhost.sourceforge.net.
vhost.sourceforge.net.	2285	IN	A	216.34.181.97

;; AUTHORITY SECTION:
sourceforge.net.	61590	IN	NS	ns-1.sourceforge.com.
sourceforge.net.	61590	IN	NS	ns-2.ch3.sourceforge.com.
sourceforge.net.	61590	IN	NS	ns-1.ch3.sourceforge.com.

; <<>> DiG 9.4.2-P2.1 <<>> @10.5.0.3 +dnssec +cdflag lipsofsuna.org DS
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32497
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;lipsofsuna.org.			IN	DS

;; ANSWER SECTION:
lipsofsuna.org.		468	IN	CNAME	vhost.sourceforge.net.

;; AUTHORITY SECTION:
sourceforge.net.	84	IN	SOA	ns-1.ch3.sourceforge.com. hostmaster.corp.sourceforge.com. 2010110300 14400 1800 604800 3600

Unbound is configured to use the Bind 9.7 at 10.5.0.3 as a forwarder.
Where is the problem that makes Unbound fail to validate it?

Many Thanks

Andreas
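
A check for the condition named in the Unbound log line above, as an added example that is not part of the original post: it parses dig's text output for a DS query and reports whether the ANSWER section holds a CNAME (or DS) with an RRSIG covering it. The function names are hypothetical, and the sample input is the DS response from 10.5.0.3 quoted in the post, with the OPT and AUTHORITY sections omitted.

```python
import re

# Sample input: the DS response from 10.5.0.3 shown in the post
# (OPT and AUTHORITY sections omitted to keep the example short).
SAMPLE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32497
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;lipsofsuna.org.            IN  DS

;; ANSWER SECTION:
lipsofsuna.org.     468 IN  CNAME   vhost.sourceforge.net.
"""

def parse_dig(text):
    """Parse dig text output into status, flags, question and per-section records."""
    msg = {"status": None, "flags": [], "question": None, "sections": {}}
    current = None
    for line in text.splitlines():
        section = re.match(r";; (\w+) SECTION:", line)
        if line.startswith(";; ->>HEADER<<-"):
            msg["status"] = re.search(r"status: (\w+)", line).group(1)
        elif line.startswith(";; flags:"):
            msg["flags"] = line.split(":", 1)[1].split(";")[0].split()
        elif section:
            current = section.group(1)
        elif not line.strip():
            current = None  # a blank line ends the current section
        elif current == "QUESTION" and line.startswith(";"):
            name, _cls, qtype = line[1:].split()
            msg["question"] = (name, qtype)
        elif current and not line.startswith(";"):
            name, _ttl, _cls, rtype, rdata = line.split(None, 4)
            msg["sections"].setdefault(current, []).append((name, rtype, rdata))
    return msg

def ds_answer_verdict(text):
    """Report what the ANSWER section of a DS response carries and whether it is signed."""
    msg = parse_dig(text)
    if msg["question"] is None or msg["question"][1] != "DS":
        raise ValueError("input is not a response to a DS query")
    answer = msg["sections"].get("ANSWER", [])
    types = {rtype for _, rtype, _ in answer}
    # The first RRSIG rdata field is the type the signature covers.
    covered = {rdata.split()[0] for _, rtype, rdata in answer if rtype == "RRSIG"}
    for rtype in ("DS", "CNAME"):
        if rtype in types:
            return ("signed " if rtype in covered else "unsigned ") + rtype
    return "no DS or CNAME in answer"
```

Saved output of `dig @10.5.0.3 +dnssec +cdflag lipsofsuna.org DS` can be passed to `ds_answer_verdict` unchanged.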







