Unbound reports DNSSEC validation failure for nonexistent subdomains of .bit domains #92

Open
JeremyRand opened this issue Feb 9, 2019 · 1 comment

JeremyRand commented Feb 9, 2019

Whenever I use q to query Unbound for a nonexistent subdomain of a .bit domain (e.g. the www.bluishcoder.bit subdomain, which doesn't exist while bluishcoder.bit does exist), I get SERVFAIL instead of NXDOMAIN. ncdns itself does correctly return NXDOMAIN.

The following shows up in Unbound's systemd logs when verbosity is set to 2 (the log is for looking up TLSA records in _443._tcp.bluishcoder.bit):

Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: resolving _443._tcp.bluishcoder.bit. TLSA IN
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: use stub bit. NS IN
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: resolving bit. DNSKEY IN
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: response for _443._tcp.bluishcoder.bit. TLSA IN
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: reply from <bit.> 127.0.0.1#5391
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: query response was ANSWER
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: response for _443._tcp.bluishcoder.bit. TLSA IN
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: reply from <bit.> 127.0.0.1#5391
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: query response was DNSSEC LAME
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: response for _443._tcp.bluishcoder.bit. TLSA IN
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: reply from <bit.> 127.0.0.1#5391
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: query response was NXDOMAIN ANSWER
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: resolving bluishcoder.bit. DS IN
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: use stub bit. NS IN
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: response for bluishcoder.bit. DS IN
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: reply from <bit.> 127.0.0.1#5391
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: query response was nodata ANSWER
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: NSEC3s for the referral proved no delegation
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: resolving _tcp.bluishcoder.bit. DS IN
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: use stub bit. NS IN
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: response for _tcp.bluishcoder.bit. DS IN
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: reply from <bit.> 127.0.0.1#5391
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: query response was ANSWER
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: resolving bluishcoder.bit. NS IN
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: use stub bit. NS IN
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: response for bluishcoder.bit. NS IN
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: reply from <bit.> 127.0.0.1#5391
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: query response was ANSWER
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: response for bluishcoder.bit. NS IN
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: reply from <bit.> 127.0.0.1#5391
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: query response was nodata ANSWER
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: response for _tcp.bluishcoder.bit. DS IN
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: reply from <bit.> 127.0.0.1#5391
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: query response was DNSSEC LAME
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: response for _tcp.bluishcoder.bit. DS IN
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: reply from <bit.> 127.0.0.1#5391
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: query response was NXDOMAIN ANSWER
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: resolving _tcp.bluishcoder.bit. DS IN
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: use stub bit. NS IN
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: response for _tcp.bluishcoder.bit. DS IN
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: reply from <bit.> 127.0.0.1#5391
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: query response was ANSWER
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: resolving bluishcoder.bit. NS IN
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: response for _tcp.bluishcoder.bit. DS IN
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: reply from <bit.> 127.0.0.1#5391
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: query response was DNSSEC LAME
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: response for _tcp.bluishcoder.bit. DS IN
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: reply from <bit.> 127.0.0.1#5391
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: query response was NXDOMAIN ANSWER
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: resolving _tcp.bluishcoder.bit. DS IN
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: use stub bit. NS IN
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: response for _tcp.bluishcoder.bit. DS IN
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: reply from <bit.> 127.0.0.1#5391
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: query response was ANSWER
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: resolving bluishcoder.bit. NS IN
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: response for _tcp.bluishcoder.bit. DS IN
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: reply from <bit.> 127.0.0.1#5391
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: query response was DNSSEC LAME
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: response for _tcp.bluishcoder.bit. DS IN
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: reply from <bit.> 127.0.0.1#5391
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: query response was NXDOMAIN ANSWER
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: resolving _tcp.bluishcoder.bit. DS IN
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: use stub bit. NS IN
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: response for _tcp.bluishcoder.bit. DS IN
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: reply from <bit.> 127.0.0.1#5391
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: query response was ANSWER
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: resolving bluishcoder.bit. NS IN
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: response for _tcp.bluishcoder.bit. DS IN
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: reply from <bit.> 127.0.0.1#5391
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: query response was DNSSEC LAME
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: response for _tcp.bluishcoder.bit. DS IN
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: reply from <bit.> 127.0.0.1#5391
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: query response was NXDOMAIN ANSWER
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: resolving _tcp.bluishcoder.bit. DS IN
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: use stub bit. NS IN
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: response for _tcp.bluishcoder.bit. DS IN
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: reply from <bit.> 127.0.0.1#5391
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: query response was ANSWER
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: resolving bluishcoder.bit. NS IN
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: response for _tcp.bluishcoder.bit. DS IN
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: reply from <bit.> 127.0.0.1#5391
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: query response was DNSSEC LAME
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: response for _tcp.bluishcoder.bit. DS IN
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: reply from <bit.> 127.0.0.1#5391
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: query response was NXDOMAIN ANSWER
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: resolving _tcp.bluishcoder.bit. DS IN
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: use stub bit. NS IN
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: response for _tcp.bluishcoder.bit. DS IN
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: reply from <bit.> 127.0.0.1#5391
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: query response was ANSWER
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: resolving bluishcoder.bit. NS IN
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: response for _tcp.bluishcoder.bit. DS IN
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: reply from <bit.> 127.0.0.1#5391
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: query response was DNSSEC LAME
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: response for _tcp.bluishcoder.bit. DS IN
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: reply from <bit.> 127.0.0.1#5391
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: query response was NXDOMAIN ANSWER
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: Could not establish a chain of trust to keys for _tcp.bluishcoder.bit. DNSKEY IN
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: validation failure _443._tcp.bluishcoder.bit. TLSA IN

This happens for the following environments:

  • ncdns v0.0.6 in Fedora, DNSSEC configured manually
  • ncdns v0.0.8 in Fedora, DNSSEC configured manually
  • ncdns-nsis v0.0.8 in Windows, DNSSEC configured by NSIS

I wouldn't be surprised if this is a madns bug rather than an ncdns bug, but as I can't prove that, I'm posting the issue in the ncdns repo.
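An added example, not part of the original issue or of the ncdns or Unbound code: a Python script that condenses an Unbound verbosity-2 log like the one above into the ordered list of classifications Unbound assigned to each query, which makes the repeated ANSWER / DNSSEC LAME / NXDOMAIN ANSWER cycle easy to spot. The function names `summarize` and `inconsistent` are this example's own, and the sample lines are abridged from the log quoted in the issue.

```python
import re
from collections import defaultdict

# Lines abridged from the Unbound log quoted in the issue (prefix as logged).
PREFIX = "Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: "
SAMPLE = [PREFIX + m for m in (
    "response for _443._tcp.bluishcoder.bit. TLSA IN",
    "query response was DNSSEC LAME",
    "response for _443._tcp.bluishcoder.bit. TLSA IN",
    "query response was NXDOMAIN ANSWER",
    "response for bluishcoder.bit. DS IN",
    "reply from <bit.> 127.0.0.1#5391",
    "query response was nodata ANSWER",
    "response for _tcp.bluishcoder.bit. DS IN",
    "query response was ANSWER",
    "response for _tcp.bluishcoder.bit. DS IN",
    "query response was DNSSEC LAME",
    "response for _tcp.bluishcoder.bit. DS IN",
    "query response was NXDOMAIN ANSWER",
    "validation failure _443._tcp.bluishcoder.bit. TLSA IN",
)]

MSG = re.compile(r"unbound\[\d+\]: \[\d+:\d+\] info: (.*)$")
RESP = re.compile(r"response for (\S+) (\S+) IN$")
VERDICT = re.compile(r"query response was (.+)$")
FAIL = re.compile(r"validation failure (\S+) (\S+) IN$")

def summarize(lines):
    """Return ({(qname, qtype): [classification, ...]}, [(qname, qtype) failures])."""
    verdicts, failures, current = defaultdict(list), [], None
    for line in lines:
        m = MSG.search(line)
        if not m:
            continue  # not an Unbound info line
        msg = m.group(1)
        if (r := RESP.match(msg)):
            current = r.groups()  # query the next classification belongs to
        elif (v := VERDICT.match(msg)) and current:
            verdicts[current].append(v.group(1))
            current = None
        elif (f := FAIL.match(msg)):
            failures.append(f.groups())
    return dict(verdicts), failures

def inconsistent(verdicts):
    """Queries whose responses were classified in more than one way."""
    return {q: v for q, v in verdicts.items() if len(set(v)) > 1}
```

Feeding it the full journal output instead of `SAMPLE` (one log line per list element) gives the same per-query view for the whole resolution attempt.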

@JeremyRand

@hlandau Any idea what's wrong here?
