[Bug 248239] local_unbound: Fails to resolve europris.no fail after 11.3->11.4 upgrade

bugzilla-noreply at freebsd.org
Mon Jul 27 17:52:31 UTC 2020


https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=248239

--- Comment #15 from Viktor Dukhovni <ietf-dane at dukhovni.org> ---
Comment on attachment 216796
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=216796
Drill -DT

The drill output you provide shows everything working correctly:

>$ drill -DT www.europris.no
>;; Number of trusted keys: 1
>;; Domain: .
>[T] . 172800 IN DNSKEY 257 3 8 ;{id = 20326 (ksk), size = 2048b}
>    . 172800 IN DNSKEY 256 3 8 ;{id = 46594 (zsk), size = 2048b}
>Checking if signing key is trusted:
>New key: .      172800  IN      DNSKEY  256 3 8 <blob> ;{id = 46594 (zsk), size = 2048b}
>        Trusted key: .  172800  IN      DNSKEY  257 3 8 <blob> ;{id = 20326 (ksk), size = 2048b}
>        Trusted key: .  172800  IN      DNSKEY  257 3 8 <blob> ;{id = 20326 (ksk), size = 2048b}
>        Trusted key: .  172800  IN      DNSKEY  256 3 8 <blob> ;{id = 46594 (zsk), size = 2048b}
>Key is now trusted!
>[T] no. 86400 IN DS 29471 8 2 <blob>
>;; Domain: no.
>[T] no. 3600 IN DNSKEY 256 3 8 ;{id = 35961 (zsk), size = 1024b}
>    no. 3600 IN DNSKEY 257 3 8 ;{id = 29471 (ksk), size = 2048b}
>Checking if signing key is trusted:
>New key: no.    3600    IN      DNSKEY  256 3 8 <blob> ;{id = 35961 (zsk), size = 1024b}
>        Trusted key: .  172800  IN      DNSKEY  257 3 8 <blob> ;{id = 20326 (ksk), size = 2048b}
>        Trusted key: .  172800  IN      DNSKEY  257 3 8 <blob> ;{id = 20326 (ksk), size = 2048b}
>        Trusted key: .  172800  IN      DNSKEY  256 3 8 <blob> ;{id = 46594 (zsk), size = 2048b}
>        Trusted key: no.        3600    IN      DNSKEY  256 3 8 <blob> ;{id = 35961 (zsk), size = 1024b}
>Key is now trusted!
>        Trusted key: no.        3600    IN      DNSKEY  257 3 8 <blob> ;{id = 29471 (ksk), size = 2048b}
>[T] europris.no. 7200 IN DS 25323 15 2 <blob>
>europris.no. 7200 IN DS 25323 15 4 <blob>
>;; Domain: europris.no.
>;; Signature ok but no chain to a trusted key or ds record
>[S] europris.no. 3600 IN DNSKEY 256 3 15 ;{id = 39946 (zsk), size = 0b}
>    europris.no. 3600 IN DNSKEY 257 3 13 ;{id = 46820 (ksk), size = 256b}
>    europris.no. 3600 IN DNSKEY 257 3 15 ;{id = 25323 (ksk), size = 0b}
>    europris.no. 3600 IN DNSKEY 256 3 13 ;{id = 14997 (zsk), size = 256b}
>;; No DS for www.europris.no.
>;; No ds record for delegation

The DS algorithm is not supported, so it is treated as absent, and the DNSKEY
RRset is reported as self-signed [S].

>;; Domain: www.europris.no.
>;; No DNSKEY record found for www.europris.no.
>[U] No data found for: www.europris.no. type A
>;;[S] self sig OK; [B] bogus; [T] trusted

There are apparently no A records for www.europris.no, though there is a CNAME
record:

  www.europris.no. IN CNAME m2-varnish-production-1583682531.eu-west-1.elb.amazonaws.com.
  www.europris.no. IN RRSIG CNAME 13 3 300 20200822020208 20200723020208 14997 europris.no. <blob>
  www.europris.no. IN RRSIG CNAME 15 3 300 20200822020208 20200723020208 39946 europris.no. <blob>

It appears that "drill -D -T <domain>" does not report the CNAME or A records,
while "drill -D" or "drill -T" alone do.

I see no issue here.
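
Added example, not part of the original comment and not code from drill or unbound: a sketch of the rule behind the diagnosis above (RFC 4035 section 5.2: when a validator supports none of the algorithms in a delegation's DS RRset, it treats the child zone as unsigned), applied to the DS lines from the quoted output. The function names and the two supported-algorithm sets are assumptions chosen for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the DS lines copied from the drill -DT output quoted above.
SAMPLE = """\
>[T] no. 86400 IN DS 29471 8 2 <blob>
>[T] europris.no. 7200 IN DS 25323 15 2 <blob>
>europris.no. 7200 IN DS 25323 15 4 <blob>
"""

# Assumption: one validator built without Ed25519 (15), one built with it.
ALGS_WITHOUT_ED25519 = frozenset({5, 7, 8, 10, 13, 14})
ALGS_WITH_ED25519 = ALGS_WITHOUT_ED25519 | {15}
DIGESTS = frozenset({1, 2, 4})  # SHA-1, SHA-256, SHA-384

DS_RE = re.compile(
    r"^(?:\[[TSBU]\]\s+)?(?P<owner>\S+)\s+\d+\s+IN\s+DS\s+"
    r"(?P<tag>\d+)\s+(?P<alg>\d+)\s+(?P<digest>\d+)\b"
)

def parse_ds(text):
    """Return {owner: [(key_tag, algorithm, digest_type), ...]}."""
    rrsets = defaultdict(list)
    for line in text.splitlines():
        m = DS_RE.match(line.lstrip("> \t"))  # tolerate e-mail quoting
        if m:
            rrsets[m["owner"].lower()].append(
                (int(m["tag"]), int(m["alg"]), int(m["digest"])))
    return dict(rrsets)

def usable_ds(ds_rrset, algs, digests=DIGESTS):
    """DS records the validator can actually use to authenticate a DNSKEY."""
    return [ds for ds in ds_rrset if ds[1] in algs and ds[2] in digests]

def classify(ds_rrsets, algs):
    """Per zone: 'secure' if any DS is usable, else 'insecure'.

    'insecure' means the delegation is handled as if no DS existed, so
    answers below it are accepted unvalidated rather than rejected as bogus.
    """
    return {owner: ("secure" if usable_ds(rrset, algs) else "insecure")
            for owner, rrset in ds_rrsets.items()}

if __name__ == "__main__":
    zones = parse_ds(SAMPLE)
    for label, algs in (("without Ed25519", ALGS_WITHOUT_ED25519),
                        ("with Ed25519", ALGS_WITH_ED25519)):
        print(label, classify(zones, algs))
```
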
