[Unbound-users] Not sure if and why DNSSEC not working

Beeblebrox zaphod at berentweb.com
Mon Jun 23 15:50:45 CEST 2014

Using unbound v_1.4.22 on a different LAN IP (my resolv.conf points to
192.168.2.xx as DNS resolver, a VM on the LAN). syslog from unbound
startup shows key & hints files being read. But neither "drill -TD
-k /var/unbound/root.key" nor web-based checks show active DNSSEC (for
example http://dnssec.vs.uni-due.de/ gives "No, your DNS resolver does NOT
validate DNSSEC signatures"). unbound.conf has no forward-zones.

The VM syslog shows:

chdir to /var/unbound
d unbound: [4730:0] debug: drop user privileges, run as unbound
d unbound: [4730:0] debug: module config: "validator iterator"
d unbound: [4730:0] debug: reading autotrust anchor file /var/unbound/root.key
d unbound: [4730:0] debug: validator nsec3cfg keysz 1024 mxiter 150
d unbound: [4730:0] debug: validator nsec3cfg keysz 2048 mxiter 500
d unbound: [4730:0] debug: validator nsec3cfg keysz 4096 mxiter 2500
d unbound: [4730:0] debug: event mini-event-1.4.22 uses not_obtainable method.
d unbound: [4730:0] debug: Reading root hints from /var/unbound/root.hints

Drill was run both on the workstation and from the DNS resolver VM.
drill for google.com gives:

;; Domain: com.
[T] com. 86400 IN DNSKEY 256 3 8 ;{id = 56657 (zsk), size = 1024b}
com. 86400 IN DNSKEY 257 3 8 ;{id = 30909 (ksk), size = 2048b}
[T] Existence denied: google.com. DS
;; No ds record for delegation
;; Domain: google.com.
;; No DNSKEY record found for google.com.

While drill for ip4afrika.nl gives the correct result:

[T] ip4afrika.nl. 7200 IN DS 42364 8 2 af88bf947340253dcf01bcd2406ea0f6d756bd53124ee74446f04129f5db6be7
;; Domain: ip4afrika.nl.
[T] ip4afrika.nl. 3600 IN DNSKEY 257 3 8 ;{id = 42364 (ksk), size = 2048b}
ip4afrika.nl. 3600 IN DNSKEY 256 3 8 ;{id = 33895 (zsk), size = 1024b}
ip4afrika.nl. 3600 IN DNSKEY 256 3 8 ;{id = 19819 (zsk), size = 1024b}
[T] Existence denied: ip4afrika.nl. A
;;[S] self sig OK; [B] bogus; [T] trusted

What am I missing here?
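As an added example (not part of the original post, and not code from unbound or drill), the Python script below parses the [T]/[B]/[S] trust-chain markers that "drill -TD" prints and classifies each zone as secure, insecure or bogus. The sample outputs are constructed from the lines quoted above; the root DNSKEY ids and the DS digest for com. are placeholders, since the post does not show them. The point the parser encodes: a [T] "Existence denied: <zone>. DS" line is a validated NSEC/NSEC3 proof that the parent holds no DS for that zone, so the delegation is insecure (unsigned) rather than bogus, and a validating resolver answers for such a zone without setting the AD bit. Only a [B] marker indicates a validation failure.

```python
"""Classify the trust chain printed by `drill -TD` (added example, not drill's own code)."""
import re
from dataclasses import dataclass

MARKED_RE = re.compile(r"^\[(?P<mark>[STB])\]\s*(?P<rest>.*)$")
RR_RE = re.compile(r"^(?P<owner>\S+)\s+\d+\s+IN\s+(?P<rtype>[A-Z0-9]+)\b")
DENIED_RE = re.compile(r"^Existence denied:\s+(?P<owner>\S+)\s+(?P<rtype>[A-Z0-9]+)$")
NO_DNSKEY_RE = re.compile(r"^;; No DNSKEY record found for (?P<owner>\S+)$")

# Constructed sample modelled on the google.com run quoted in the post; the root
# key ids and the com. DS digest are placeholders, not values from the post.
SAMPLE_UNSIGNED = """\
;; Domain: .
[T] . 172800 IN DNSKEY 257 3 8 ;{id = 11111 (ksk), size = 2048b}
. 172800 IN DNSKEY 256 3 8 ;{id = 22222 (zsk), size = 1024b}
[T] com. 86400 IN DS 30909 8 2 0000000000000000000000000000000000000000000000000000000000000000
;; Domain: com.
[T] com. 86400 IN DNSKEY 256 3 8 ;{id = 56657 (zsk), size = 1024b}
com. 86400 IN DNSKEY 257 3 8 ;{id = 30909 (ksk), size = 2048b}
[T] Existence denied: google.com. DS
;; No ds record for delegation
;; Domain: google.com.
;; No DNSKEY record found for google.com.
;;[S] self sig OK; [B] bogus; [T] trusted
"""

# Constructed sample taken from the ip4afrika.nl lines quoted in the post.
SAMPLE_SIGNED = """\
[T] ip4afrika.nl. 7200 IN DS 42364 8 2 af88bf947340253dcf01bcd2406ea0f6d756bd53124ee74446f04129f5db6be7
;; Domain: ip4afrika.nl.
[T] ip4afrika.nl. 3600 IN DNSKEY 257 3 8 ;{id = 42364 (ksk), size = 2048b}
ip4afrika.nl. 3600 IN DNSKEY 256 3 8 ;{id = 33895 (zsk), size = 1024b}
ip4afrika.nl. 3600 IN DNSKEY 256 3 8 ;{id = 19819 (zsk), size = 1024b}
[T] Existence denied: ip4afrika.nl. A
;;[S] self sig OK; [B] bogus; [T] trusted
"""


@dataclass
class ZoneState:
    trusted_ds: bool = False      # the parent's DS RRset for this zone validated
    trusted_dnskey: bool = False  # this zone's DNSKEY RRset validated
    no_ds_proven: bool = False    # parent proved (NSEC/NSEC3) that no DS exists
    no_dnskey: bool = False       # drill found no DNSKEY RRset in this zone
    bogus: bool = False           # an RRset on the chain failed validation


def parse_drill_chain(output: str) -> dict[str, ZoneState]:
    """Collect per-zone evidence from drill's chain output, keyed by owner name."""
    zones: dict[str, ZoneState] = {}
    mark = None  # marker of the current RRset; unmarked RR lines continue that set
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = NO_DNSKEY_RE.match(line)
        if m:
            zones.setdefault(m["owner"], ZoneState()).no_dnskey = True
            continue
        if line.startswith(";;"):
            continue  # ";; Domain:" headers, notes and the legend carry no RR
        m = MARKED_RE.match(line)
        if m:
            mark, line = m["mark"], m["rest"]
        if mark is None:
            continue
        m = DENIED_RE.match(line)
        if m:
            st = zones.setdefault(m["owner"], ZoneState())
            if mark == "B":
                st.bogus = True
            elif m["rtype"] == "DS" and mark == "T":
                st.no_ds_proven = True  # validated proof of an unsigned delegation
            continue
        m = RR_RE.match(line)
        if not m:
            continue
        st = zones.setdefault(m["owner"], ZoneState())
        if mark == "B":
            st.bogus = True
        elif mark == "T" and m["rtype"] == "DS":
            st.trusted_ds = True
        elif mark == "T" and m["rtype"] == "DNSKEY":
            st.trusted_dnskey = True
    return zones


def classify(zone: str, st: ZoneState) -> str:
    """Map the evidence for one zone to a DNSSEC security status."""
    if st.bogus:
        return "bogus"
    if st.no_ds_proven:
        return "insecure"  # unsigned delegation: no AD bit, but not a failure
    anchored = st.trusted_ds or zone == "."  # the root is anchored by the trust anchor
    if anchored and st.trusted_dnskey:
        return "secure"
    return "indeterminate"


def chain_status(output: str) -> dict[str, str]:
    return {z: classify(z, st) for z, st in parse_drill_chain(output).items()}


if __name__ == "__main__":
    for label, sample in (("google.com", SAMPLE_UNSIGNED), ("ip4afrika.nl", SAMPLE_SIGNED)):
        print(f"{label}: {chain_status(sample)}")
```

Run against the two samples, google.com. comes out "insecure" while "." and com. are "secure", and ip4afrika.nl. comes out "secure"; only a [B] marker on a DNSKEY or DS line yields "bogus".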
