Bug 1067856

Summary: unbound won't answer DNS queries for forged domains
Product: Fedora
Reporter: Pavel Šimerda (pavlix) <psimerda>
Component: unbound
Assignee: Pavel Šimerda (pavlix) <psimerda>
Status: CLOSED UPSTREAM
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: rawhide
CC: pwouters, thozza, vonsch
Target Milestone: ---
Keywords: Reopened
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Last Closed: 2014-06-06 17:57:42 UTC
Type: Bug
Doc Type: Bug Fix

Description Pavel Šimerda (pavlix) 2014-02-21 08:37:31 UTC
When a local application queries Unbound for a domain that is secured by DNSSEC and the answer from the forwarder fails validation, I would expect Unbound to reply with an error. Instead it doesn't reply at all and the application times out.


$ time dig www.rhybar.cz

; <<>> DiG 9.9.3-P2 <<>> www.rhybar.cz
;; global options: +cmd
;; connection timed out; no servers could be reached

real    0m15.024s
user    0m0.000s
sys     0m0.000s


www.rhybar.cz is a testing domain run by CZ.NIC that can be used for checking the client-side behavior when the answers fail DNSSEC validation.

We need to check the RFCs for correct behavior. But a timeout doesn't seem to be a nice solution for local applications and for users.

Comment 1 Tomáš Hozza 2014-02-21 08:58:52 UTC
From what I tested BIND-9.9.4 returns SERVFAIL for the same domain, since
its RRSIG is intentionally wrong.

Comment 2 Paul Wouters 2014-02-21 15:52:39 UTC
I can't reproduce that:

paul@bofh:~$ sudo systemctl restart unbound.service 
paul@bofh:~$ time dig www.rhybar.cz @localhost

; <<>> DiG 9.9.3-rl.13207.22-P2-RedHat-9.9.3-14.P2.fc19 <<>> www.rhybar.cz @localhost
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 10229
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.rhybar.cz.			IN	A

;; Query time: 992 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Feb 21 10:16:41 EST 2014
;; MSG SIZE  rcvd: 42


real	0m1.008s
user	0m0.014s
sys	0m0.002s

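An added check, not part of this bug report or of Unbound's own code, that classifies a dig reply for the CZ.NIC test domain into the behaviours compared above (no reply at all versus an explicit SERVFAIL), so a local resolver can be tested for the same thing. The two sample outputs are constructed from the runs quoted in this report; `check_resolver` assumes `dig` is installed and a resolver on 127.0.0.1.

```python
import re
import subprocess

# Constructed sample: the reporter's run, where Unbound never replied.
TIMEOUT_OUTPUT = """\
; <<>> DiG 9.9.3-P2 <<>> www.rhybar.cz
;; global options: +cmd
;; connection timed out; no servers could be reached
"""

# Constructed sample: the expected reply for a name with a bogus RRSIG.
SERVFAIL_OUTPUT = """\
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 10229
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; Query time: 992 msec
"""

HEADER_RE = re.compile(r"status: (\w+), id: \d+")
FLAGS_RE = re.compile(r"^;; flags: ([a-z ]*);", re.MULTILINE)
QTIME_RE = re.compile(r"Query time: (\d+) msec")

def classify(dig_output):
    """Return (verdict, query_time_ms) for one dig run.

    'timeout'     no reply at all (the behaviour this bug reports)
    'servfail'    explicit failure, what a validating resolver should send
    'validated'   answer carried the AD flag (wrong for a bogus name)
    'unvalidated' answer without AD (resolver is not validating at all)
    """
    if "connection timed out" in dig_output:
        return "timeout", None
    qtime = QTIME_RE.search(dig_output)
    ms = int(qtime.group(1)) if qtime else None
    status = HEADER_RE.search(dig_output)
    if not status:
        return "unknown", ms
    if status.group(1) == "SERVFAIL":
        return "servfail", ms
    flags = FLAGS_RE.search(dig_output)
    if flags and "ad" in flags.group(1).split():
        return "validated", ms
    return "unvalidated", ms

def check_resolver(server="127.0.0.1", name="www.rhybar.cz", timeout=5):
    """Query a live resolver once and classify its reply (needs dig)."""
    cmd = ["dig", f"+time={timeout}", "+tries=1", f"@{server}", name]
    out = subprocess.run(cmd, capture_output=True, text=True).stdout
    return classify(out)

if __name__ == "__main__":
    print(check_resolver())
```

Anything other than `servfail` for this domain means the resolver is either not validating or, as in this report, dropping the query instead of failing it.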
Comment 3 Pavel Šimerda (pavlix) 2014-03-19 10:26:49 UTC
OK, moved upstream with more details about tested version:

https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=566

Comment 4 Pavel Šimerda (pavlix) 2014-06-06 17:15:23 UTC
I would like to track this upstream change getting into Fedora 20.

Comment 5 Pavel Šimerda (pavlix) 2014-06-06 17:57:42 UTC
I'm afraid this is not the bug report I wanted to work with.