NLnetLabs / unbound

Unbound is a validating, recursive, and caching DNS resolver.
https://nlnetlabs.nl/unbound
BSD 3-Clause "New" or "Revised" License

wrong EDE code returned when system time is significantly wrong #877

Open pemensik opened 1 year ago

pemensik commented 1 year ago

**Describe the bug**
When I have a wrong date on the system and ask for a name on a validating resolver, it does not provide a detailed EDE code describing the problem accurately. It says DNSSEC Bogus, whereas there are explicitly defined codes for wrong timestamps in the validation process: one for not yet valid, one for expired. I would expect to see them.

**To reproduce**
Steps to reproduce the behavior:

  1. Set the system date 14 days back (VM suggested)
  2. Start unbound with DNSSEC validation enabled
  3. dig @localhost 2.fedora.pool.ntp.org gives ; EDE: 6 (DNSSEC Bogus), but I would expect EDE code 8 (Signature Not Yet Valid).
  4. dig @localhost +cd 2.fedora.pool.ntp.org returns the correct answer, so this is just a validation problem

**Expected behavior**
I think EDE would tell me whether there was a problem with keys and signatures or just a wrong date used during validation. If the problem is only in the date, please report it so. It might be used by a time synchronization service to do extra workarounds.

System:

Configure line: --build=x86_64-redhat-linux-gnu --host=x86_64-redhat-linux-gnu --program-prefix= --disable-dependency-tracking --prefix=/usr --exec-prefix=/usr --bindir=/usr/bin --sbindir=/usr/sbin --sysconfdir=/etc --datadir=/usr/share --includedir=/usr/include --libdir=/usr/lib64 --libexecdir=/usr/libexec --localstatedir=/var --runstatedir=/run --sharedstatedir=/var/lib --mandir=/usr/share/man --infodir=/usr/share/info --with-pythonmodule --with-pyunbound PYTHON=/usr/bin/python3 --enable-dnstap --with-libnghttp2 --with-libevent --with-pthreads --with-ssl --disable-rpath --disable-static --enable-relro-now --enable-pie --enable-subnet --enable-ipsecmod --with-conf-file=/etc/unbound/unbound.conf --with-pidfile=/run/unbound/unbound.pid --enable-sha2 --disable-gost --enable-ecdsa --with-rootkey-file=/var/lib/unbound/root.key --enable-linux-ip-local-port-range
Linked libs: libevent 2.1.12-stable (it uses epoll), OpenSSL 3.0.8 7 Feb 2023
Linked modules: dns64 python ipsecmod subnetcache respip validator iterator

BSD licensed, see LICENSE in source package for details. Report bugs to unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues
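The distinction the reporter asks for, written out as an added Python example (this is not Unbound's code): it parses the RRSIG line from the dig output in this thread, compares the resolver's clock with the signature's inception and expiration fields, and returns the RFC 8914 Extended DNS Error a resolver could attach to the SERVFAIL: 8 (Signature Not Yet Valid) when the clock is before inception, 7 (Signature Expired) when it is past expiration, and the generic 6 (DNSSEC Bogus) otherwise. The "now" timestamps are constructed for the example, and the function names are my own.

```python
import re
from datetime import datetime, timezone

# Extended DNS Error codes from RFC 8914 that matter for signature validity windows.
EDE_DNSSEC_BOGUS = 6
EDE_SIGNATURE_EXPIRED = 7
EDE_SIGNATURE_NOT_YET_VALID = 8
EDE_NAMES = {
    EDE_DNSSEC_BOGUS: "DNSSEC Bogus",
    EDE_SIGNATURE_EXPIRED: "Signature Expired",
    EDE_SIGNATURE_NOT_YET_VALID: "Signature Not Yet Valid",
}

# RRSIG line copied from the reporter's dig output (signature data omitted there as well).
SAMPLE_RRSIG = (
    "org.            3553    IN  RRSIG   SOA 8 1 3600 20230506234527 "
    "20230415224527 10821 org. [omitted]"
)

# RRSIG presentation format (RFC 4034 section 3.2): type covered, algorithm,
# labels, original TTL, expiration, inception, key tag, signer name, signature.
RRSIG_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?P<ttl>\d+)\s+IN\s+RRSIG\s+(?P<covered>\S+)\s+"
    r"(?P<alg>\d+)\s+(?P<labels>\d+)\s+(?P<orig_ttl>\d+)\s+"
    r"(?P<expiration>\d{14})\s+(?P<inception>\d{14})\s+(?P<keytag>\d+)\s+"
    r"(?P<signer>\S+)"
)


def parse_dns_timestamp(text):
    """Parse a YYYYMMDDHHmmSS RRSIG timestamp as a UTC datetime.

    RFC 4034 stores these on the wire as seconds since the epoch modulo 2^32
    with serial-number arithmetic; this example compares absolute UTC instants
    instead, which gives the same answer for dates before 2106.
    """
    return datetime.strptime(text, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsig_line(line):
    """Split one RRSIG record in dig's presentation format into its fields."""
    m = RRSIG_RE.match(line.strip())
    if not m:
        raise ValueError("not an RRSIG record: %r" % line)
    f = m.groupdict()
    return {
        "owner": f["owner"],
        "covered": f["covered"],
        "algorithm": int(f["alg"]),
        "key_tag": int(f["keytag"]),
        "signer": f["signer"],
        "expiration": parse_dns_timestamp(f["expiration"]),
        "inception": parse_dns_timestamp(f["inception"]),
    }


def signature_time_problem(rrsig, now):
    """Return EDE 8 if now is before inception, EDE 7 if after expiration, else None."""
    if now < rrsig["inception"]:
        return EDE_SIGNATURE_NOT_YET_VALID
    if now > rrsig["expiration"]:
        return EDE_SIGNATURE_EXPIRED
    return None


def ede_for_failed_validation(rrsig_line, now_text):
    """Pick the EDE a validator could attach to a SERVFAIL for this signature.

    now_text uses the same YYYYMMDDHHmmSS (UTC) form as the RRSIG fields.
    A clock outside the validity window gets the specific time code; any other
    reason for the failure falls back to the generic DNSSEC Bogus.
    """
    rrsig = parse_rrsig_line(rrsig_line)
    code = signature_time_problem(rrsig, parse_dns_timestamp(now_text))
    if code is None:
        code = EDE_DNSSEC_BOGUS
    return code, EDE_NAMES[code]


if __name__ == "__main__":
    # Constructed clock: 2023-04-07 05:28:50 UTC, i.e. the reporter's 01:28 EDT,
    # which is before the RRSIG's 2023-04-15 inception.
    print(ede_for_failed_validation(SAMPLE_RRSIG, "20230407052850"))
    # -> (8, 'Signature Not Yet Valid')
```

With the reporter's clock the signature's inception (2023-04-15) lies in the future, so the specific code is 8 rather than 6. A time synchronization service that sees 7 or 8 can distinguish a clock problem from a broken key or signature, which is exactly the workaround the reporter has in mind.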
pemensik commented 1 year ago

What I see is this:

; <<>> DiG 9.18.11 <<>> 2.fedora.pool.ntp.org @localhost
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 48727
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; EDE: 6 (DNSSEC Bogus)
;; QUESTION SECTION:
;2.fedora.pool.ntp.org.     IN  A

;; Query time: 0 msec
;; SERVER: ::1#53(localhost) (UDP)
;; WHEN: Fri Apr 07 01:24:40 EDT 2023
;; MSG SIZE  rcvd: 56

$ date -I
2023-04-07
$ dig +dnssec +cd +nocrypto org

; <<>> DiG 9.18.11 <<>> +dnssec +cd +nocrypto org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34924
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;org.               IN  A

;; AUTHORITY SECTION:
org.            3553    IN  SOA a0.org.afilias-nst.info. hostmaster.donuts.email. 1681602027 7200 900 1209600 3600
org.            3553    IN  RRSIG   SOA 8 1 3600 20230506234527 20230415224527 10821 org. [omitted]
gdtpongmpok61u9lvnipqor8lra9l4t0.org. 3553 IN NSEC3 1 1 0 332539EE7F95C32A GDTREA8KMJ2RNEQEN4M2OGJ26KFSUKJ7 NS SOA RRSIG DNSKEY NSEC3PARAM
gdtpongmpok61u9lvnipqor8lra9l4t0.org. 3553 IN RRSIG NSEC3 8 2 3600 20230506234527 20230415224527 10821 org. [omitted]

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Fri Apr 07 01:28:50 EDT 2023
;; MSG SIZE  rcvd: 528

gthess commented 1 month ago

EDE: 6 (DNSSEC Bogus) is still a correct EDE, although it is not as specific as EDE: 8 (Signature Not Yet Valid). This has to do with when Unbound errors out in the DNSSEC code path. Logging information may reveal more information. I see an explicit testcase for EDE: 8 in the testsuite, so the code is used by Unbound.