DNSSEC Inconsistency with Forwarding #145

Closed
blastagator opened this issue Jan 15, 2020 · 11 comments
@blastagator

I've located a specific domain which produces a strange DNSSEC result with Unbound. The domain is insecure and properly resolves as such when querying 1.1.1.1 directly or allowing Unbound to act as the resolver. However, if Unbound forwards to 1.1.1.1 the resolution fails out. It seems there is some bug in Unbound causing the inconsistency.

Domain: nrsflorida.com

FORWARDER:
When using Unbound as a forwarder to 1.1.1.1, with DNSSEC enabled, dig yields a SERVFAIL. BUT when querying 1.1.1.1 (which is DNSSEC enabled) directly, the domain resolves fine (though without the 'ad' flag).

Console Log:
dig nrsflorida.com +dnssec @192.168.10.2
; <<>> DiG 9.11.5-P4-5.1ubuntu2.1-Ubuntu <<>> nrsflorida.com +dnssec @192.168.10.2
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 63872
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;nrsflorida.com. IN A
;; Query time: 2451 msec
;; SERVER: 192.168.10.2#53(192.168.10.2)
;; WHEN: Wed Jan 15 22:39:33 UTC 2020
;; MSG SIZE rcvd: 43

Unbound Log:
[1579128148] unbound[7354:0] info: 192.168.10.2 nrsflorida.com. A IN
[1579128148] unbound[7354:0] info: resolving nrsflorida.com. A IN
[1579128148] unbound[7354:0] info: response for nrsflorida.com. A IN
[1579128148] unbound[7354:0] info: reply from <.> 1.0.0.1#853
[1579128148] unbound[7354:0] info: query response was CNAME
[1579128148] unbound[7354:0] info: resolving nrsflorida.com. A IN
[1579128148] unbound[7354:0] info: response for nrsflorida.com. A IN
[1579128148] unbound[7354:0] info: reply from <.> 1.1.1.1#853
[1579128148] unbound[7354:0] info: query response was ANSWER
[1579128148] unbound[7354:0] info: prime trust anchor
[1579128148] unbound[7354:0] info: generate keytag query _ta-4f66. NULL IN
[1579128148] unbound[7354:0] info: resolving . DNSKEY IN
[1579128148] unbound[7354:0] info: resolving _ta-4f66. NULL IN
[1579128148] unbound[7354:0] info: response for _ta-4f66. NULL IN
[1579128148] unbound[7354:0] info: reply from <.> 1.0.0.1#853
[1579128148] unbound[7354:0] info: query response was NXDOMAIN ANSWER
[1579128148] unbound[7354:0] info: response for . DNSKEY IN
[1579128148] unbound[7354:0] info: reply from <.> 1.1.1.1#853
[1579128148] unbound[7354:0] info: query response was ANSWER
[1579128148] unbound[7354:0] info: validate keys with anchor(DS): sec_status_secure
[1579128148] unbound[7354:0] info: Successfully primed trust anchor . DNSKEY IN
[1579128148] unbound[7354:0] info: resolving com. DS IN
[1579128148] unbound[7354:0] info: response for com. DS IN
[1579128148] unbound[7354:0] info: reply from <.> 1.1.1.1#853
[1579128148] unbound[7354:0] info: query response was ANSWER
[1579128148] unbound[7354:0] info: validated DS com. DS IN
[1579128148] unbound[7354:0] info: resolving com. DNSKEY IN
[1579128148] unbound[7354:0] info: response for com. DNSKEY IN
[1579128148] unbound[7354:0] info: reply from <.> 1.1.1.1#853
[1579128148] unbound[7354:0] info: query response was ANSWER
[1579128148] unbound[7354:0] info: validated DNSKEY com. DNSKEY IN
[1579128148] unbound[7354:0] info: resolving nrsflorida.com. DS IN
[1579128149] unbound[7354:0] info: response for nrsflorida.com. DS IN
[1579128149] unbound[7354:0] info: reply from <.> 1.0.0.1#853
[1579128149] unbound[7354:0] info: query response was CNAME
[1579128149] unbound[7354:0] info: resolving nrsflorida.com. DS IN
[1579128149] unbound[7354:0] info: response for nrsflorida.com. DS IN
[1579128149] unbound[7354:0] info: reply from <.> 1.0.0.1#853
[1579128149] unbound[7354:0] info: query response was nodata ANSWER
[1579128149] unbound[7354:0] info: resolving nrsflorida.com. DS IN
[1579128149] unbound[7354:0] info: response for nrsflorida.com. DS IN
[1579128149] unbound[7354:0] info: reply from <.> 1.1.1.1#853
[1579128149] unbound[7354:0] info: query response was CNAME
[1579128149] unbound[7354:0] info: resolving nrsflorida.com. DS IN
[1579128149] unbound[7354:0] info: response for nrsflorida.com. DS IN
[1579128149] unbound[7354:0] info: reply from <.> 1.1.1.1#853
[1579128149] unbound[7354:0] info: query response was nodata ANSWER
[1579128149] unbound[7354:0] info: resolving nrsflorida.com. DS IN
[1579128149] unbound[7354:0] info: response for nrsflorida.com. DS IN
[1579128149] unbound[7354:0] info: reply from <.> 1.1.1.1#853
[1579128149] unbound[7354:0] info: query response was CNAME
[1579128149] unbound[7354:0] info: resolving nrsflorida.com. DS IN
[1579128149] unbound[7354:0] info: response for nrsflorida.com. DS IN
[1579128149] unbound[7354:0] info: reply from <.> 1.0.0.1#853
[1579128149] unbound[7354:0] info: query response was nodata ANSWER
[1579128149] unbound[7354:0] info: resolving nrsflorida.com. DS IN
[1579128149] unbound[7354:0] info: response for nrsflorida.com. DS IN
[1579128149] unbound[7354:0] info: reply from <.> 1.0.0.1#853
[1579128149] unbound[7354:0] info: query response was CNAME
[1579128149] unbound[7354:0] info: resolving nrsflorida.com. DS IN
[1579128150] unbound[7354:0] info: response for nrsflorida.com. DS IN
[1579128150] unbound[7354:0] info: reply from <.> 1.1.1.1#853
[1579128150] unbound[7354:0] info: query response was nodata ANSWER
[1579128150] unbound[7354:0] info: resolving nrsflorida.com. DS IN
[1579128150] unbound[7354:0] info: response for nrsflorida.com. DS IN
[1579128150] unbound[7354:0] info: reply from <.> 1.1.1.1#853
[1579128150] unbound[7354:0] info: query response was CNAME
[1579128150] unbound[7354:0] info: resolving nrsflorida.com. DS IN
[1579128150] unbound[7354:0] info: response for nrsflorida.com. DS IN
[1579128150] unbound[7354:0] info: reply from <.> 1.0.0.1#853
[1579128150] unbound[7354:0] info: query response was nodata ANSWER
[1579128150] unbound[7354:0] info: resolving nrsflorida.com. DS IN
[1579128150] unbound[7354:0] info: response for nrsflorida.com. DS IN
[1579128150] unbound[7354:0] info: reply from <.> 1.1.1.1#853
[1579128150] unbound[7354:0] info: query response was CNAME
[1579128150] unbound[7354:0] info: resolving nrsflorida.com. DS IN
[1579128150] unbound[7354:0] info: response for nrsflorida.com. DS IN
[1579128150] unbound[7354:0] info: reply from <.> 1.0.0.1#853
[1579128150] unbound[7354:0] info: query response was nodata ANSWER
[1579128150] unbound[7354:0] info: Could not establish a chain of trust to keys for nrsflorida.com. DNSKEY IN

RESOLVER (not forwarding):
Unbound resolves the domain, though again without the 'ad' flag.

dig nrsflorida.com +dnssec @192.168.10.2
; <<>> DiG 9.11.5-P4-5.1ubuntu2.1-Ubuntu <<>> nrsflorida.com +dnssec @192.168.10.2
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58053
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;nrsflorida.com. IN A
;; ANSWER SECTION:
nrsflorida.com. 3469 IN CNAME imedia-e.nrsforu.com.
imedia-e.nrsforu.com. 3469 IN A 155.188.80.113
;; Query time: 1 msec
;; SERVER: 192.168.10.2#53(192.168.10.2)
;; WHEN: Wed Jan 15 22:36:30 UTC 2020
;; MSG SIZE rcvd: 90

Unbound Log:
[1579128350] unbound[7503:0] info: 192.168.10.2 nrsflorida.com. A IN
[1579128350] unbound[7503:0] info: resolving nrsflorida.com. A IN
[1579128350] unbound[7503:0] info: priming . IN NS
[1579128350] unbound[7503:0] info: response for . NS IN
[1579128350] unbound[7503:0] info: reply from <.> 199.9.14.201#53
[1579128350] unbound[7503:0] info: query response was ANSWER
[1579128350] unbound[7503:0] info: priming successful for . NS IN
[1579128350] unbound[7503:0] info: resolving . DNSKEY IN
[1579128350] unbound[7503:0] info: response for nrsflorida.com. A IN
[1579128350] unbound[7503:0] info: reply from <.> 192.36.148.17#53
[1579128350] unbound[7503:0] info: query response was REFERRAL
[1579128350] unbound[7503:0] info: resolving com. DNSKEY IN
[1579128350] unbound[7503:0] info: response for . DNSKEY IN
[1579128350] unbound[7503:0] info: reply from <.> 192.58.128.30#53
[1579128350] unbound[7503:0] info: query response was ANSWER
[1579128350] unbound[7503:0] info: response for com. DNSKEY IN
[1579128350] unbound[7503:0] info: reply from <com.> 192.48.79.30#53
[1579128350] unbound[7503:0] info: query response was ANSWER
[1579128351] unbound[7503:0] info: response for nrsflorida.com. A IN
[1579128351] unbound[7503:0] info: reply from <com.> 192.42.93.30#53
[1579128351] unbound[7503:0] info: query response was REFERRAL
[1579128351] unbound[7503:0] info: response for nrsflorida.com. A IN
[1579128351] unbound[7503:0] info: reply from <nrsflorida.com.> 155.188.176.1#53
[1579128351] unbound[7503:0] info: query response was CNAME
[1579128351] unbound[7503:0] info: resolving nrsflorida.com. A IN
[1579128351] unbound[7503:0] info: resolving com. DNSKEY IN
[1579128351] unbound[7503:0] info: response for nrsflorida.com. A IN
[1579128351] unbound[7503:0] info: reply from <com.> 192.55.83.30#53
[1579128351] unbound[7503:0] info: query response was REFERRAL
[1579128351] unbound[7503:0] info: response for nrsflorida.com. A IN
[1579128351] unbound[7503:0] info: reply from <nrsforu.com.> 155.188.67.1#53
[1579128351] unbound[7503:0] info: query response was ANSWER
[1579128351] unbound[7503:0] info: prime trust anchor
[1579128351] unbound[7503:0] info: generate keytag query _ta-4f66. NULL IN
[1579128351] unbound[7503:0] info: resolving . DNSKEY IN
[1579128351] unbound[7503:0] info: validate keys with anchor(DS): sec_status_secure
[1579128351] unbound[7503:0] info: Successfully primed trust anchor . DNSKEY IN
[1579128351] unbound[7503:0] info: resolving _ta-4f66. NULL IN
[1579128351] unbound[7503:0] info: validated DS com. DS IN
[1579128351] unbound[7503:0] info: resolving . DNSKEY IN
[1579128351] unbound[7503:0] info: resolving com. DNSKEY IN
[1579128351] unbound[7503:0] info: validated DNSKEY com. DNSKEY IN
[1579128351] unbound[7503:0] info: NSEC3s for the referral proved no DS.
[1579128351] unbound[7503:0] info: Verified that unsigned response is INSECURE
[1579128351] unbound[7503:0] info: NSEC3s for the referral proved no DS.
[1579128351] unbound[7503:0] info: Verified that unsigned response is INSECURE
[1579128351] unbound[7503:0] info: response for _ta-4f66. NULL IN
[1579128351] unbound[7503:0] info: reply from <.> 202.12.27.33#53
[1579128351] unbound[7503:0] info: query response was NXDOMAIN ANSWER

@ralphdolmans
Contributor

ralphdolmans commented Jan 15, 2020

This does not seem to be a bug in Unbound.
1.1.1.1 does not return records to prove that the domain is insecure:

; <<>> DiG 9.11.3-1ubuntu1.11-Ubuntu <<>> ds nrsflorida.com @1.1.1.1 +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63371
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1452
;; QUESTION SECTION:
;nrsflorida.com.			IN	DS

;; ANSWER SECTION:
nrsflorida.com.		298	IN	CNAME	imedia-n.nrsforu.com.

;; AUTHORITY SECTION:
nrsforu.com.		300	IN	SOA	nns1a.nationwide.com. dns-admin.nationwide.com. 192 10800 3600 2592000 300

;; Query time: 122 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Thu Jan 16 00:27:38 CET 2020
;; MSG SIZE  rcvd: 145

And therefore Unbound has to treat this as DNSSEC bogus.

My best bet is that the (not allowed) CNAME on the nrsflorida.com apex confuses 1.1.1.1 and overrides the DS from the parent.

@ralphdolmans ralphdolmans self-assigned this Jan 15, 2020
@blastagator
Author

So basically a combo of an improperly configured upstream DNS and improperly configured domain? I did some testing using two other upstream addresses to forward to. Using Google (8.8.4.4) yields a proper insecure resolve, but using OpenDNS (208.67.222.222) gives a SERVFAIL.

What would you suggest, both opening a ticket with the Cloudflare folks and yelling at the website?

@ralphdolmans
Contributor

> What would you suggest, both opening a ticket with the Cloudflare folks and yelling at the website?

Yes, I think that would be the best approach. In the end the nrsflorida.com nameserver is just wrong, but it would be nice to inform the Cloudflare people about this peculiarity.

@spirillen

I can't reproduce this either, with 1.9.5.

cat /etc/unbound/conf.d/forward.conf
forward-zone:
        name: "nrsflorida.com"
        forward-addr: 1.1.1.1@853
        forward-tls-upstream: yes

Alternatives:

forward-zone:
        name: "nrsflorida.com"
        forward-addr: 95.216.209.53@53
        forward-addr: 127.0.0.1@53

Dig:

dig nrsflorida.com +dnssec @127.0.0.53

; <<>> DiG 9.14.9-Ubuntu <<>> +nocookie nrsflorida.com +dnssec @127.0.0.53
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 361
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;nrsflorida.com.                        IN      A

;; ANSWER SECTION:
nrsflorida.com.         300     IN      CNAME   imedia-e.nrsforu.com.
imedia-e.nrsforu.com.   300     IN      A       155.188.80.113

;; Query time: 0 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Thu Jan 16 01:44:58 CET 2020
;; MSG SIZE  rcvd: 90

So as @ralphdolmans says, check the middleman.

@blastagator
Author

Interesting. I can reproduce on two boxes. The first is my router running pfSense (which I think is v1.9.1 of Unbound) and the second is a VM on 1.9.0 on Ubuntu 19.10 (the latest version in their repo). Sorry, should have said that in the OP.

I'll look into putting the latest version on my Ubuntu box and seeing what happens. Thanks for the additional input.

@spirillen

Here is the compile code I use on Ubuntu 19.10 :)

https://gitlab.com/rpz-zones/toolbox/issues/18#configure-options

@ralphdolmans
Contributor

No need to test different Unbound versions. As said before, you (sometimes) don't get the correct answer for the DS query from the server you are forwarding to.

It seems to be the case when Cloudflare has the CNAME for the apex in the cache, but that is not Unbound related.

I am closing this issue since the extra comments are mainly leading to confusion. Feel free to reopen after reaching out to the other parties.

@spirillen

I'm sorry but it wasn't my intention.

@blastagator
Author

blastagator commented Jan 16, 2020

I installed the latest version of Unbound and it turns out that 1.9.6 actually resolves fine. Must be some funky mashup of version 1.9.0 + Cloudflare + improperly configured domain.

Which, I guess, is to say: if it should be returning a bogus result based on what 1.1.1.1 is sending for this domain, there is now a bug in the new version of Unbound.

@ralphdolmans
Contributor

It is not Unbound version dependent. The server you are forwarding to does not always give the same reply for the DS query.

@blastagator
Author

You're right. I literally just caught it misbehaving on two digs in a row (first gives correct result, 2nd gives incomplete result). I put in a ticket with Cloudflare. Thanks all for the help!!!

greg@vm-media-server:~$ dig ds nrsflorida.com @1.1.1.1 +dnssec

; <<>> DiG 9.11.5-P4-5.1ubuntu2.1-Ubuntu <<>> ds nrsflorida.com @1.1.1.1 +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31216
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1452
;; QUESTION SECTION:
;nrsflorida.com. IN DS

;; AUTHORITY SECTION:
ck0pojmg874ljref7efn8430qvit8bsm.com. 86317 IN NSEC3 1 1 0 - CK0Q1GIN43N1ARRC9OSM6QPQR81H5M9A NS SOA RRSIG DNSKEY NSEC3PARAM
ck0pojmg874ljref7efn8430qvit8bsm.com. 86317 IN RRSIG NSEC3 8 2 86400 20200122054915 20200115043915 12163 com. FNlrPrqpKfVHKASgkcTgT29br3HmpcXgRzMcdX4Ctkbi1zE22CbnfCTh SjAoyiUDjN5IJ+oGTKuTEjfMIFAEgjUW8b2xVYlmGCiEtrapua407X2t Dw3Dtkn4d5EGYjFORD32d9+gBVGkOEiimWZvL4uCH2gUy/uBPW1PLJAS NQNt45Eu6uTLVDvptAmn5uc2MbRvpkEHr6dsmB587FJQsw==
com. 817 IN SOA a.gtld-servers.net. nstld.verisign-grs.com. 1579193389 1800 900 604800 86400
com. 817 IN RRSIG SOA 8 1 900 20200123164949 20200116153949 56311 com. F1vZjUvIyYv5mEllY/1vb30HJ4RH5KdodegY0UexUch+XpAn+PsXDMvr M/kVgG95xyAayOy0OWWzcefZRL054x4ekUP2RCJ23w8tyefqjf3CMR3f p5c6lh+RVBN8MQATllXSGwzwRBuSOk3AxcExh7+nAdotKz56iN09JH3U aYj3OYb2VlwCoFeL/JhQ2/Ud1utAcCwdzrzVOBp7DgCXVg==
jkfof4fpn5ckpe8ljlkhk5442trbcj5b.com. 86317 IN NSEC3 1 1 0 - JKFQ08B9TDOVJQ5FDIPSG7DGJPUMDNR7 NS DS RRSIG
jkfof4fpn5ckpe8ljlkhk5442trbcj5b.com. 86317 IN RRSIG NSEC3 8 2 86400 20200121053649 20200114042649 12163 com. WnacUry+f1jRkCbxumdCqh9Z31OLzXOxnd3P7slfiwu7Mrm+xCZGE34N KNsRTujhWPzh9ZyeMAreUNYvZ0kJbM5UVL/0BoU4XBD5eCSWBtcf7kPM R+NrCwY2L86LAEJpWaf930dItTSmbo9eJmtw57rNwsWqNERF4fmP267T t+axpwsYLdfpO/3pVgoIDVxQfxWfM2pmJj6EIL7RC6W9Og==

;; Query time: 16 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Thu Jan 16 16:51:26 UTC 2020
;; MSG SIZE rcvd: 863

greg@vm-media-server:~$ dig ds nrsflorida.com @1.1.1.1 +dnssec

; <<>> DiG 9.11.5-P4-5.1ubuntu2.1-Ubuntu <<>> ds nrsflorida.com @1.1.1.1 +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29609
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1452
;; QUESTION SECTION:
;nrsflorida.com. IN DS

;; ANSWER SECTION:
nrsflorida.com. 295 IN CNAME imedia-e.nrsforu.com.

;; AUTHORITY SECTION:
nrsforu.com. 300 IN SOA nns1a.nationwide.com. dns-admin.nationwide.com. 192 10800 3600 2592000 300

;; Query time: 57 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Thu Jan 16 16:51:45 UTC 2020
;; MSG SIZE rcvd: 145
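The two replies above differ in exactly the way @ralphdolmans describes earlier in the thread: the first carries NSEC3 records in the AUTHORITY section with which a validator can prove the com. zone holds no DS for nrsflorida.com (so the delegation is provably insecure), while the second answers the DS question with the child's apex CNAME and a nrsforu.com SOA, which proves nothing about the delegation and leaves the chain of trust broken. The following Python script is an added example, not code from this issue or from the Unbound project: it parses dig-style text output for a DS query and classifies the reply the way a validating forwarder must, so the same check can be run against a forwarder repeatedly to catch the intermittent behaviour reported here. The function and class names (parse_dig, classify_ds_response, expected_rcode, DigResponse) are mine; the two sample replies are reconstructed from the dig output quoted above with the RRSIG data shortened. Only the shape of the reply is examined; a real validator additionally hashes names against the NSEC3 records and verifies the RRSIGs.

```python
"""Classify a forwarder's DS reply the way a validating resolver must.

Added example (not from the Unbound issue or project). Only the shape of the
reply is checked; a real validator also hashes names and verifies RRSIGs.
"""
import re
from dataclasses import dataclass


@dataclass
class DigResponse:
    status: str          # RCODE taken from dig's header line
    qname: str           # owner name from the QUESTION section
    answer: list         # (owner, rtype, rdata) tuples
    authority: list      # (owner, rtype, rdata) tuples


HEADER_RE = re.compile(r"status: (\w+)")
SECTION_RE = re.compile(r"^;; (\w+) SECTION:")


def parse_dig(text):
    """Parse dig text output; ';;' lines are dig commentary, ';name ...' is the question."""
    status, qname, current = None, None, None
    sections = {"ANSWER": [], "AUTHORITY": []}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(";; ->>HEADER<<-"):
            m = HEADER_RE.search(line)
            status = m.group(1) if m else None
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            continue
        if not line or line.startswith(";;"):
            continue
        if line.startswith(";"):                 # e.g. ";nrsflorida.com. IN DS"
            if current == "QUESTION":
                qname = line[1:].split()[0].lower()
            continue
        if current in sections:
            parts = line.split(None, 4)          # owner ttl class type rdata
            if len(parts) >= 4:
                rdata = parts[4] if len(parts) == 5 else ""
                sections[current].append((parts[0].lower(), parts[3].upper(), rdata))
    return DigResponse(status, qname, sections["ANSWER"], sections["AUTHORITY"])


def classify_ds_response(resp):
    """What a validator can conclude about the delegation from this DS reply."""
    if any(o == resp.qname and t == "DS" for o, t, _ in resp.answer):
        return "secure", "DS RRset present: the parent signs this delegation"
    denial = sorted({t for _, t, _ in resp.authority if t in ("NSEC", "NSEC3")})
    if denial:
        return "insecure", f"{'/'.join(denial)} in AUTHORITY can prove the parent has no DS"
    kinds = sorted({t for _, t, _ in resp.answer}) or ["nothing"]
    return "indeterminate", f"reply carries {', '.join(kinds)} instead of a DS or a denial proof"


def expected_rcode(resp):
    """RCODE a validating forwarder such as Unbound has to return to its client."""
    state, _ = classify_ds_response(resp)
    # Without a DS and without proof that none exists, the chain of trust can
    # neither be continued nor safely abandoned, so the answer is bogus.
    return "NOERROR" if state in ("secure", "insecure") else "SERVFAIL"


# Constructed from the two 1.1.1.1 replies quoted in the issue; RRSIG data shortened.
REPLY_WITH_PROOF = """
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31216
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 1
;; QUESTION SECTION:
;nrsflorida.com. IN DS

;; AUTHORITY SECTION:
ck0pojmg874ljref7efn8430qvit8bsm.com. 86317 IN NSEC3 1 1 0 - CK0Q1GIN43N1ARRC9OSM6QPQR81H5M9A NS SOA RRSIG DNSKEY NSEC3PARAM
ck0pojmg874ljref7efn8430qvit8bsm.com. 86317 IN RRSIG NSEC3 8 2 86400 20200122054915 20200115043915 12163 com. FNlr...
com. 817 IN SOA a.gtld-servers.net. nstld.verisign-grs.com. 1579193389 1800 900 604800 86400
com. 817 IN RRSIG SOA 8 1 900 20200123164949 20200116153949 56311 com. F1vZ...
jkfof4fpn5ckpe8ljlkhk5442trbcj5b.com. 86317 IN NSEC3 1 1 0 - JKFQ08B9TDOVJQ5FDIPSG7DGJPUMDNR7 NS DS RRSIG
jkfof4fpn5ckpe8ljlkhk5442trbcj5b.com. 86317 IN RRSIG NSEC3 8 2 86400 20200121053649 20200114042649 12163 com. Wnac...
"""

REPLY_WITH_CNAME = """
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29609
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;nrsflorida.com. IN DS

;; ANSWER SECTION:
nrsflorida.com. 295 IN CNAME imedia-e.nrsforu.com.

;; AUTHORITY SECTION:
nrsforu.com. 300 IN SOA nns1a.nationwide.com. dns-admin.nationwide.com. 192 10800 3600 2592000 300
"""

if __name__ == "__main__":
    for name, text in (("reply 1", REPLY_WITH_PROOF), ("reply 2", REPLY_WITH_CNAME)):
        resp = parse_dig(text)
        state, why = classify_ds_response(resp)
        print(f"{name}: {state} -> client sees {expected_rcode(resp)} ({why})")
```

Run against live output by piping `dig ds <zone> @<forwarder> +dnssec` into parse_dig; a forwarder that alternates between "insecure" and "indeterminate" for the same zone, as 1.1.1.1 does here, is what produces the intermittent SERVFAIL seen by the reporter.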
