Recursive resolver not setting ad bit -- unbound does. #26
Description
There's going to be a lot of logs in this post. In summary, running hsd with --rs-no-unbound fails to verify the subdomain sebastian.rasor whereas the unbound resolver does verify it:
Invalid RRSIGs.
Queries
--rs-no-unbound
--> dig @127.0.0.1 -p 5350 sebastian.rasor +dnssec
; <<>> DiG 9.16.10 <<>> @127.0.0.1 -p 5350 sebastian.rasor +dnssec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45053
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
; COOKIE: 1743cb239b9132f9 (echoed)
;; QUESTION SECTION:
;sebastian.rasor. IN A
;; ANSWER SECTION:
sebastian.rasor. 300 IN A 45.77.111.169
sebastian.rasor. 300 IN RRSIG A 8 2 300 20210311024641 20210209024641 3381 sebastian.rasor. Ipwqf6t2UuDuR2ygVidSiWCXvK6XB/D9AzWv0AFIzGEvd7iQaItOa1tm uXUK9DWtMwClZfBbxl10c3hMhdFZgHLWkXRCLiWgOcPlKyOekMFf+Dh8 zElNS6UEji5NV7vP2FCYbzAhweEsIJE28v9ofhHOZSVGsaRpQDeXnAif 5IEeFzA666QUE61xkShkTFOcrjwhdlq074lXpIOP2PyUBCK8ESwdn/kp 8ZFj5VCDgyHf9nTsfmSIpKYaL/s1jts6mRZhMCFlXGtRnE+ocj9LsGWa Ds6y8TKVDf3ZYPls17xgiBsTybL5PYkJgZzRrrc78F7avr7oa0mhxtZn qYAjvQ==
;; SIG0 PSEUDOSECTION:
. 0 ANY SIG 0 253 0 0 20210209101345 20210208221345 15350 . +zVVjI0QbVXeRCY/ojd0tx+Ekkof4o+OCWLDHfD4h1MWjVC3It5+ItJL ZN1NeGA/iW7RjcCUVlCOfjX1UKESzQ==
;; Query time: 69 msec
;; SERVER: 127.0.0.1#5350(127.0.0.1)
;; WHEN: Mon Feb 08 23:13:45 EST 2021
;; MSG SIZE rcvd: 454
with unbound
--> dig @127.0.0.1 -p 5350 sebastian.rasor +dnssec
; <<>> DiG 9.16.10 <<>> @127.0.0.1 -p 5350 sebastian.rasor +dnssec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 182
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
; COOKIE: d46ce3a95f53a17f (echoed)
;; QUESTION SECTION:
;sebastian.rasor. IN A
;; ANSWER SECTION:
sebastian.rasor. 300 IN A 45.77.111.169
sebastian.rasor. 300 IN RRSIG A 8 2 300 20210311024641 20210209024641 3381 sebastian.rasor. Ipwqf6t2UuDuR2ygVidSiWCXvK6XB/D9AzWv0AFIzGEvd7iQaItOa1tm uXUK9DWtMwClZfBbxl10c3hMhdFZgHLWkXRCLiWgOcPlKyOekMFf+Dh8 zElNS6UEji5NV7vP2FCYbzAhweEsIJE28v9ofhHOZSVGsaRpQDeXnAif 5IEeFzA666QUE61xkShkTFOcrjwhdlq074lXpIOP2PyUBCK8ESwdn/kp 8ZFj5VCDgyHf9nTsfmSIpKYaL/s1jts6mRZhMCFlXGtRnE+ocj9LsGWa Ds6y8TKVDf3ZYPls17xgiBsTybL5PYkJgZzRrrc78F7avr7oa0mhxtZn qYAjvQ==
;; SIG0 PSEUDOSECTION:
. 0 ANY SIG 0 253 0 0 20210209101400 20210208221400 15350 . DIfBb2KgnM0zFbZG2EtY3e/w73Cj7ktlqC4+iwZYDdBibg0FqJ7BR3V0 6v/On4WDWl7Z/4DdoYtkuKc6omKt9A==
;; Query time: 95 msec
;; SERVER: 127.0.0.1#5350(127.0.0.1)
;; WHEN: Mon Feb 08 23:14:00 EST 2021
;; MSG SIZE rcvd: 454
Logs --rs-no-unbound
[D:2021-02-09T04:13:45Z] (rs) Querying sebastian.rasor. (A).
[D:2021-02-09T04:13:45Z] (rs) Switching authority: hints.local.
[D:2021-02-09T04:13:45Z] (rs) Switching zone: [.]
[D:2021-02-09T04:13:45Z] (rs) Querying server: 127.0.0.1 (32414) (tcp=false)
[S:2021-02-09T04:13:45Z] (ns) DNS Request:
[S:2021-02-09T04:13:45Z] (ns) ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32414
[S:2021-02-09T04:13:45Z] (ns) ;; flags: ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
[S:2021-02-09T04:13:45Z] (ns)
[S:2021-02-09T04:13:45Z] (ns) ;; OPT PSEUDOSECTION:
[S:2021-02-09T04:13:45Z] (ns) ; EDNS: version: 0, flags: do; udp: 4096
[S:2021-02-09T04:13:45Z] (ns) ;; QUESTION SECTION:
[S:2021-02-09T04:13:45Z] (ns) ;sebastian.rasor. IN A
[S:2021-02-09T04:13:45Z] (ns)
[S:2021-02-09T04:13:45Z] (ns) ;; MSG SIZE rcvd: 44
[S:2021-02-09T04:13:45Z] (ns) DNS Response:
[S:2021-02-09T04:13:45Z] (ns) ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32414
[S:2021-02-09T04:13:45Z] (ns) ;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 2
[S:2021-02-09T04:13:45Z] (ns)
[S:2021-02-09T04:13:45Z] (ns) ;; OPT PSEUDOSECTION:
[S:2021-02-09T04:13:45Z] (ns) ; EDNS: version: 0, flags: do; udp: 4096
[S:2021-02-09T04:13:45Z] (ns) ;; QUESTION SECTION:
[S:2021-02-09T04:13:45Z] (ns) ;sebastian.rasor. IN A
[S:2021-02-09T04:13:45Z] (ns)
[S:2021-02-09T04:13:45Z] (ns) ;; AUTHORITY SECTION:
[S:2021-02-09T04:13:45Z] (ns) rasor. 21600 IN NS ns1.rasor.
[S:2021-02-09T04:13:45Z] (ns) rasor. 21600 IN DS 28654 8 2 8C5D881B7650C12FDB10BB9A6FAE3BF51DF47961F68D003EE17AA8E7 9F22BF83 ; alg = RSASHA256 ; hash = SHA256
[S:2021-02-09T04:13:45Z] (ns) rasor. 10800 IN RRSIG DS 13 1 21600 20220209041345 20210208041345 60944 . UmHpuZ/4RyvRziwNBHzDgXBSeHWWMDEIYRLp9emtiH1dsdwVd3iAmABk LCExWf6qm9Fsj9vimhhrNW20m79zTA== ; alg = ECDSAP256SHA256
[S:2021-02-09T04:13:45Z] (ns)
[S:2021-02-09T04:13:45Z] (ns) ;; ADDITIONAL SECTION:
[S:2021-02-09T04:13:45Z] (ns) ns1.rasor. 21600 IN A 45.77.111.169
[S:2021-02-09T04:13:45Z] (ns)
[S:2021-02-09T04:13:45Z] (ns) ;; MSG SIZE rcvd: 250
[D:2021-02-09T04:13:45Z] (rs) Verifying zone change to [.]
[D:2021-02-09T04:13:45Z] (rs) Checking signatures...
[D:2021-02-09T04:13:45Z] (rs) Querying server: 127.0.0.1 (55484) (tcp=false)
[S:2021-02-09T04:13:45Z] (ns) DNS Request:
[S:2021-02-09T04:13:45Z] (ns) ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55484
[S:2021-02-09T04:13:45Z] (ns) ;; flags: ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
[S:2021-02-09T04:13:45Z] (ns)
[S:2021-02-09T04:13:45Z] (ns) ;; OPT PSEUDOSECTION:
[S:2021-02-09T04:13:45Z] (ns) ; EDNS: version: 0, flags: do; udp: 4096
[S:2021-02-09T04:13:45Z] (ns) ;; QUESTION SECTION:
[S:2021-02-09T04:13:45Z] (ns) ;. IN DNSKEY
[S:2021-02-09T04:13:45Z] (ns)
[S:2021-02-09T04:13:45Z] (ns) ;; MSG SIZE rcvd: 28
[S:2021-02-09T04:13:45Z] (ns) DNS Response:
[S:2021-02-09T04:13:45Z] (ns) ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55484
[S:2021-02-09T04:13:45Z] (ns) ;; flags: qr aa; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
[S:2021-02-09T04:13:45Z] (ns)
[S:2021-02-09T04:13:45Z] (ns) ;; OPT PSEUDOSECTION:
[S:2021-02-09T04:13:45Z] (ns) ; EDNS: version: 0, flags: do; udp: 4096
[S:2021-02-09T04:13:45Z] (ns) ;; QUESTION SECTION:
[S:2021-02-09T04:13:45Z] (ns) ;. IN DNSKEY
[S:2021-02-09T04:13:45Z] (ns)
[S:2021-02-09T04:13:45Z] (ns) ;; ANSWER SECTION:
[S:2021-02-09T04:13:45Z] (ns) . 10800 IN DNSKEY 257 3 13 T9cURJ2M/Mz9q6UsZNY+Ospyvj+Uv+tgrrWkLtPQwgU/Xu5Yk0l02Sn5 ua2xAQfEYIzRO6v5iA+BejMeEwNP4Q== ; KSK ; alg = ECDSAP256SHA256 ; key id = 35215
[S:2021-02-09T04:13:45Z] (ns) . 10800 IN DNSKEY 256 3 13 I5nPs6clFa1gnwn9IpVDGdJLfEONzgD1NcfuEwEIVuIoHdZGgvVblsLN bRO+spW3nQYHg92svhy1HOjTiFBIsQ== ; ZSK ; alg = ECDSAP256SHA256 ; key id = 60944
[S:2021-02-09T04:13:45Z] (ns) . 10800 IN RRSIG DNSKEY 13 0 10800 20220209041345 20210208041345 35215 . z5XC4Q/6ryOkAcHyGHQ/O5B0sqBuTs73hgHGVh2JqHhomIx6YtrvkPsD czvZYft74nN6PWRC59bDQg9UOwxDJA== ; alg = ECDSAP256SHA256
[S:2021-02-09T04:13:45Z] (ns)
[S:2021-02-09T04:13:45Z] (ns) ;; MSG SIZE rcvd: 280
[D:2021-02-09T04:13:45Z] (rs) Validated DNSSEC signatures.
[D:2021-02-09T04:13:45Z] (rs) Switching authority: ns1.rasor.
[D:2021-02-09T04:13:45Z] (rs) Switching zone: [.->rasor.]
[D:2021-02-09T04:13:45Z] (rs) Querying server: 45.77.111.169 (26868) (tcp=false)
[D:2021-02-09T04:13:45Z] (rs) Verifying zone change to [rasor.]
[D:2021-02-09T04:13:45Z] (rs) Checking signatures...
[D:2021-02-09T04:13:45Z] (rs) Querying server: 45.77.111.169 (18276) (tcp=false)
[D:2021-02-09T04:13:45Z] (rs) Invalid RRSIGs.
[D:2021-02-09T04:13:45Z] (rs) Trust chain broken due to lack of child verification.
[D:2021-02-09T04:13:45Z] (rs) Traversed zones: ., rasor. for sebastian.rasor. (A).
[D:2021-02-09T04:13:45Z] (rs) Finishing resolving sebastian.rasor. (A) (hops=1).