
Unbound reports DNSSEC validation failure for nonexistent subdomains of .bit domains

Open • JeremyRand opened this issue 6 years ago • 1 comment

Whenever I use q to query Unbound for a nonexistent subdomain of a .bit domain (e.g. the www.bluishcoder.bit subdomain, which doesn't exist while bluishcoder.bit does exist), I get SERVFAIL instead of NXDOMAIN. ncdns itself does correctly return NXDOMAIN.

The following shows up in Unbound's systemd logs when verbosity is set to 2 (the log is for looking up TLSA records in _443._tcp.bluishcoder.bit):

Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: resolving _443._tcp.bluishcoder.bit. TLSA IN
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: use stub bit. NS IN
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: resolving bit. DNSKEY IN
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: response for _443._tcp.bluishcoder.bit. TLSA IN
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: reply from <bit.> 127.0.0.1#5391
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: query response was ANSWER
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: response for _443._tcp.bluishcoder.bit. TLSA IN
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: reply from <bit.> 127.0.0.1#5391
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: query response was DNSSEC LAME
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: response for _443._tcp.bluishcoder.bit. TLSA IN
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: reply from <bit.> 127.0.0.1#5391
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: query response was NXDOMAIN ANSWER
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: resolving bluishcoder.bit. DS IN
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: use stub bit. NS IN
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: response for bluishcoder.bit. DS IN
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: reply from <bit.> 127.0.0.1#5391
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: query response was nodata ANSWER
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: NSEC3s for the referral proved no delegation
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: resolving _tcp.bluishcoder.bit. DS IN
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: use stub bit. NS IN
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: response for _tcp.bluishcoder.bit. DS IN
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: reply from <bit.> 127.0.0.1#5391
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: query response was ANSWER
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: resolving bluishcoder.bit. NS IN
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: use stub bit. NS IN
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: response for bluishcoder.bit. NS IN
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: reply from <bit.> 127.0.0.1#5391
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: query response was ANSWER
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: response for bluishcoder.bit. NS IN
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: reply from <bit.> 127.0.0.1#5391
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: query response was nodata ANSWER
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: response for _tcp.bluishcoder.bit. DS IN
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: reply from <bit.> 127.0.0.1#5391
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: query response was DNSSEC LAME
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: response for _tcp.bluishcoder.bit. DS IN
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: reply from <bit.> 127.0.0.1#5391
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: query response was NXDOMAIN ANSWER
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: resolving _tcp.bluishcoder.bit. DS IN
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: use stub bit. NS IN
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: response for _tcp.bluishcoder.bit. DS IN
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: reply from <bit.> 127.0.0.1#5391
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: query response was ANSWER
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: resolving bluishcoder.bit. NS IN
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: response for _tcp.bluishcoder.bit. DS IN
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: reply from <bit.> 127.0.0.1#5391
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: query response was DNSSEC LAME
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: response for _tcp.bluishcoder.bit. DS IN
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: reply from <bit.> 127.0.0.1#5391
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: query response was NXDOMAIN ANSWER
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: resolving _tcp.bluishcoder.bit. DS IN
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: use stub bit. NS IN
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: response for _tcp.bluishcoder.bit. DS IN
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: reply from <bit.> 127.0.0.1#5391
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: query response was ANSWER
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: resolving bluishcoder.bit. NS IN
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: response for _tcp.bluishcoder.bit. DS IN
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: reply from <bit.> 127.0.0.1#5391
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: query response was DNSSEC LAME
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: response for _tcp.bluishcoder.bit. DS IN
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: reply from <bit.> 127.0.0.1#5391
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: query response was NXDOMAIN ANSWER
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: resolving _tcp.bluishcoder.bit. DS IN
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: use stub bit. NS IN
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: response for _tcp.bluishcoder.bit. DS IN
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: reply from <bit.> 127.0.0.1#5391
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: query response was ANSWER
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: resolving bluishcoder.bit. NS IN
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: response for _tcp.bluishcoder.bit. DS IN
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: reply from <bit.> 127.0.0.1#5391
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: query response was DNSSEC LAME
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: response for _tcp.bluishcoder.bit. DS IN
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: reply from <bit.> 127.0.0.1#5391
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: query response was NXDOMAIN ANSWER
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: resolving _tcp.bluishcoder.bit. DS IN
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: use stub bit. NS IN
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: response for _tcp.bluishcoder.bit. DS IN
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: reply from <bit.> 127.0.0.1#5391
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: query response was ANSWER
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: resolving bluishcoder.bit. NS IN
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: response for _tcp.bluishcoder.bit. DS IN
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: reply from <bit.> 127.0.0.1#5391
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: query response was DNSSEC LAME
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: response for _tcp.bluishcoder.bit. DS IN
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: reply from <bit.> 127.0.0.1#5391
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: query response was NXDOMAIN ANSWER
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: resolving _tcp.bluishcoder.bit. DS IN
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: use stub bit. NS IN
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: response for _tcp.bluishcoder.bit. DS IN
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: reply from <bit.> 127.0.0.1#5391
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: query response was ANSWER
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: resolving bluishcoder.bit. NS IN
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: response for _tcp.bluishcoder.bit. DS IN
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: reply from <bit.> 127.0.0.1#5391
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: query response was DNSSEC LAME
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: response for _tcp.bluishcoder.bit. DS IN
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: reply from <bit.> 127.0.0.1#5391
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: query response was NXDOMAIN ANSWER
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: Could not establish a chain of trust to keys for _tcp.bluishcoder.bit. DNSKEY IN
Feb 09 01:58:38 namecoin-qa-fedora unbound[27625]: [27625:2] info: validation failure _443._tcp.bluishcoder.bit. TLSA IN

This happens for the following environments:

  • ncdns v0.0.6 in Fedora, DNSSEC configured manually
  • ncdns v0.0.8 in Fedora, DNSSEC configured manually
  • ncdns-nsis v0.0.8 in Windows, DNSSEC configured by NSIS

I wouldn't be surprised if this is a madns bug rather than an ncdns bug, but as I can't prove that I'm posting the issue in the ncdns repo.

JeremyRand, Feb 09 '19 08:02
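To make the pattern in the log above easier to spot, here is an added Python helper (not part of ncdns, madns or the issue) that pairs each Unbound "response for" line with its "query response was" verdict and flags names whose answer was classified DNSSEC LAME before coming back NXDOMAIN, which is what precedes the chain-of-trust failure in the log. It embeds an excerpt of the issue's log and assumes only the verbosity-2 log format shown there.

```python
import re

# Excerpt of the Unbound verbosity-2 log lines quoted in the issue (hostname shortened).
SAMPLE_LOG = """\
Feb 09 01:58:38 host unbound[27625]: [27625:2] info: response for _443._tcp.bluishcoder.bit. TLSA IN
Feb 09 01:58:38 host unbound[27625]: [27625:2] info: query response was DNSSEC LAME
Feb 09 01:58:38 host unbound[27625]: [27625:2] info: response for _443._tcp.bluishcoder.bit. TLSA IN
Feb 09 01:58:38 host unbound[27625]: [27625:2] info: query response was NXDOMAIN ANSWER
Feb 09 01:58:38 host unbound[27625]: [27625:2] info: response for _tcp.bluishcoder.bit. DS IN
Feb 09 01:58:38 host unbound[27625]: [27625:2] info: query response was DNSSEC LAME
Feb 09 01:58:38 host unbound[27625]: [27625:2] info: response for _tcp.bluishcoder.bit. DS IN
Feb 09 01:58:38 host unbound[27625]: [27625:2] info: query response was NXDOMAIN ANSWER
Feb 09 01:58:38 host unbound[27625]: [27625:2] info: Could not establish a chain of trust to keys for _tcp.bluishcoder.bit. DNSKEY IN
Feb 09 01:58:38 host unbound[27625]: [27625:2] info: validation failure _443._tcp.bluishcoder.bit. TLSA IN
"""

# Regexes written against the log format shown in the issue; other Unbound versions may word these lines differently (assumption).
RESPONSE_FOR = re.compile(r"info: response for (\S+) (\S+) IN$")
VERDICT = re.compile(r"info: query response was (.+)$")
FAILURE = re.compile(r"info: (Could not establish a chain of trust to keys for|validation failure) (\S+) (\S+) IN$")


def parse_outcomes(log_text):
    """Pair each 'response for <name> <type>' line with the 'query response was'
    verdict(s) that follow it. Returns ({(name, type): [verdict, ...]}, failures)."""
    outcomes, failures, current = {}, [], None
    for line in log_text.splitlines():
        line = line.rstrip()
        if m := RESPONSE_FOR.search(line):
            current = (m.group(1), m.group(2))
            outcomes.setdefault(current, [])
        elif (m := VERDICT.search(line)) and current is not None:
            outcomes[current].append(m.group(1).strip())
        elif m := FAILURE.search(line):
            failures.append((m.group(2), m.group(3), m.group(1)))
    return outcomes, failures


def lame_then_nxdomain(outcomes):
    """Names whose upstream answer was first classified DNSSEC LAME and then came
    back as NXDOMAIN: the pattern in the issue, where the negative answer for the
    nonexistent subdomain is rejected and the chain of trust cannot be built."""
    return [q for q, verdicts in outcomes.items()
            if "DNSSEC LAME" in verdicts
            and any(v.startswith("NXDOMAIN") for v in verdicts)]


if __name__ == "__main__":
    print(lame_then_nxdomain(parse_outcomes(SAMPLE_LOG)[0]))
```

Feed it `journalctl -u unbound` output instead of SAMPLE_LOG to check whether the same LAME-then-NXDOMAIN sequence appears for other nonexistent .bit subdomains.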

@hlandau Any idea what's wrong here?

JeremyRand, Feb 09 '19 08:02