Re: verification error: empty key record; insecure key

From: Murray S. Kucherawy <msk_at_blackops.org>
Date: Thu, 16 Aug 2012 23:51:01 -0700 (PDT)

For the benefit of the rest of the list, I spent a good chunk of this
evening looking into this and here's what I found.

As far as I can tell, either libunbound has a bug that causes it to ignore
/etc/resolv.conf (even when it's read in), or it must be told explicitly
to use /etc/resolv.conf's contents and we're not doing that. The
documentation isn't clear on whether the latter is required and/or what
happens by default.

The slightly longer version is that I compiled 2.7.0 both with and without
libunbound. The resolution test described in this report worked fine
without it, and failed with it. I ran it through the debugger and found
that libunbound is telling us "no such record found", so the error we're
reporting is consistent with what we're getting back. Then I did an
strace and found that although /etc/resolv.conf is being loaded,
libunbound is not using the nameservers listed in there, but is instead
talking directly to the root nameservers, so of course "example.com" data
won't be returned in that case.

I've posted a question to the unbound-users list to see if there's any
insight into this issue over there. If it's not a bug in their code or
documentation, then there might be something we're doing wrong with how
we're calling libunbound that needs fixing.

I'll report back when there's been more progress.

-MSK
Received on Fri Aug 17 2012 - 06:51:17 PST
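
The strace comparison described in the message above can be automated. The following is an added example, not code from the original message or from either project: it reads the `nameserver` lines of a resolv.conf file and flags every port-53 destination in an strace network trace that is not one of them. The resolv.conf contents, trace lines, addresses and function names are all constructed for illustration.

```python
import ipaddress
import re

# Constructed resolv.conf contents (documentation address ranges).
RESOLV_CONF = """\
search example.com
nameserver 192.0.2.53      # site resolver
nameserver 2001:db8::53
"""

# Constructed strace lines in the style of `strace -f -e trace=network`.
STRACE_LOG = r"""
1234 sendto(6, "\316\4\1\0"..., 29, 0, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("198.51.100.4")}, 16) = 29
1234 sendto(6, "\221\7\1\0"..., 29, 0, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("192.0.2.53")}, 16) = 29
1234 connect(7, {sa_family=AF_INET6, sin6_port=htons(53), sin6_flowinfo=htonl(0), inet_pton(AF_INET6, "2001:db8::99", &sin6_addr), sin6_scope_id=0}, 28) = 0
1234 connect(8, {sa_family=AF_INET, sin_port=htons(443), sin_addr=inet_addr("203.0.113.9")}, 16) = 0
"""

# Port and address of every AF_INET / AF_INET6 sockaddr strace printed.
SOCKADDR = re.compile(
    r'sin6?_port=htons\((\d+)\)[^}\n]*?(?:inet_addr\(|inet_pton\(AF_INET6, )"([^"]+)"')


def configured_nameservers(resolv_text):
    """Return the set of addresses on `nameserver` lines."""
    servers = set()
    for line in resolv_text.splitlines():
        # Drop comments, then split the remaining keyword and value.
        fields = re.split(r"[#;]", line, maxsplit=1)[0].split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            # Strip an IPv6 zone suffix such as %eth0 before parsing.
            servers.add(ipaddress.ip_address(fields[1].split("%")[0]))
    return servers


def dns_destinations(strace_text):
    """Return every address the traced process contacted on port 53."""
    return [ipaddress.ip_address(addr)
            for port, addr in SOCKADDR.findall(strace_text) if port == "53"]


def unexpected_dns(resolv_text, strace_text):
    """DNS destinations that are not configured nameservers, as sorted strings."""
    allowed = configured_nameservers(resolv_text)
    return sorted({str(d) for d in dns_destinations(strace_text) if d not in allowed})


if __name__ == "__main__":
    for addr in unexpected_dns(RESOLV_CONF, STRACE_LOG):
        print("DNS traffic to a server not in resolv.conf:", addr)
```

An empty result means every DNS query in the trace went to a configured nameserver; any address returned is a server the process reached on its own.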
