[Dnssec-trigger] Another problem: switching from forwarders to authority does not clean Unbound

Stephane Bortzmeyer bortzmeyer at nic.fr
Sat Oct 29 14:32:32 UTC 2011

I observed the following phenomenon at the RIPE meeting (SSID
ripemtg, dnsse-trigger 0.7).

1) Resolvers are OK. dnssec-trigger tells Unbound to use
them. Everything works.

2) Suddenly (unknown reasons), resolvers no longer transmit
RRsigs. Unbound SERVFAILs

3) Reprobing does not help. dnssec-trigger correctly switches to
authority name servers (and displays "no RRSIG in reply" for the
resolvers). But Unbound still SERVFAILs.

4) Restarting Unbound solves the problem.

So, apparently, something is not cleaned from the time were Unbound,
using forwarders, were not receiving expected RRSIGs. I assume
dnssec-trigger does not expect the resolvers to change behavior but
reprobing should "reset" Unbound more completely.

More information about the dnssec-trigger mailing list