[Dnssec-trigger] bugs.debian.org validation failure

Chuck Anderson cra at WPI.EDU
Thu Sep 18 19:35:30 UTC 2014


On Thu, Sep 18, 2014 at 01:32:20PM -0400, Paul Wouters wrote:
> On Thu, 18 Sep 2014, Chuck Anderson wrote:
> 
> >Why is unbound showing a validation failure when dnsviz.net shows everything is good?
> 
> dnsviz.net is not using the resolvers/forwarders you are using?
> 
> >Sep 18 12:07:34 system unbound: [2399:1] info: validation failure bugs.debian.org. AAAA IN
> 
> ># unbound-control list_forwards
> >. IN forward: 130.215.32.18 130.215.39.18 130.215.5.18
> 
> Try not using those forwards? eg:

I'm fairly certain the forwarders aren't the problem since I run those
as well.  They are standard BIND 9 installs running full recursion
with no firewall on the DNS traffic, but they don't have DNSSEC
validation turned on yet.

> unbound-control reload
> unbound-control forward_add . 8.8.8.8
> 
> Then try again? If that works, go back to the original forwarders and
> see if the problem returns. If so, possibly crank up the verbosity: in
> unbound.conf so you get more information about why it failed validation.

Too late to check--it is working now with the same forwards.  So this
was a transient issue.

# host bugs.debian.org
bugs.debian.org has address 140.211.166.26
bugs.debian.org has address 206.12.19.140
bugs.debian.org has IPv6 address 2607:f8f0:610:4000:6564:a62:ce0c:138c
bugs.debian.org mail is handled by 10 buxtehude.debian.org.

I have very few issues with unbound/DNSSEC, so I'm not sure what to do
for troubleshooting when a problem does happen.  What verbosity level
do you suggest?  I'll have to leave it cranked up so I'll have the
data if/when this happens again.




More information about the dnssec-trigger mailing list