[Dnssec-trigger] bugs.debian.org validation failure
cra at WPI.EDU
Thu Sep 18 19:35:30 UTC 2014
On Thu, Sep 18, 2014 at 01:32:20PM -0400, Paul Wouters wrote:
> On Thu, 18 Sep 2014, Chuck Anderson wrote:
> >Why is unbound showing a validation failure when dnsviz.net shows everything is good?
> dnsviz.net is not using the resolvers/forwarders you are using?
> >Sep 18 12:07:34 system unbound: [2399:1] info: validation failure bugs.debian.org. AAAA IN
> ># unbound-control list_forwards
> >. IN forward: 188.8.131.52 184.108.40.206 220.127.116.11
> Try not using those forwards? eg:
I'm fairly certain the forwarders aren't the problem since I run those
as well. They are standard BIND 9 installs running full recursion
with no firewall on the DNS traffic, but they don't have DNSSEC
validation turned on yet.
> unbound-control reload
> unbound-control forward_add . 18.104.22.168
> Then try again? If that works, go back to the original forwarders and
> see if the problem returns. If so, possibly crank up the verbosity: in
> unbound.conf so you get more information about why it failed validation.
Too late to check--it is working now with the same forwards. So this
was a transient issue.
# host bugs.debian.org
bugs.debian.org has address 22.214.171.124
bugs.debian.org has address 126.96.36.199
bugs.debian.org has IPv6 address 2607:f8f0:610:4000:6564:a62:ce0c:138c
bugs.debian.org mail is handled by 10 buxtehude.debian.org.
I have very few issues with unbound/DNSSEC, so I'm not sure what to do
for troubleshooting when a problem does happen. What verbosity level
do you suggest? I'll have to leave it cranked up so I'll have the
data if/when this happens again.
More information about the dnssec-trigger