[Dnssec-trigger] bugs.debian.org validation failure

W.C.A. Wijngaards wouter at nlnetlabs.nl
Fri Sep 19 07:06:52 UTC 2014


Hi Chuck,

On 09/18/2014 09:35 PM, Chuck Anderson wrote:
> On Thu, Sep 18, 2014 at 01:32:20PM -0400, Paul Wouters wrote:
>> On Thu, 18 Sep 2014, Chuck Anderson wrote:
>> 
>>> Why is unbound showing a validation failure when dnsviz.net
>>> shows everything is good?
>> 
>> dnsviz.net is not using the resolvers/forwarders you are using?
>> 
>>> Sep 18 12:07:34 system unbound: [2399:1] info: validation failure bugs.debian.org. AAAA IN
>> 
>>> # unbound-control list_forwards
>>> . IN forward: 130.215.32.18 130.215.39.18 130.215.5.18
>> 
>> Try not using those forwards? eg:
> 
> I'm fairly certain the forwarders aren't the problem since I run
> those as well.  They are standard BIND 9 installs running full
> recursion with no firewall on the DNS traffic, but they don't have
> DNSSEC validation turned on yet.
> 
>> unbound-control reload
>> unbound-control forward_add . 8.8.8.8
>> 
>> Then try again? If that works, go back to the original forwarders
>> and see if the problem returns. If so, possibly crank up the
>> verbosity: in unbound.conf so you get more information about why
>> it failed validation.
> 
> Too late to check--it is working now with the same forwards.  So
> this was a transient issue.
> 
> # host bugs.debian.org
> bugs.debian.org has address 140.211.166.26
> bugs.debian.org has address 206.12.19.140
> bugs.debian.org has IPv6 address 2607:f8f0:610:4000:6564:a62:ce0c:138c
> bugs.debian.org mail is handled by 10 buxtehude.debian.org.
> 
> I have very few issues with unbound/DNSSEC, so I'm not sure what to
> do for troubleshooting when a problem does happen.  What verbosity
> level do you suggest?  I'll have to leave it cranked up so I'll
> have the data if/when this happens again.

val-log-level: 2

This prints a descriptive string into the log file about why the
validation failure happened, i.e. "validation failure name type class:
no RRSIG records from server 192.0.2.1".

Best regards,
   Wouter
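
A log-triage sketch for the val-log-level: 2 output described above, as an added example that is not part of the original message or of unbound. It parses both line forms quoted in the thread and counts failures per upstream server; the sample log lines are constructed, and the function names and the tolerance for angle brackets around the query are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Matches both forms quoted in the thread:
#   without a reason: "... info: validation failure bugs.debian.org. AAAA IN"
#   with a reason:    "validation failure name type class: <reason>"
# Angle brackets around "name type class" are tolerated (assumption).
FAILURE = re.compile(
    r"validation failure <?(?P<name>\S+) (?P<type>[A-Z0-9]+) (?P<class>[A-Z0-9]+)>?"
    r"(?:: (?P<reason>.*))?$"
)

def parse_failure(line):
    """Return a dict for a validation-failure line, or None for other lines."""
    m = FAILURE.search(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["server"] = None
    # The last token of the reason that parses as an IP address is the server.
    for token in (rec["reason"] or "").split():
        try:
            rec["server"] = str(ipaddress.ip_address(token.strip(".,;")))
        except ValueError:
            continue
    return rec

def summarize(lines):
    """Count failures per server; also count lines logged without a reason."""
    by_server, no_reason = Counter(), 0
    for line in lines:
        rec = parse_failure(line)
        if rec is None:
            continue
        if rec["reason"] is None:
            no_reason += 1  # logged before val-log-level: 2 was set
        else:
            by_server[rec["server"] or "unknown"] += 1
    return by_server, no_reason

# Constructed sample lines, modelled on the two forms in the thread.
SAMPLE_LOG = """\
Sep 18 12:07:34 system unbound: [2399:1] info: validation failure bugs.debian.org. AAAA IN
Sep 18 12:09:02 system unbound: [2399:0] info: validation failure bugs.debian.org. AAAA IN: no RRSIG records from server 192.0.2.1
Sep 18 12:09:05 system unbound: [2399:1] info: validation failure <example.org. A IN>: no RRSIG records from server 192.0.2.1
Sep 18 12:09:09 system unbound: [2399:1] info: validation failure example.net. MX IN: no RRSIG records from server 2001:db8::53
Sep 18 12:10:00 system cron[101]: (root) CMD (run-parts /etc/cron.hourly)
"""

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG.splitlines()))
```

A failure count concentrated on one forwarder address points at that upstream; failures spread across all of them point elsewhere.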

