[Unbound-users] unbound insecure!
W.C.A. Wijngaards
wouter at NLnetLabs.nl
Wed Oct 1 06:44:32 UTC 2008
Shahab Yassemi wrote:
> Hi ,
>
> would you please help me and tell why is this unsecure? I used 4
> -d for debug and here is the result : ( I added the key to trust
> anchor in unbound.conf and dig returns servfail ) thanks a lot.

The reason that unbound-host returns insecure is because you did not
give unbound-host a trust anchor.

dig returns servfail? That means the problem is not with unbound at
all, but with the authority server - it gives servfail for DNSKEY lookups.

> root at shahab-desktop:~# unbound-host -r -d -d -d -d com -v

Can you load the trust anchor into unbound-host:

    unbound-host -r -d -d -d -d com -v -y "com. IN DNSKEY 257 3 5
    AwEAAbf7W22wjbzQ25cp23q4Kp7QdEOUWiPm5kDVvE2kOUYCyFUI04oI
    EA2zs1i0jHfaTDxkEOQa810eqgBJQAuCyv0="

And then try again? It should print out the packet it got back when
asking for the DNSKEY - just like the dig commandline.

Paul told you to nsdc rebuild and then nsdc reload. Did you do that?

Best regards,
Wouter