[Unbound-users] Forwarding failing when DNSSec is enabled
Paul Wouters
paul at xelerance.com
Wed Jul 1 16:46:01 UTC 2009
On Wed, 1 Jul 2009, Harish Chandra wrote:
> Without DNSSec, forwarding is working fine. With DNSSec enabled (I am
> using DLV), forwarding fails when I forward my queries to a server that
> isn't dnssec enabled.
> The output from the log looks like this:
> [1246456813] unbound[7919:0] info: verify rrset <dlv.isc.org.. DNSKEY IN>
> [1246456813] unbound[7919:0] debug: rrset failed to verify due to a lack
> of signatures
Are you running trunk? There is a bug up to 1.3.0 that caused DLV to
fail.
> The failure appears because of a signature mismatch. But why is
> validation taking place when the actual resolver can't talk dnssec? My
> config file looks like this:
It should fall back to non-secure. If your forwarder changes again to one
that does relay dnssec information, unbound drops the cache and uses the
validator again (if I understood Wouter correctly; I have not verified
this myself).
Paul