[Unbound-users] unbound-host ignoring expired RRSIGs?
wouter at NLnetLabs.nl
Wed Jul 29 10:51:19 UTC 2009
Can you give me the unbound-host commandline you used?
Unbound host is supposed to print (bogus security failure) for
It only does so when -v is passed, otherwise it'll print bogus
data as output though. Is this a user interface issue?
Paul Wouters wrote:
> I just ran into an issue where I could not resolve dnsops.biz. After some
> investigation, it seems unbound was right. The RRSIG records expired 4
> days ago.
> dnsops.biz. 3600 IN RRSIG DNSKEY 5 2 3600 20090725124034
> 20090625124034 43287 dnsops.biz.
> 15KR8czTQk14GkS7z1NrZCfwoMU3bbZXrVHvzY1EHwNDdnXD0ii6FMex pVN28A==
> It took me a little while to figure this out, as "unbound-host" would
> happily return the record, without any indication of a problem, while
> the unbound daemon itself would only do so with the CD bit set.
> It was even more confusing as our DNSX Resolver has the key for dnsops.biz
> loaded, and the answer unbound-host gave was "(insecure)". In fact,
> it should say it was "(expired)" or "(invalid)" or something. It is
> clearly not "just" insecure when the configuration has a DNSKEY loaded,
> which signature expired.
> Anyway, it at least explains the error I was seeing for
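As an added illustration (not code from the thread, Unbound, or unbound-host), here is the validity-window check a validator applies to an RRSIG, run over the dnsops.biz record quoted above. It parses the presentation-format RDATA, converts the inception/expiration fields (RFC 4034 allows YYYYMMDDHHmmSS or plain seconds) and compares them with RFC 1982 serial arithmetic, which is how the 32-bit time fields are defined to be compared; the input line and the "now" timestamps are constructed from the mail.

```python
from datetime import datetime, timezone

# Constructed input: the dnsops.biz RRSIG quoted in the thread, joined on one line.
RRSIG_LINE = ("dnsops.biz. 3600 IN RRSIG DNSKEY 5 2 3600 20090725124034 "
              "20090625124034 43287 dnsops.biz. "
              "15KR8czTQk14GkS7z1NrZCfwoMU3bbZXrVHvzY1EHwNDdnXD0ii6FMexpVN28A==")

MASK32 = 0xFFFFFFFF


def to_serial(t):
    """Turn an RRSIG time field (or a 'now') into a 32-bit serial of seconds
    since the epoch. RFC 4034 3.2 allows YYYYMMDDHHmmSS or decimal seconds."""
    if isinstance(t, datetime):
        return int(t.timestamp()) & MASK32
    if len(t) == 14:
        dt = datetime.strptime(t, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
        return int(dt.timestamp()) & MASK32
    return int(t) & MASK32


def serial_lt(a, b):
    """RFC 1982 serial-number comparison 'a < b' on 32-bit values, so the
    check keeps working across the 2106 wrap-around of the time fields."""
    return (a < b and b - a < 2**31) or (a > b and a - b > 2**31)


def rrsig_status(line, now):
    """Classify an RRSIG in presentation format relative to `now`:
    'valid', 'expired' or 'not yet valid' (RFC 4034 3.1.5, bounds inclusive).
    `now` may be a datetime or a string in either RRSIG time form."""
    f = line.split()
    if len(f) < 13 or f[3] != "RRSIG":
        raise ValueError("expected an RRSIG record in presentation format")
    expiration, inception = to_serial(f[8]), to_serial(f[9])
    now_s = to_serial(now)
    if serial_lt(now_s, inception):
        return "not yet valid"
    if serial_lt(expiration, now_s):
        return "expired"
    return "valid"


if __name__ == "__main__":
    # The date of the thread: four days after the 2009-07-25 expiration.
    owner, covered = RRSIG_LINE.split()[0], RRSIG_LINE.split()[4]
    print(owner, "RRSIG", covered, "->", rrsig_status(RRSIG_LINE, "20090729105119"))
```

A resolver with the zone's DNSKEY loaded should report this record as a validation failure rather than "insecure"; this check reproduces only the timing part of that decision, not the signature verification itself.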