[Unbound-users] SERVFAIL with *some* names in a DNSSEC+DLV signed zone
paul at xelerance.com
Fri Sep 4 14:42:04 UTC 2009

On Fri, 4 Sep 2009, W.C.A. Wijngaards wrote:
> But I am thinking how to make this easier on other people that
> aren't as smart as you are to figure this out. Or to make unbound
> smarter so it won't get into this trouble. I don't know.

It's hard. We have the same issue with openswan where people can send
us a 'barf', a full debug file. It's fairly easy for me to spot most
problems within a few minutes. But for an inexperienced person it is
next to impossible. We had an automatic 'barf analyser' a long time
ago but it was only capable of finding the simple mistakes. With DNS,
and cache and TTL, this becomes even harder to automate.

You keep mentioning drill, but I find drill hard to use because I need
to give it trust anchors, where unbound-host I can run without any
new configuration and it will just pick up my configured trust anchors.
I guess in this case, dnscheck --test=consistency would have spotted