[Unbound-users] .PR servfails with Unbound but not with BIND

Michael Graff mgraff at isc.org
Wed Sep 9 16:26:08 UTC 2009


Not to follow up my own post, but I'd like to point out that .pr is not
the only problem in TAR-space right now.

From the ARIN TAR import:

Fetching DNSKEYS from DNS for 171.in-addr.arpa
Unused DS for 171.in-addr.arpa, type RSASHA1/SHA-1, tag 54333

Fetching DNSKEYS from DNS for 153.in-addr.arpa
Unused DS for 153.in-addr.arpa, type RSASHA1/SHA-1, tag 35994

Fetching DNSKEYS from DNS for 154.in-addr.arpa
Unused DS for 154.in-addr.arpa, type RSASHA1/SHA-1, tag 49773

What this script does is compare data from three sources:  what is
currently in ISC's DLV, what is in the TAR, and what is in the zone.
ISC's DLV will attempt to match the TAR's data:  if a key is removed
from the TAR, we will remove it from DLV regardless of whether it is still in
the zone.  We will attempt to add any new keys we find DS records for in
the TAR, if they exist in the zone.

In this case, I believe these three domains were delegated away from
ARIN, but they (and DS records) are still present in the ARIN TAR.

In this case, anyone who has a tar-import script would reject any data
from those domains, since the trusted-key would be configured, yet it is
not correct.

--Michael
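
The three-way comparison described in the message, as an added example that is not part of the original post and is not ISC's import script. It assumes SHA-1 DS records held as (key tag, digest) pairs; the function names, the key bytes and the digests are constructed for illustration, and only the owner name and tag 54333 come from the output quoted above.

```python
import hashlib

def name_to_wire(name):
    """Owner name in canonical DNS wire form: lowercase, length-prefixed labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (not valid for algorithm 1, RSA/MD5)."""
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_sha1(owner, rdata):
    """(tag, digest) of the SHA-1 DS record that a DNSKEY RDATA corresponds to."""
    return key_tag(rdata), hashlib.sha1(name_to_wire(owner) + rdata).hexdigest()

def reconcile(owner, dlv, tar, zone_dnskeys):
    """dlv, tar: sets of (tag, sha1-hex) pairs; zone_dnskeys: list of DNSKEY RDATA."""
    in_zone = {ds_sha1(owner, k) for k in zone_dnskeys}
    return {
        "remove": dlv - tar,           # gone from the TAR: drop from DLV, zone or not
        "add": (tar - dlv) & in_zone,  # new in the TAR and backed by a key in the zone
        "unused": tar - in_zone,       # TAR DS with no matching DNSKEY ("Unused DS")
    }

# Constructed sample data: one live key, one stale TAR entry, one old DLV entry.
OWNER = "171.in-addr.arpa"
LIVE_KEY = bytes([0x01, 0x01, 3, 5]) + b"constructed-public-key-bytes"
STALE_DS = (54333, "00" * 20)   # tag from the quoted output, digest constructed
OLD_DLV = (12345, "11" * 20)    # constructed

def demo():
    live_ds = ds_sha1(OWNER, LIVE_KEY)
    return reconcile(OWNER, dlv={OLD_DLV}, tar={live_ds, STALE_DS},
                     zone_dnskeys=[LIVE_KEY])

if __name__ == "__main__":
    for action, records in demo().items():
        for tag, digest in sorted(records):
            print(f"{action:7s} {OWNER} tag {tag} digest {digest}")
```

A resolver that loads the TAR's DS for such a zone as a trust anchor has no key in the zone that matches it, which is the "unused" set here.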
