Paul Wouters paul at xelerance.com
Sun Jun 27 15:52:28 UTC 2010

On Sun, 27 Jun 2010, Papp Tamás wrote:

> So I've just tested it a bit, and this option is the problem:
> dlv-anchor-file: "/etc/unbound/dlv.isc.org.key"

It seems Google's DNS does not understand DLV records:

dig +norecur -t dlv isc.org.dlv.isc.org @

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63442
;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;isc.org.dlv.isc.org.		IN	DLV

;; Query time: 44 msec
;; WHEN: Sun Jun 27 11:48:35 2010
;; MSG SIZE  rcvd: 37

So you cannot use Google as a forwarder while using DLV.

> BTW, what does stub-prime exactly do? I'm afraid, it's not clear to me, what 
> does "it performs NS set priming" mean?

It is used when you want to "override" the real NS set and do the lookup of
a zone via nameservers that are not in the "official zone".

For example, to reach the Canadian testbed for DNSSEC, which runs a signed
shadow tree for the entire .ca zone, you would use:


Now, instead of using the NS records in the root zone that point to ca., unbound
will use these two addresses instead.

