[Unbound-users] testing validation failure
wouter at NLnetLabs.nl
Wed Mar 17 19:08:50 UTC 2010
Thanks for enabling DNSSEC.
The issue is simply that dnssec-tools.org does not have a secure
delegation from .org; the DS is not returned by the .org servers:
dig @d0.org.afilias-nst.org. dnssec-tools.org +dnssec
I found this with unbound-host -vd, which said (in lots of output):
info: Successfully primed trust anchor <ORG. DNSKEY IN>
info: NSEC3s for the referral proved no DS.
info: Verified that response is INSECURE
They presumably have a dlv entry, thus the dlv anchor works.
I would advise you to install a cron job to pull the anchors.mf and
update it. A script that does so and checks the PGP signature is in the
unbound source tarball contrib/update-itar.sh :-)
This makes sure that you have the latest trust anchors, otherwise they
go stale and things stop working next year.
On 03/17/2010 07:36 PM, Taylor R Campbell wrote:
> I am trying to make Unbound act as a recursive resolver that answers
> with and caches secure and insecure data, but not bogus data, using
> the IANA ITAR trust anchors. In particular, I want replies with the
> AD bit clear to mean that the relevant data are insecure, and I want
> the resolver to return an error when all it can find is bogus data.
> However, my attempts so far have been met with failure, so I assume I
> must be doing something wrong, and I should like to know how to do it
> I installed Unbound 1.4.2 (on a 32-bit machine not running Mac OS X or
> Solaris, so I haven't upgraded to 1.4.3) and ran it with the following
> Let me know if you would like to see log messages, or any other
> information about my configuration or tests.
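As an added illustration of the diagnosis above (this script is not from the list message or from the Unbound project), the following POSIX shell script classifies unbound-host -vd output as SECURE, INSECURE or BOGUS and checks whether a dig answer from the parent zone carries a DS record, which is the check behind the "no secure delegation" conclusion. All sample output is constructed: the INSECURE sample mirrors the lines quoted in the message, while the "validation failure" wording for the bogus case and the DS digest are assumed placeholders, not captured output.

```shell
#!/bin/sh
# Added example: classify a validator's verdict from unbound-host -vd output
# and check whether a parent-zone dig answer carries a DS record.
# All sample output below is constructed for this example.

# Modelled on the lines quoted in the message: no DS at the parent.
SAMPLE_INSECURE='info: Successfully primed trust anchor <ORG. DNSKEY IN>
info: NSEC3s for the referral proved no DS.
info: Verified that response is INSECURE'

SAMPLE_SECURE='info: Successfully primed trust anchor <ORG. DNSKEY IN>
info: Verified that response is SECURE'

# Assumed wording for a failed validation (constructed, not captured).
SAMPLE_BOGUS='info: Successfully primed trust anchor <ORG. DNSKEY IN>
info: validation failure <dnssec-tools.org. A IN>: signature crypto failed'

# Constructed "dig @parent child +dnssec" output: a referral without DS.
DIG_NO_DS=';; AUTHORITY SECTION:
dnssec-tools.org.  86400  IN  NS  ns1.example.
dnssec-tools.org.  86400  IN  NS  ns2.example.'

# Constructed output for a secured delegation (the DS digest is a placeholder).
DIG_WITH_DS=';; ANSWER SECTION:
example.org.  86400  IN  DS  12345 8 2 PLACEHOLDERDIGEST'

# classify_validation: read validator log lines on stdin, print one verdict.
# A resolver should answer for SECURE and INSECURE and refuse BOGUS.
classify_validation() {
    out=$(cat)
    case "$out" in
        *"Verified that response is SECURE"*)   echo SECURE ;;
        *"Verified that response is INSECURE"*) echo INSECURE ;;
        *"validation failure"*)                 echo BOGUS ;;
        *)                                      echo UNKNOWN ;;
    esac
}

# delegation_has_ds: read dig output on stdin; succeed if a DS record is present.
delegation_has_ds() {
    grep -Eq '[[:space:]]IN[[:space:]]+DS[[:space:]]'
}

# report: combine both checks into one human-readable line per name.
report() {
    name=$1; validator=$2; parent=$3
    verdict=$(printf '%s\n' "$validator" | classify_validation)
    if printf '%s\n' "$parent" | delegation_has_ds; then ds=yes; else ds=no; fi
    printf '%s: validator=%s DS-at-parent=%s\n' "$name" "$verdict" "$ds"
}

report dnssec-tools.org "$SAMPLE_INSECURE" "$DIG_NO_DS"
report example.org      "$SAMPLE_SECURE"   "$DIG_WITH_DS"
report bogus.example    "$SAMPLE_BOGUS"    "$DIG_WITH_DS"
```

Running the script prints one line per sample; the first shows the situation in the message (validator says INSECURE, no DS at the parent), which is exactly the case where the AD bit is clear but the answer is still served. Replacing the constructed samples with real output from `unbound-host -vd name` and `dig @parent-server name +dnssec` turns it into a quick delegation check.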