[Unbound-users] testing validation failure
Taylor R Campbell
campbell+unbound at mumble.net
Wed Mar 17 20:18:57 UTC 2010
> Date: Wed, 17 Mar 2010 20:08:50 +0100
> From: "W.C.A. Wijngaards" <wouter at nlnetlabs.nl>
>
> The issue is simply that dnssec-tools.org does not have a secure
> delegation from .org; the DS is not returned by the .org servers:
>
> dig @d0.org.afilias-nst.org. dnssec-tools.org +dnssec

Thanks. I see that this is spelled out precisely in RFC 4033 in the
definitions of `insecure' and `bogus'. If I put dnssec-tools.org's
DNSKEY among Unbound's trust anchors, I get SERVFAIL as expected.

> I would advise you to install a cron job to pull the anchors.mf and
> update it. A script that does so and checks the PGP signature is in the
> unbound source tarball contrib/update-itar.sh :-)

Yep, I planned to do that once I got Unbound behaving as I expect.

> This makes sure that you have the latest trust anchors, otherwise they
> go stale and things stop working next year.

Next year? Isn't the root zone supposed to be signed in July, at
which point the IANA ITAR will turn into a pumpkin?
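To make the RFC 4033 distinction the thread turns on concrete, here is an added Python example (not from the thread, Unbound or dnssec-tools.org) that builds the DS a parent would have to publish for a child's DNSKEY and classifies the delegation as secure, insecure or bogus. The key bytes are constructed and the owner name is only borrowed from the thread; the check covers DS-to-DNSKEY linkage and configured anchors, not RRSIG verification.

```python
"""DS/DNSKEY linkage (RFC 4034) and delegation status (RFC 4033); added example."""
import hashlib
import struct

def name_to_wire(name):
    """Owner name in canonical wire form: lowercase, length-prefixed labels, root byte."""
    labels = [lab for lab in name.rstrip(".").lower().split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA: 2-octet flags, protocol (always 3), algorithm, then the public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (every algorithm except the obsolete RSA/MD5)."""
    acc = 0
    for i, octet in enumerate(rdata):
        acc += octet if i & 1 else octet << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner, rdata, digest_type=2):
    """DS the parent must publish: digest over owner name || DNSKEY RDATA
    (RFC 4034 section 5.1.4). digest_type 1 = SHA-1, 2 = SHA-256 (RFC 4509)."""
    h = hashlib.sha1 if digest_type == 1 else hashlib.sha256
    digest = h(name_to_wire(owner) + rdata).digest()
    return (key_tag(rdata), rdata[3], digest_type, digest)

def ds_matches(owner, ds, rdata):
    """True if this DS (key tag, algorithm, digest type, digest) covers this DNSKEY."""
    return ds == make_ds(owner, rdata, ds[2])

def delegation_status(owner, parent_ds, child_dnskeys, trust_anchors=()):
    """RFC 4033 outcome, checking only the DS-to-DNSKEY link (RRSIGs are not verified).
    insecure: no DS at the parent and no local anchor, so answers pass unvalidated.
    secure:   a DS, or an anchored DNSKEY, points at a key the child actually serves.
    bogus:    a chain was expected but cannot be built; a validator answers SERVFAIL."""
    if not parent_ds and not trust_anchors:
        return "insecure"
    for rdata in child_dnskeys:
        if rdata in trust_anchors or any(ds_matches(owner, ds, rdata) for ds in parent_ds):
            return "secure"
    return "bogus"

if __name__ == "__main__":
    ksk = dnskey_rdata(257, 3, 8, bytes(range(64)))  # constructed key, not a real KSK
    print(delegation_status("dnssec-tools.org", [], [ksk]))          # insecure: no DS
    print(delegation_status("dnssec-tools.org", [], [ksk], [ksk]))   # secure: anchored key
```

Feeding the same inputs with an anchor that the child does not serve yields "bogus", which is the SERVFAIL case the thread describes.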