[Unbound-users] Signed .de zone - temporary validation errors
Paul Wouters
paul at xelerance.com
Wed Mar 31 13:43:31 UTC 2010
On Wed, 31 Mar 2010, Bernhard Schmidt wrote:
> It occasionally happens after about one to two weeks of uptime that I cannot
> query any .de domain anymore. All of a sudden the log is full of validation
> errors:
> Mar 30 21:06:10 svr01 unbound: [1315:0] info: failed to prime trust anchor --
> DNSKEY rrset is not secure <de. DNSKEY IN>
> Mar 30 21:06:10 svr01 last message repeated 2 times
> Mar 30 21:06:10 svr01 unbound: [1315:0] info: failed to prime trust anchor --
> could not fetch DNSKEY rrset <de. DNSKEY IN>
> Mar 30 21:06:10 svr01 last message repeated 2 times
>
> The process has been running untouched since March 21st.
>
> I raised this on the DENIC ml. Peter Koch told me that he sees queries from
> my IP address without the OPT-RR (so no EDNS and no DO) during that
> timeframe. Which would of course mean that Unbound would not get any DNSSEC
> records, so complaining is a good plan indeed.
Did you check the ntp/clock settings on the machines involved?
You might need to add a lot of verbosity to get more logs out of unbound. Or
if you still have that instance running, use unbound-remote to dump the cache
to a file and we might be able to get more information out of it.
Paul