[Unbound-users] Signed .de zone - temporary validation errors
Paul Wouters
paul at xelerance.com
Wed Mar 31 15:44:56 UTC 2010
On Wed, 31 Mar 2010, Roy Arends wrote:
>> stub-zone:
>> name: "de"
>> stub-addr: 81.91.161.228 # auth-fra.dnssec.denic.de
>> stub-addr: 2A02:568:0:1::53
>> stub-addr: 87.233.175.25 # auth-ams.dnssec.denic.de
>> stub-prime: no
>
> That server (81.91.161.228/87.233.175.25) will tell you that the actual nameservers for .de are [cls].de.net. and [afz].nic.de. Subsequently, the resolver asks one of these servers for an answer, and gets an unsigned delegation. Hence the validation failure.
>
> This is how it worked in the Java version of unbound.

Isn't that why stub-prime: no is there (and the reason why this is so hard to do with
BIND because it does not have the equivalent feature)?

    stub-prime: <yes or no>
        This option is by default off. If enabled it performs NS set
        priming, which is similar to root hints, where it starts using
        the list of nameservers currently published by the zone. Thus,
        if the hint list is slightly outdated, the resolver picks up a
        correct list online.

Paul
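
Added example (not part of the original message, and not Unbound project code): a small Python check that reads unbound.conf text and reports, per stub-zone, the configured stub-addr entries and the effective stub-prime value, using the default of "off" from the man page text quoted above. The sample configuration is constructed; the "example.test" zone and the function names are hypothetical.

```python
# Constructed sample: the stub-zone quoted in the thread, plus a hypothetical
# second zone ("example.test") with priming enabled for contrast.
SAMPLE_CONF = """
server:
    verbosity: 1
stub-zone:
    name: "de"
    stub-addr: 81.91.161.228   # auth-fra.dnssec.denic.de
    stub-addr: 2A02:568:0:1::53
    stub-addr: 87.233.175.25   # auth-ams.dnssec.denic.de
    stub-prime: no
stub-zone:
    name: "example.test"
    stub-addr: 192.0.2.53
    stub-prime: yes
"""

def parse_stub_zones(text):
    """Return a dict per stub-zone clause (assumes one "key: value" per line)."""
    zones, current = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line:
            continue
        key, _, value = line.partition(":")          # IPv6 colons stay in value
        key, value = key.strip(), value.strip().strip('"')
        if not value:                                # clause header
            current = None
            if key == "stub-zone":
                # stub-prime is off unless set, per the man page text above
                current = {"name": None, "addrs": [], "prime": False}
                zones.append(current)
        elif current is not None:
            if key == "name":
                current["name"] = value
            elif key == "stub-addr":
                current["addrs"].append(value)
            elif key == "stub-prime":
                current["prime"] = value.lower() == "yes"
    return zones

def primed_zones(text):
    """Names of stub-zones whose NS set will be primed from the zone itself."""
    return [z["name"] for z in parse_stub_zones(text) if z["prime"]]

if __name__ == "__main__":
    for z in parse_stub_zones(SAMPLE_CONF):
        print(z["name"], z["addrs"], "stub-prime:", "yes" if z["prime"] else "no")
```

Zones returned by primed_zones() are the ones where the resolver starts using the nameserver list published by the zone instead of only the listed stub-addr entries.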