[Unbound-users] Signed .de zone - temporary validation errors
Peter Koch
pk at denic.de
Wed Mar 31 22:06:55 UTC 2010
On Wed, Mar 31, 2010 at 11:44:56AM -0400, Paul Wouters wrote:
> On Wed, 31 Mar 2010, Roy Arends wrote:
>
> >>stub-zone:
> >> name: "de"
> >> stub-addr: 81.91.161.228 # auth-fra.dnssec.denic.de
> >> stub-addr: 2A02:568:0:1::53
> >> stub-addr: 87.233.175.25 # auth-ams.dnssec.denic.de
> >> stub-prime: no
> >
> >That server (81.91.161.228/87.233.175.25) will tell you that the actual
> >nameservers for .de are [cls].de.net. and [afz].nic.de. Subsequently, the
> >resolver asks one of these servers for an answer, and gets an unsigned
> >delegation. Hence the validation failure.
[...]
> Isn't that why stub-prime: no is there (and the reason why this is so hard
> to do with
> bind because it does not have the equivalent feature) ?
yes, indeed. Unbound works "despite" the apex NS RRSet pointing to the
standard non-DNSSEC aware servers. But occasionally the OPT RR is
missing (the CD bit still set) and thus no RRSIGs are returned. I'm
prepared to set some traffic dumps up next week to get a more complete
picture.
-Peter
More information about the Unbound-users
mailing list