[Unbound-users] Setting Unbound as validating resolver for stub zones

Sebastian Castro sebastian at nzrs.net.nz
Wed Feb 23 10:06:23 UTC 2011

On 02/23/2011 08:02 PM, W.C.A. Wijngaards wrote:
> Hi Sebastian,

Hi Wouter,

Your indications helped and now works, thanks. Just a quick note below.

>> stub-zone:
>> 	name: "parent"
>> 	stub-addr: A.B.C.D at 53
>> 	stub-prime: no
> Here needs to be another stub-zone: line to start another stub-zone.

Shouldn't unbound check for the correct syntax of the configuration
file? In this case is correct, but ambiguous.

>> 	name: "child1.parent"
>> 	stub-addr: A.B.C.D at 53
>> 	stub-prime: no
>> A.B.C.D is serving a signed zone for parent and child1.parent with valid
>> data (sig chasing with dig or drill works).
>> If I try querying Unbound for <SOA, parent>, I get an answer but no AD bit.
> You have to use +dnssec to get the AD bit on the reply.  If the
> signature failed you would not get a reply, so I think it validated.

What a newbie! How I missed that... thanks!

> Best regards,
>    Wouter

Sebastian Castro
DNS Specialist
.nz Registry Services (New Zealand Domain Name Registry Limited)
desk: +64 4 495 2337
mobile: +64 21 400535

More information about the Unbound-users mailing list