[Unbound-users] dnssec stripping not resulting in serv fail?
W.C.A. Wijngaards
wouter at NLnetLabs.nl
Mon Jan 10 13:40:11 UTC 2011
Hi Paul,
On 01/10/2011 02:26 PM, Paul Wouters wrote:
> There was nothing that servfailed, that was the point.
Yes, of course.
> Yes, I digged specifically for xelerance.org
It looks like unbound acted as if it was not configured with a trust
anchor, it did not try to prime its trust anchor, for example.
If you start unbound with verbosity 4 (-vvvv) it prints the trust
anchors and root hints as it is starting.
You can also examine what unbound thinks is configured with
unbound-checkconf -o auto-trust-anchor-file
and unbound-control get_option auto-trust-anchor-file
(or, dlv-anchor-file, or trust-anchor-file, or trust-anchor).
> no. It was Fedora Linux, resolv.conf not used at all
ok
> I might have made some unbound-control command errors. I don't remember.
Yeah, maybe you killed it before the TLS init succeeded.
> It just had the root key.
Weird, it does not act like it has one. I do see it go into the
validator, but then does not act like there is a root key. Or as if you
had domain-insecure: xelerance.org configured.
> Yes, I had some syntax errors before I finally had the syntax right :)
Sorry about that :-)
> I grepped for "unbound". I'll check the logs and see if some lines do not
> contain that string.
Unlikely to be there, it logs with 'unbound:' all the time. But thanks
for looking.
Best regards,
Wouter
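The configuration check suggested in the message above, wrapped into a script that flags a resolver with no trust anchor at all. This is an added example, not part of the original post or of the Unbound project; the `CHECKCONF` variable and the function names are assumptions of this example, as is the handling of a blank line as "option not set".

```shell
#!/bin/sh
# Added example: report which DNSSEC trust anchor options an unbound config sets.
# CHECKCONF is a name invented here so the tool path can be overridden.
CHECKCONF="${CHECKCONF:-unbound-checkconf}"

# The four anchor options named in the message.
ANCHOR_OPTS="auto-trust-anchor-file trust-anchor-file trust-anchor dlv-anchor-file"

# get_opt CONF OPTION: print the configured value(s), blank lines dropped.
get_opt() {
    "$CHECKCONF" -o "$2" "$1" 2>/dev/null | sed '/^[[:space:]]*$/d'
}

# anchor_report CONF: list configured anchors and domain-insecure entries.
# Returns 0 if at least one anchor option is set, 1 if none is.
anchor_report() {
    conf=$1
    found=0
    for opt in $ANCHOR_OPTS; do
        val=$(get_opt "$conf" "$opt")
        if [ -n "$val" ]; then
            found=1
            printf '%s\n' "$val" | while IFS= read -r line; do
                printf 'anchor   %s: %s\n' "$opt" "$line"
            done
        fi
    done
    # domain-insecure turns validation off below the listed names.
    insecure=$(get_opt "$conf" domain-insecure)
    if [ -n "$insecure" ]; then
        printf '%s\n' "$insecure" | while IFS= read -r line; do
            printf 'insecure %s\n' "$line"
        done
    fi
    if [ "$found" -eq 0 ]; then
        echo "no trust anchor configured: stripped signatures will not SERVFAIL"
        return 1
    fi
    return 0
}
```

Call it as `anchor_report /etc/unbound/unbound.conf` (path is an example); for the running daemon, the same options can be read with `unbound-control get_option` as described in the message.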