[Unbound-users] Can't find domainname
wouter at nlnetlabs.nl
Wed Aug 22 12:46:13 UTC 2012
On 08/22/2012 01:45 PM, Michiel Piscaer wrote:
> We can't reach the domainname gruintjes.nl, when we look into the
> logging with verbosity: 2 we got the following messages:
val-log-level: 2 shows a detailed error, here
validation failure <gruintjes.nl. A IN>: No DNSKEY record from
126.96.36.199 for key gruintjes.nl. while building chain of trust
> We are using unbound version 1.4.16.
> When we sniff the packet we do not see any problems except that the
> nameservers ns1.hix.nl and ns2.hix.nl are mentioned 8 times in the
> additional section, also the nameserver ns-3.eu. is not
There is a gruintjes.nl DS record, but the nameservers do not have any
DNSSEC information at all. I should say, the answers that I got did
not contain any DNSSEC, some imposter must have removed them and
therefore it is considered false information. But I surmise that this
is a configuration problem of gruintjes.nl: enabled DNSSEC with a DS
record in the parent but does have DNSSEC records in the zone.
> But I do not think that this would be the problem.
> So I can't find the solution on this problem?
Can you get "hix.nl" to sign gruintjes.nl (they must have this planned
since there is a DS record). Or remove the DS record.
Normally, you first sign the domain, then publish the DNSSEC records,
and only then put the DS up.
(to make your life happier, if you decide to remove the DS record, the
domain name will likely start to work very quickly (with a much lower
TTL than usual): because of the DNSSEC-bogus indication, unbound keeps
fetching fresh data for this name frequently (BIND has similar
If you have no way to engage with hix or mr.gruintjes, then there is
the config option domain-insecure: "gruintjes.nl" that would instruct
unbound to ignore DNSSEC for the domain name.
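Added example, not part of the original message or of Unbound's code: a check a zone operator could run before putting the DS up, classifying a delegation from the parent's DS set and the zone's DNSKEY set, including the "DS but no DNSKEY" state reported in this thread. The zone name example.nl and the key bytes are constructed, and only the DS-to-DNSKEY link is checked (no RRSIG verification).

```python
import base64
import hashlib
import struct

def name_to_wire(name: str) -> bytes:
    """Canonical (lowercased) wire form of a domain name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, key_b64: str) -> bytes:
    """DNSKEY RDATA: flags, protocol, algorithm, then the raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(key_b64)

def key_tag(rdata: bytes) -> int:
    """Key tag as defined in RFC 4034 Appendix B."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def make_ds(owner: str, rdata: bytes):
    """DS fields for one DNSKEY, digest type 2: (key tag, algorithm, SHA-256 hex)."""
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()
    return (key_tag(rdata), rdata[3], digest)

def delegation_state(owner, parent_ds, child_dnskeys):
    """parent_ds: list of (tag, alg, sha256 hex); child_dnskeys: list of RDATA bytes."""
    if not parent_ds:
        return "insecure"  # no DS in the parent: validators treat the zone as unsigned
    if not child_dnskeys:
        # The state in this thread: DS published, zone serves no DNSSEC records.
        return "bogus: DS in parent but no DNSKEY in zone"
    published = {make_ds(owner, k) for k in child_dnskeys}
    if any((t, a, d.lower()) in published for t, a, d in parent_ds):
        return "ok: a DS matches a DNSKEY"  # signatures are not verified here
    return "bogus: no DNSKEY matches any DS"

# Constructed key material (not a real key): algorithm 13, 64 placeholder bytes.
CONSTRUCTED_KSK = dnskey_rdata(257, 3, 13, base64.b64encode(bytes(range(64))).decode())

if __name__ == "__main__":
    zone = "example.nl."  # constructed zone name
    ds = make_ds(zone, CONSTRUCTED_KSK)
    print("signed, DS matches :", delegation_state(zone, [ds], [CONSTRUCTED_KSK]))
    print("DS up, zone unsigned:", delegation_state(zone, [ds], []))
    print("DS removed          :", delegation_state(zone, [], []))
```

Only the first state is safe to leave in place; the second is the one that makes validating resolvers return SERVFAIL for the whole zone.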