[Unbound-users] Strange validation errors for proofs of non-existence in .com, .net, .org TLD (is it due to NSEC3 opt-out or I am missing some trust anchor?)
ondrej.mikle at nic.cz
Thu Jan 3 13:08:12 UTC 2013
On 01/03/2013 09:01 AM, W.C.A. Wijngaards wrote:
> On 01/02/2013 06:31 PM, Ondrej Mikle wrote:
>>> The machine at 126.96.36.199 that sets the AD flag for optout
>>> NSEC3 NXDOMAIN fails to implement RFC5155.
>> I've just asked admins today and the 188.8.131.52 machine runs
>> unbound 1.4.6-1 from Ubuntu Lucid.
> So, it is a bug in an older version of unbound, which has already been
> fixed (ii)? Ah yes, in 1.4.7 there is this bugfix: Abide RFC5155
> section 9.2: no AD flag for replies with NSEC3 optout.
Thanks, this is likely the reason I remember the validation "working". I went
through some of the older recorded scans of .com from May and the .com NSEC3s were
'insecure' back then, too. I'd guess it will be the same with the .net TLD.
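A defender-side check for the behaviour discussed above, added here as an example and not code from the thread or from unbound: it parses a raw DNS reply with the standard library only and flags an NXDOMAIN that carries the AD bit while its authority section contains an Opt-Out NSEC3, which RFC 5155 section 9.2 forbids. The reply bytes are constructed inline; the names and values in them are made up.

```python
import struct

NSEC3_TYPE = 50       # RR type number of NSEC3
AD_FLAG = 0x0020      # Authenticated Data bit in the DNS header flags word
NSEC3_OPTOUT = 0x01   # Opt-Out bit in the NSEC3 flags field

def _skip_name(wire, pos):
    """Advance past a wire-format name (labels or a compression pointer); no decoding needed."""
    while True:
        length = wire[pos]
        if length == 0:                 # root label ends the name
            return pos + 1
        if length & 0xC0 == 0xC0:       # compression pointer: 2 bytes, ends the name
            return pos + 2
        pos += 1 + length

def check_optout_ad(wire):
    """Return (rcode, ad_set, optout_seen, violation) for one DNS reply in wire format.
    RFC 5155 section 9.2: an NXDOMAIN proven via an Opt-Out NSEC3 span is Insecure,
    so a validating resolver must not set AD on it."""
    _id, flags, qd, an, ns, ar = struct.unpack("!6H", wire[:12])
    rcode, ad_set = flags & 0x000F, bool(flags & AD_FLAG)
    pos = 12
    for _ in range(qd):
        pos = _skip_name(wire, pos) + 4          # skip QTYPE and QCLASS
    optout_seen = False
    for _ in range(an + ns + ar):
        pos = _skip_name(wire, pos)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", wire[pos:pos + 10])
        rdata = wire[pos + 10:pos + 10 + rdlen]
        pos += 10 + rdlen
        # NSEC3 RDATA layout: hash alg (1), flags (1), iterations (2), salt, hash, bitmap
        if rtype == NSEC3_TYPE and len(rdata) >= 2 and rdata[1] & NSEC3_OPTOUT:
            optout_seen = True
    violation = rcode == 3 and ad_set and optout_seen   # NXDOMAIN + AD + Opt-Out
    return rcode, ad_set, optout_seen, violation

def constructed_sample(ad=True):
    """Constructed NXDOMAIN reply (not a real capture): one Opt-Out NSEC3 in authority."""
    flags = 0x8183 | (AD_FLAG if ad else 0)      # QR, RD, RA, rcode=3 (+AD if asked)
    header = struct.pack("!6H", 0x1234, flags, 1, 0, 1, 0)
    question = b"\x0cdoesnotexist\x07example\x00" + struct.pack("!HH", 1, 1)
    rdata = (bytes([1, NSEC3_OPTOUT]) + struct.pack("!H", 0) + b"\x00"   # alg, flags, iter, no salt
             + b"\x14" + b"\x00" * 20 + b"\x00\x01\x40")                 # 20-byte hash, type bitmap
    owner = b"\xc0\x19"                                 # pointer to "example." at offset 25
    rr = owner + struct.pack("!HHIH", NSEC3_TYPE, 1, 3600, len(rdata)) + rdata
    return header + question + rr
```

Feeding it a reply captured from a resolver (for example the raw bytes of a query for a non-existent name under an opt-out signed zone) shows whether that resolver has the pre-1.4.7 behaviour described in the thread.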