[Unbound-users] Strange validation errors for proofs of non-existence in .com, .net, .org TLD (is it due to NSEC3 opt-out or I am missing some trust anchor?)

Ondrej Mikle ondrej.mikle at nic.cz
Thu Jan 3 13:08:12 UTC 2013

On 01/03/2013 09:01 AM, W.C.A. Wijngaards wrote:
> On 01/02/2013 06:31 PM, Ondrej Mikle wrote:
>>> The machine at that sets the AD flag for optout
>>> NSEC3 NXDOMAIN fails to implement RFC5155.
>> I've just asked admins today and the machine runs
>> unbound 1.4.6-1 from Ubuntu Lucid.
> So, it is a bug in an older version of unbound, which has already been
> fixed (ii)?  Ah yes, in 1.4.7 there is this bugfix: Abide RFC5155
> section 9.2: no AD flag for replies with NSEC3 optout.

Thanks, this is likely the reason I remember the validation "working". I went
through some of the older recorded scans of .com from May and the .com NSEC3s were
'insecure' back then, too. I'd guess it will be the same with .net TLD.

