[Unbound-users] dfas.mil DNSSEC Failure

Phil Mayers p.mayers at imperial.ac.uk
Fri Jun 28 14:24:31 UTC 2013

On 28/06/13 15:20, Phil Mayers wrote:
> On 28/06/13 14:47, Ehren Hawks wrote:
>> Their Unbound server fails just as mine do, but their BIND server
>> returns the A record. I’m reluctant to disable DNSSEC validation over
>> this one domain, considering there appears to be an actual problem.
>> Considering BIND as well as Google’s public DNS are validating this site
>> OK I figured it was worth bringing up.
>> Any feedback is appreciated!
> It's working for me from here (bind 9.9, DNSSEC-validating). They might
> have fixed it - try flushing your cache or restarting unbound.

Just to add, it looks like they may have moved to NSEC3 recently. I've 
seen big problems when sites do this - lots of people seem to forget 
that changing key algorithms is a KSK rollover and comes with very tight 
TTL constraints; I note the TTLs on the DNSKEY in-zone are 86400. I bet 
they got over-keen and resigned too quickly.
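
The failure mode Phil describes, as an added worked model (not code from this thread, nor from Unbound or BIND): a validating resolver that cached the old apex DNSKEY RRset keeps it for the full 86400-second TTL, and any RRSIG made by a key that is not in that cached set cannot be verified. The zone timelines, key tags (11111 and 22222), algorithm numbers (5 and 7) and the 300-second A-record TTL are constructed assumptions; the DS swap at the parent and the NSEC/NSEC3 chain are deliberately left out of the model.

```python
"""Toy model of a DNSSEC algorithm change as seen from a validating resolver.

Constructed example; it models only the apex DNSKEY RRset and the RRSIGs over
one A record. Key tags, algorithm numbers, TTLs and timings are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

DNSKEY_TTL = 86400   # the in-zone DNSKEY TTL noted in the thread
A_TTL = 300          # assumed short TTL on the A record being validated


@dataclass(frozen=True)
class Key:
    algorithm: int   # DNSSEC algorithm number (5 = RSASHA1, 7 = RSASHA1-NSEC3-SHA1)
    keytag: int


@dataclass(frozen=True)
class ZoneVersion:
    start: int                 # seconds at which this version went live
    dnskeys: FrozenSet[Key]    # apex DNSKEY RRset served by the authoritative
    signers: FrozenSet[Key]    # keys that produced the RRSIGs over the A record


def zone_at(timeline: List[ZoneVersion], now: int) -> ZoneVersion:
    """The zone version an authoritative server serves at time `now`."""
    live = [v for v in timeline if v.start <= now]
    return max(live, key=lambda v: v.start)


class Resolver:
    """Validating resolver with a TTL-respecting cache for DNSKEY and A RRsets."""

    def __init__(self) -> None:
        self.cache: Dict[str, Tuple[FrozenSet[Key], int]] = {}  # name -> (data, expiry)

    def _cached(self, name: str, now: int) -> Optional[FrozenSet[Key]]:
        entry = self.cache.get(name)
        if entry is not None and now < entry[1]:
            return entry[0]
        return None

    def dnskeys(self, timeline: List[ZoneVersion], now: int) -> FrozenSet[Key]:
        keys = self._cached("DNSKEY", now)
        if keys is None:
            keys = zone_at(timeline, now).dnskeys
            self.cache["DNSKEY"] = (keys, now + DNSKEY_TTL)
        return keys

    def validate_a(self, timeline: List[ZoneVersion], now: int) -> bool:
        """True if some RRSIG on the A record was made by a key in the cached DNSKEY set."""
        signers = self._cached("A", now)
        if signers is None:
            signers = zone_at(timeline, now).signers
            self.cache["A"] = (signers, now + A_TTL)
        trusted = self.dnskeys(timeline, now)
        return any(k in trusted for k in signers)


OLD = Key(algorithm=5, keytag=11111)   # constructed
NEW = Key(algorithm=7, keytag=22222)   # constructed


def hasty_timeline(switch_at: int = 3600) -> List[ZoneVersion]:
    """Change algorithm and resign in one step: no overlap with the old DNSKEY RRset."""
    return [
        ZoneVersion(0, frozenset({OLD}), frozenset({OLD})),
        ZoneVersion(switch_at, frozenset({NEW}), frozenset({NEW})),
    ]


def conservative_timeline(start: int = 3600) -> List[ZoneVersion]:
    """Pre-publish the new key and double-sign, then wait a full DNSKEY TTL before
    dropping the old key. RFC 6781 additionally introduces the new signatures before
    the new DNSKEY and swaps the parent DS in between; those steps are omitted here."""
    return [
        ZoneVersion(0, frozenset({OLD}), frozenset({OLD})),
        ZoneVersion(start, frozenset({OLD, NEW}), frozenset({OLD, NEW})),
        ZoneVersion(start + DNSKEY_TTL, frozenset({NEW}), frozenset({NEW})),
    ]


def outcome(timeline: List[ZoneVersion], first_query: int, check_at: int) -> bool:
    """Prime a fresh resolver's cache at `first_query`, then validate again at `check_at`."""
    r = Resolver()
    r.validate_a(timeline, first_query)
    return r.validate_a(timeline, check_at)


if __name__ == "__main__":
    print("hasty, cached old DNSKEY, checked 2h later:", outcome(hasty_timeline(), 0, 7200))
    print("conservative, same resolver:", outcome(conservative_timeline(), 0, 7200))
    print("conservative, cached just before the change, checked a TTL later:",
          outcome(conservative_timeline(), 3599, 89998))
```

In the hasty timeline a resolver that fetched the DNSKEY RRset any time in the 24 hours before the resign still holds only the algorithm-5 key when the A record's short TTL expires and the new algorithm-7 signature arrives, so validation fails until its DNSKEY entry ages out; a resolver that happened to fetch after the change (or a non-caching one) sees no problem, which matches the mixed results reported in the thread. The conservative timeline keeps the old key published and signing for one full DNSKEY TTL after the new key appears, so no cached DNSKEY set can outlive the signatures it can verify.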
