[Unbound-users] Strange validation failures for some wildcard CNAMEs

Ondřej Caletka ondrej at caletka.cz
Mon Sep 22 10:58:23 UTC 2014

Dne 17.9.2014 16:05, Ondřej Caletka napsal(a):
> Hi,
> I'm having an issue with validating particular domain names:
> $ dig _25._tcp.mail.relia-pc.cz tlsa
> $ dig _443._tcp.kinderporno.cz tlsa
>  - validates with BIND, fails with Unbound 1.4.21
>  - unbound-host says that cname proof failed
> I'm suspecting that there is something wrong on the authoritative side
> since both domains are hosted on the same set of servers. But I'm not
> able to figure out, what exactly is wrong and how the answers should
> look like to be validated successfully by Unbound.

Hello again,

I think I've found answer in DANE WG ML:

Looks like the issue is actually caused by bad wildcard DNSSEC
processing in djbdns.

Thanks for help.

Ondřej Caletka

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4287 bytes
Desc: Elektronicky podpis S/MIME
URL: <http://lists.nlnetlabs.nl/pipermail/unbound-users/attachments/20140922/8bae1a20/attachment.bin>

More information about the Unbound-users mailing list