cannot resolv

A. Schulze sca at
Fri Aug 26 12:54:16 UTC 2016

W.C.A. Wijngaards via Unbound-users:

> The domain responds with a DNSSEC-signed NXDOMAIN for, and
> thus cannot exist.  With qname-minimisation unbound then
> stops.
> Qname minimisation in unbound assumes that dnssec signed domains will
> do their NXDOMAIN correctly.  (Note the replay possibility on that
> NSEC3 signed domain to its subdomains).  There are also various
> internet drafts (RFCs) in progress that say that nodes under an
> NXDOMAIN node do not exist.
> So, these people should fix their implementation.  It is not safe.
> Someone may remove their MX (mail server) addresses, and gain DNSSEC
> validity.  And could do that too with TLSA and claim it was unsecure
> (vis a vis TLSA mailserver security).

Thanks for the explanation.

> domain-insecure: "" and may be a suitable workaround.
That alone does not help. I now forward the domain to another, less
restrictive resolver.
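
A toy model of the failure discussed in this thread, added here as an example and not part of either message or of Unbound's code: an authoritative server that answers NXDOMAIN for an empty non-terminal, queried with and without qname minimisation. The zone, the names under `example.test.`, the function names and the use of NS as the probe type are assumptions of the model, and DNSSEC validation is not modelled.

```python
# Added illustration: qname minimisation meeting an authoritative server
# that answers NXDOMAIN for an empty non-terminal (ENT).
# Zone data and names are constructed; no network access is used.

ZONE = {  # constructed zone: owner name -> record types present
    "example.test.": {"SOA", "NS"},
    "mail.sub.example.test.": {"A"},
}

def is_empty_non_terminal(name):
    """True if name has no records itself but an existing name lies below it."""
    return name not in ZONE and any(n.endswith("." + name) for n in ZONE)

def authoritative(name, qtype, broken):
    """Return (rcode, has_answer). broken=True mimics the faulty server."""
    if name in ZONE:
        return "NOERROR", qtype in ZONE[name]
    if is_empty_non_terminal(name) and not broken:
        return "NOERROR", False          # correct: NODATA, the name exists
    return "NXDOMAIN", False             # wrong for an ENT, right otherwise

def resolve(qname, qtype, apex, minimise, broken):
    """Resolve qname below apex; returns (rcode, has_answer, queries_sent)."""
    sent = []
    if minimise:
        # Reveal one more label per query, starting just below the apex.
        extra = qname[: -len(apex)].rstrip(".").split(".")
        for i in range(len(extra) - 1, 0, -1):
            probe = ".".join(extra[i:]) + "." + apex
            sent.append((probe, "NS"))
            rcode, _ = authoritative(probe, "NS", broken)
            if rcode == "NXDOMAIN":
                # Nothing can exist below an NXDOMAIN name: stop here.
                return "NXDOMAIN", False, sent
    sent.append((qname, qtype))
    rcode, ok = authoritative(qname, qtype, broken)
    return rcode, ok, sent

if __name__ == "__main__":
    for minimise in (False, True):
        for broken in (False, True):
            print(minimise, broken,
                  resolve("mail.sub.example.test.", "A", "example.test.",
                          minimise, broken))
```

Only the combination of a minimising resolver and the faulty server fails, which matches the report: a resolver that sends the full name never asks about the intermediate label and so never sees the bad NXDOMAIN.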

