wildcard dnssec test fails

Thu Dec 14 05:03:58 UTC 2017

On Thu, 14 Dec 2017, Sebastian Schmidt via Unbound-users wrote:

> I’ve unbound setup on FreeBSD 11.1 and I can’t figure out why "drill www.wilda.nsec.0skar.cz" gives SERVFAIL. The domain is from this (http://0skar.cz/dns/en) test site where it reports
> three failures (2a, 2b and 4). Any help would be appreciated.

It does not fail for me:

$ dig www.wilda.nsec.0skar.cz

; <<>> DiG 9.9.4-RedHat-9.9.4-51.el7_4.1 <<>> www.wilda.nsec.0skar.cz
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18098
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.wilda.nsec.0skar.cz.	IN	A

;; ANSWER SECTION:
www.wilda.nsec.0skar.cz. 300	IN	CNAME	flexi.oskarcz.net.
flexi.oskarcz.net.	3599	IN	A	85.239.227.179

Is your unbound configured to use another DNS as forwarder? There are
some older known bugs that fail in some corner cases with older
forwarders.

Paul