wildcard dnssec test fails
Sebastian Schmidt
publicarray at posteo.net
Fri Dec 15 09:19:33 UTC 2017
On 15 December 2017 at 6:09:19 pm, W.C.A. Wijngaards via Unbound-users (unbound-users at unbound.net) wrote:
When I run unbound-host, I get no errors,
./unbound-host www.wilda.nsec.0skar.czwww.wilda.nsec.0skar.cz -f
root.key -v -t A
www.wilda.nsec.0skar.czwww.wilda.nsec.0skar.cz has address
85.239.227.179 (secure)
Unbound performs serial arithmatic on the timestamps in the rrsig,
according to RFC.
(What does that mean? The timestamps are 32bit in the RRSIG, but the
value is interpreted relative to the current date. And what you cannot
do is express something like a point more than some number of years
future or past.)
Best regards, Wouter
Hello Wouter,
Thanks for the insight. Maybe this has something to with the platform?
CentOS 6.9:
$ unbound-host -v -f /etc/unbound/root.key -t A www.wilda.nsec.0skar.cz
www.wilda.nsec.0skar.cz is an alias for flexi.oskarcz.net. (secure)
flexi.oskarcz.net has address 85.239.227.179 (secure)
MacOS 10.13.2 (High Sierra):
$ unbound-host -v -t A -f /usr/local/etc/unbound/root.key www.wilda.nsec.0skar.cz
www.wilda.nsec.0skar.cz is an alias for flexi.oskarcz.net. (BOGUS (security failure))
flexi.oskarcz.net has address 85.239.227.179 (BOGUS (security failure))
validation failure <www.wilda.nsec.0skar.cz. A IN>: signature inception after expiration from 85.239.227.179 for key nsec.0skar.cz. while building chain of trust
FreeBSD 11.1:
$ unbound-host -v -f /usr/local/etc/unbound/root.key -t A www.wilda.nsec.0skar.cz
www.wilda.nsec.0skar.cz is an alias for flexi.oskarcz.net. (BOGUS (security failure))
flexi.oskarcz.net has address 85.239.227.179 (BOGUS (security failure))
validation failure <www.wilda.nsec.0skar.cz. A IN>: signature inception after expiration from 2001:1528:132:70::1 for key nsec.0skar.cz. while building chain of trust
Kind Regards
Sebastian
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nlnetlabs.nl/pipermail/unbound-users/attachments/20171215/eeed6beb/attachment.htm>
More information about the Unbound-users
mailing list