Validation failure signature crypto failed

Jac Backus j.backus at
Wed Jan 25 20:57:09 UTC 2017

Thanks, Casey, for the explanation.

I wondered if it was, because the zone was only signed partially. So it shows only the A record, because that is all that is signed. And the TXT record is not signed. 
But I suppose that may not even be possible.


-----Oorspronkelijk bericht-----
Van: Casey Deccio [mailto:casey at] 
Verzonden: woensdag 25 januari 2017 20:19
Aan: Jac Backus
CC: A. Schulze; unbound-users at
Onderwerp: Re: Validation failure signature crypto failed

> On Jan 25, 2017, at 3:35 AM, Jac Backus via Unbound-users <unbound-users at> wrote:
> Why does dnsviz not show the TXT record without selecting it in Advanced?

It was simply a choice of efficiency.  By default queries for MX, TXT, NS, and SOA are only issued if the name is a zone apex because it is more common to see those records at a zone apex.  It would be a bit slower and require more storage to keep track of the less common case.  The option of specifying TXT (and others) allows some flexibility beyond the defaults.


More information about the Unbound-users mailing list