nsec3 issue (sec_status_insecure) unbound 1.9.1

Stefan Kublinski kublinski at
Sun Apr 28 12:07:23 UTC 2019


I have an issue with unbound 1.9.1.

I am trying to get tlsa records from domain
but this fails with unbound. DNSSEC validation tools report no issues
with that domain though.

query: $ dig -t tlsa @::1 +dnssec
which yields NXDOMAIN and no tlsa records, but with Google Public DNS
$ dig -t tlsa @ +dnssec
I do get tlsa records with ad flag

Excerpt from unbound log:

Apr 28 12:56:13 desktop unbound[17175]: [17175:0] info: validator operate: query TLSA IN
Apr 28 12:56:13 desktop unbound[17175]: [17175:0] debug: NameError response failed nsec, nsec3 proof was sec_status_insecure
Apr 28 12:56:13 desktop unbound[17175]: [17175:0] info: validate(nxdomain): sec_status_insecure

But Google Public DNS and DNSSEC validation tools[1] have/report no
issues though.

[1] and

I have this issue with unbound 1.9.1 from Arch repo.

With unbound 1.9.0 from Debian testing repo it works just fine.

So is this a bug with unbound 1.9.1 or do the others not validate properly?

Regards Stefan
