Odd SERVFAIL at insecure delegation

T.Suzuki tss at reflection.co.jp
Wed Nov 4 02:02:23 UTC 2020


On Tue, 3 Nov 2020 15:59:20 -0500
Viktor Dukhovni via Unbound-users <unbound-users at lists.nlnetlabs.nl> wrote:

> On Tue, Nov 03, 2020 at 02:39:19PM +0900, T.Suzuki wrote:
> 
> > 
> > Insecure.mufj.jp is a domain with an insecure delegation from the mufj.jp zone.
> > Insecure.mufj.jp is delegated to ns3.mufj.jp,
> > but ns3 has a private (?) mufj.jp zone instead of an insecure.mufj.jp zone.
> > Insecure.mufj.jp has a CNAME and an RRSIG (but no DS record in mufj.jp).
> > 
> > With this configuration, Unbound returns SERVFAIL for insecure.mufj.jp.
> > BIND, Knot Resolver, and PowerDNS Recursor return NOERROR.
> 
> One of the nameservers is returning bad data:
> 
>     https://dnsviz.net/d/insecure.mufj.jp/X6HDgw/dnssec/
> 
> This can lead to sporadic validation failures.

I know that. I set it up that way on purpose.
The question is why Unbound does signature verification for an insecure
delegation.

-- 
------------------------------------------------------------------------------
T.Suzuki 

