Odd SERVFAIL at insecure delegation
T.Suzuki
tss at reflection.co.jp
Wed Nov 4 02:02:23 UTC 2020
On Tue, 3 Nov 2020 15:59:20 -0500
Viktor Dukhovni via Unbound-users <unbound-users at lists.nlnetlabs.nl> wrote:
> On Tue, Nov 03, 2020 at 02:39:19PM +0900, T.Suzuki wrote:
>
> >
> > Insecure.mufj.jp is a domain with an insecure delegation from the mufj.jp zone.
> > Insecure.mufj.jp is delegated to ns3.mufj.jp,
> > but ns3 has a private(?) mufj.jp zone instead of an insecure.mufj.jp zone.
> > Insecure.mufj.jp has a CNAME and an RRSIG (but no DS record in mufj.jp).
> >
> > With this configuration, Unbound returns SERVFAIL for insecure.mufj.jp.
> > BIND, Knot Resolver, PowerDNS Recursor return NOERROR.
>
> One of the nameservers is returning bad data:
>
> https://dnsviz.net/d/insecure.mufj.jp/X6HDgw/dnssec/
>
> This can lead to sporadic validation failures.
I know that. I set it up that way on purpose.
The question is why Unbound does signature verification for an insecure
delegation.
--
------------------------------------------------------------------------------
T.Suzuki
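
The security-status classification that the question above relies on, as an added example that is not part of the original message and is not Unbound's code. It follows the DNSSEC model of RFC 4033/4035; the DS states in `ZONE_CUTS` and all function names are assumptions constructed from the thread's description, not live DNS data.

```python
# Added example: models DNSSEC security-status classification (RFC 4033/4035).
# Not Unbound's code; names and data below are hypothetical/constructed.
from enum import Enum

class DS(Enum):
    PRESENT = "DS present and validated"
    PROVEN_ABSENT = "authenticated NSEC/NSEC3 proves there is no DS"
    UNPROVEN = "no DS and no valid proof of absence"

class Status(Enum):
    SECURE = "secure"
    INSECURE = "insecure"
    BOGUS = "bogus"

# Constructed view of the zone cuts between the root trust anchor and the name.
ZONE_CUTS = {
    "jp.": DS.PRESENT,
    "mufj.jp.": DS.PRESENT,                 # assumption: parent zone is signed
    "insecure.mufj.jp.": DS.PROVEN_ABSENT,  # "no DS record in mufj.jp"
}

def ancestors(qname):
    """Yield names from the TLD down to qname: jp., mufj.jp., ..."""
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels) - 1, -1, -1):
        yield ".".join(labels[i:]) + "."

def classify(qname, cuts):
    """Walk down from the trust anchor; return (status, cut that decided it)."""
    for name in ancestors(qname):
        state = cuts.get(name)
        if state is None:             # not a zone cut: same zone as its parent
            continue
        if state is DS.PROVEN_ABSENT:  # chain of trust ends here by design
            return Status.INSECURE, name
        if state is DS.UNPROVEN:       # DS may have been stripped in transit
            return Status.BOGUS, name
    return Status.SECURE, None

def must_verify_rrsig(qname, cuts):
    """In this model, RRSIGs are checked only where the chain of trust reaches."""
    status, _ = classify(qname, cuts)
    return status is Status.SECURE

if __name__ == "__main__":
    for q in ("mufj.jp.", "insecure.mufj.jp."):
        print(q, classify(q, ZONE_CUTS), must_verify_rrsig(q, ZONE_CUTS))
```

The `UNPROVEN` case is kept separate because a missing DS without an authenticated denial must not be treated as an insecure delegation.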