Domain does not validate
Tony Finch
dot at dotat.at
Thu May 27 21:00:08 UTC 2021
Rainer Duffner via Unbound-users <unbound-users at lists.nlnetlabs.nl> wrote:
>
> I have a setup where unbound is behind BIND 9.11 (due to RPZ handling).
>
> In this setup, unbound cannot resolve one particular domain: nkb.ch due to DNSSEC failure.
>
> However, BIND does correctly resolve the domain.
Well, dnsviz agrees with unbound that the zone's DS RRset doesn't match
its DNSKEY RRset. https://dnsviz.net/d/nkb.ch/dnssec/
It looks like your BIND upstream is not configured to validate (i.e. its
configuration lacks `dnssec-validate auto;`) because your logs say that
the response to unbound's nkb.ch DS query did not have the "ad"
(authenticated data) bit set.
So I think both BIND and Unbound are correct, but their configurations
disagree about what is correct.
Tony.
--
f.anthony.n.finch <dot at dotat.at> https://dotat.at/
Malin, South Hebrides: Southeasterly 3 to 5, becoming variable 2 to 4.
Slight or moderate, occasionally rough at first in west. Rain. Good,
occasionally moderate.
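To check the condition Tony describes (whether the upstream resolver sets the "ad" bit on a DS reply), here is an added example, not from the thread or from either project: it sends a DS query with the DO bit over plain UDP and reads the reply's header flags. The resolver address, query id and the reply bytes used in the comments are assumptions.

```python
import socket
import struct

DS_TYPE = 43          # RR type for DS
OPT_TYPE = 41         # EDNS0 OPT pseudo-RR
DO_FLAG = 0x8000      # "DNSSEC OK" in the OPT TTL field
AD_BIT = 0x0020       # Authenticated Data bit in the header flags
QUERY_ID = 0x1234     # fixed id for this example (assumed value)

def build_ds_query(name, qid=QUERY_ID):
    """Build a wire-format DS query for `name` with RD set and an OPT RR carrying DO."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)  # RD=1, one question, one additional
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", DS_TYPE, 1)          # class IN
    # OPT RR: root name, type 41, UDP payload 4096, ext-rcode 0, version 0, flags=DO, rdlen 0
    opt = b"\x00" + struct.pack("!HHBBHH", OPT_TYPE, 4096, 0, 0, DO_FLAG, 0)
    return header + question + opt

def response_flags(resp):
    """Decode the header of a reply into the flags that matter for validation."""
    if len(resp) < 12:
        raise ValueError("truncated DNS header")
    qid, flags = struct.unpack("!HH", resp[:4])
    return {
        "id": qid,
        "qr": bool(flags & 0x8000),   # must be a response
        "ad": bool(flags & AD_BIT),   # set only when the resolver validated the answer
        "rcode": flags & 0x000F,      # 0 NOERROR, 2 SERVFAIL, 3 NXDOMAIN
    }

def judge(flags):
    """Turn decoded flags into the verdict an operator wants to read."""
    if flags["rcode"] == 2:
        return "SERVFAIL: upstream could not answer (possibly failed validation itself)"
    if flags["ad"]:
        return "AD set: upstream validated the DS RRset"
    return "AD clear: upstream answered without validating (Unbound will not trust it)"

def probe_upstream(server, name, timeout=3.0):
    """Send the DS query to `server` on UDP/53 and return the decoded header flags."""
    query = build_ds_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        data, _ = sock.recvfrom(4096)
    flags = response_flags(data)
    if flags["id"] != QUERY_ID or not flags["qr"]:
        raise ValueError("reply does not match our query")
    return flags

if __name__ == "__main__":
    # 192.0.2.53 is a documentation address standing in for the BIND upstream (assumed).
    print(judge(probe_upstream("192.0.2.53", "nkb.ch")))
```

The AD bit is only meaningful from a resolver you trust and reach over a trusted path, which is exactly why Unbound expects its forwarder to validate rather than accepting the bit blindly.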