Domain does not validate

Tony Finch dot at
Thu May 27 21:00:08 UTC 2021

Rainer Duffner via Unbound-users <unbound-users at> wrote:
> I have a setup where unbound is behind BIND 9.11 (due to RPZ handling).
> In this setup, unbound cannot resolve one particular domain: due to DNSSEC failure.
> However, BIND does correctly resolve the domain.

Well, dnsviz agrees with unbound that the zone's DS RRset doesn't match
its DNSKEY RRset.

It looks like your BIND upstream is not configured to validate (i.e. its
configuration lacks `dnssec-validate auto;`) because your logs say that
the response to unbound's DS query did not have the "ad"
(authenticated data) bit set.

So I think both BIND and Unbound are correct, but their cnofigurations
disagree about what is correct.

f.anthony.n.finch  <dot at>
Malin, South Hebrides: Southeasterly 3 to 5, becoming variable 2 to 4.
Slight or moderate, occasionally rough at first in west. Rain. Good,
occasionally moderate.

More information about the Unbound-users mailing list