Shahab Yassemi wrote:
> Hi,
>
> would you please help me and tell why is this unsecure? I used 4
> -d for debug and here is the result: (I added the key to trust
> anchor in unbound.conf and dig returns servfail) thanks a lot.

The reason that unbound-host returns insecure is because you did not
give unbound-host a trust anchor.

dig returns servfail? That means the problem is not with unbound at
all, but with the authority server - it gives servfail for DNSKEY lookups.

> root at shahab-desktop:~# unbound-host -r -d -d -d -d com -v

Can you load the trust anchor into unbound-host:

unbound-host -r -d -d -d -d com -v -y "com. IN DNSKEY 257 3 5 AwEAAbf7W22wjbzQ25cp23q4Kp7QdEOUWiPm5kDVvE2kOUYCyFUI04oI EA2zs1i0jHfaTDxkEOQa810eqgBJQAuCyv0="

And then try again? It should print out the packet it got back when
asking for the DNSKEY - just like the dig commandline.

Paul told you to nsdc rebuild and then nsdc reload. Did you do that?

Best regards,
Wouter
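An added example, not part of the original message or of the Unbound project: Python code that parses the trust anchor string passed to -y above and reports its flags, algorithm, RSA parameters and key tag (RFC 4034, Appendix B), so the anchor can be compared with the DNSKEY the authority server returns. The function names and the algorithm table are assumptions of this example.

```python
import base64
import struct

# Trust anchor copied from the -y option in the message above.
ANCHOR = ("com. IN DNSKEY 257 3 5 "
          "AwEAAbf7W22wjbzQ25cp23q4Kp7QdEOUWiPm5kDVvE2kOUYCyFUI04oI "
          "EA2zs1i0jHfaTDxkEOQa810eqgBJQAuCyv0=")

# Subset of the IANA DNSSEC algorithm numbers (assumed sufficient for this example).
ALGORITHMS = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256", 10: "RSASHA512"}

def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA, RFC 4034 Appendix B (not valid for algorithm 1)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def parse_anchor(text: str) -> dict:
    """Parse '<owner> [ttl] IN DNSKEY <flags> <proto> <alg> <base64...>'."""
    fields = text.split()
    try:
        i = fields.index("DNSKEY")
        flags, protocol, algorithm = (int(f) for f in fields[i + 1:i + 4])
    except ValueError as exc:
        raise ValueError("not a DNSKEY record in presentation format") from exc
    # The base64 key may be split by whitespace, as it is in the message.
    key = base64.b64decode("".join(fields[i + 4:]), validate=True)
    if protocol != 3 or not key:
        raise ValueError("DNSKEY needs protocol 3 and a non-empty public key")
    info = {
        "owner": fields[0],
        "flags": flags,
        "zone_key": bool(flags & 0x0100),  # bit 7: key may sign zone data
        "sep": bool(flags & 0x0001),       # bit 15: secure entry point (KSK)
        "algorithm": ALGORITHMS.get(algorithm, str(algorithm)),
        "key_tag": key_tag(struct.pack("!HBB", flags, protocol, algorithm) + key),
    }
    if algorithm in ALGORITHMS:  # all listed algorithms use the RFC 3110 RSA layout
        elen, off = key[0], 1
        if elen == 0:            # long form: two-byte exponent length
            elen, off = struct.unpack("!H", key[1:3])[0], 3
        info["exponent"] = int.from_bytes(key[off:off + elen], "big")
        info["modulus_bits"] = int.from_bytes(key[off + elen:], "big").bit_length()
    return info

if __name__ == "__main__":
    for name, value in parse_anchor(ANCHOR).items():
        print(f"{name}: {value}")
```

The key tag printed here is the value to look for in the "key id" that dig +multiline shows for the zone's DNSKEY records.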