Maintained by: NLnet Labs

[Unbound-users] Error validating mx.smtp.cz

Ondřej Surý
Thu Oct 23 11:03:35 CEST 2008


Hi,

I got report from one of our registrars, that there is a problem
with validating mx.smtp.cz, which validates just fine on bind9.

[1224510842] unbound[30691:0] info: super is <mx.smtp.cz. A IN>
[1224510842] unbound[30691:0] debug: attempt DS match algo 5 keytag 28371
[1224510842] unbound[30691:0] debug: DS match digest ok, trying signature
[1224510842] unbound[30691:0] debug: verify: wrong key for rrsig
[1224510842] unbound[30691:0] debug: rrset failed to verify: all
signatures are bogus
[1224510842] unbound[30691:0] debug: Failed to match any usable DS to a DNSKEY.
[1224510842] unbound[30691:0] info: Did not match a DS to a DNSKEY, thus bogus.
[1224510842] unbound[30691:0] debug: validator[module 0] operate:
extstate:module_wait_subquery event:module_event_pass
[1224510842] unbound[30691:0] info: validator operate: query <mx.smtp.cz. A IN>
[1224510842] unbound[30691:0] debug: val handle processing q with
state VAL_VALIDATE_STATE
[1224510842] unbound[30691:0] info: Could not establish a chain of
trust to keys for <smtp.cz. DNSKEY IN>
[1224510842] unbound[30691:0] debug: val handle processing q with
state VAL_FINISHED_STATE
[1224510842] unbound[30691:0] debug: mesh_run: validator module exit
state is module_finished

and

[1224661793] unbound[11166:0] debug: attempt DS match algo 5 keytag 28371
[1224661793] unbound[11166:0] debug: DS match digest ok, trying signature
[1224661793] unbound[11166:0] debug: verify: wrong key for rrsig

They tried last SVN and still without success.  Wouter, could you take
a look at this?  I manually checked if everything is OK and it looks ok
for my plain sight.

Ondrej
-- 
Ondřej Surý <ondrej at sury.org>