Maintained by: NLnet Labs

[Unbound-users] unbound servfail

Shahab Yassemi
Tue Sep 30 07:49:14 CEST 2008


Hi,

  I see my com zone on the other system, but I cannot configure
DNSSEC, and when I add the
trust anchor my dig returns SERVFAIL. My config file is like this
(I am sure that the DNSKEY is right):

server:
       verbosity: 4
       interface: 0.0.0.0
       port: 53
       do-ip4: yes
       do-ip6: yes
       do-udp: yes
       do-tcp: yes
       do-daemonize: yes
       access-control: 0.0.0.0/0 allow
       #access-control: 0.0.0.0/0 refuse
       #access-control: 127.0.0.0/8 allow
       trust-anchor: "com. IN DNSKEY 257 3 5 AwEAAbf7W22wjbzQ25cp23q4Kp7QdEOUWiPm5kDVvE2kOUYCyFUI04oI EA2zs1i0jHfaTDxkEOQa810eqgBJQAuCyv0="

       #trust-anchor-file: "/var/unbound/Kcom.db.+005+56464.key"
       #trust-anchor-file: "/var/unbound/Kcom.db.+005+12993.key"
       chroot: "/var/unbound"
       username: "unbound"
       directory: "/var/unbound"
       use-syslog: yes
       pidfile: "/var/run/unbound.pid"
       root-hints: "/var/unbound/named.cache"
       stub-zone:
               name: "com"
               stub-addr: 192.168.1.2




And this is the response of unbound-host (-d -v -r -f with the KSK address):

[1222713721] libunbound[27451:0] notice: init module 0: validator
[1222713721] libunbound[27451:0] notice: init module 1: iterator
[1222713721] libunbound[27451:0] info: resolving <com. A IN>
[1222713721] libunbound[27451:0] info: response for <com. A IN>
[1222713721] libunbound[27451:0] info: reply from <.> 192.168.1.3#53
[1222713721] libunbound[27451:0] info: query response was ANSWER
[1222713721] libunbound[27451:0] info: prime trust anchor
[1222713721] libunbound[27451:0] info: resolving <com. DNSKEY IN>
[1222713721] libunbound[27451:0] info: response for <com. DNSKEY IN>
[1222713721] libunbound[27451:0] info: reply from <.> 192.168.1.3#53
[1222713721] libunbound[27451:0] info: query response was ANSWER
[1222713721] libunbound[27451:0] info: validate keys with
anchor(DNSKEY): sec_status_bogus
[1222713721] libunbound[27451:0] info: failed to prime trust anchor --
could not fetch secure DNSKEY rrset <com. DNSKEY IN>
[1222713721] libunbound[27451:0] info: Could not establish validation
of INSECURE status of unsigned response.
com has address 192.168.1.2 (BOGUS (security failure))
[1222713721] libunbound[27451:0] info: resolving <com. AAAA IN>
[1222713721] libunbound[27451:0] info: response for <com. AAAA IN>
[1222713721] libunbound[27451:0] info: reply from <.> 192.168.1.3#53
[1222713721] libunbound[27451:0] info: query response was ANSWER
[1222713721] libunbound[27451:0] info: prime trust anchor
[1222713721] libunbound[27451:0] info: resolving <com. DNSKEY IN>
[1222713721] libunbound[27451:0] info: validate keys with
anchor(DNSKEY): sec_status_bogus
[1222713721] libunbound[27451:0] info: failed to prime trust anchor --
could not fetch secure DNSKEY rrset <com. DNSKEY IN>
[1222713721] libunbound[27451:0] info: Could not establish validation
of INSECURE status of unsigned response.
com has no IPv6 address (BOGUS (security failure))
[1222713721] libunbound[27451:0] info: resolving <com. MX IN>
[1222713721] libunbound[27451:0] info: response for <com. MX IN>
[1222713721] libunbound[27451:0] info: reply from <.> 192.168.1.3#53
[1222713721] libunbound[27451:0] info: query response was ANSWER
[1222713721] libunbound[27451:0] info: prime trust anchor
[1222713721] libunbound[27451:0] info: resolving <com. DNSKEY IN>
[1222713721] libunbound[27451:0] info: validate keys with
anchor(DNSKEY): sec_status_bogus
[1222713721] libunbound[27451:0] info: failed to prime trust anchor --
could not fetch secure DNSKEY rrset <com. DNSKEY IN>
[1222713721] libunbound[27451:0] info: Could not establish validation
of INSECURE status of unsigned response.
com mail is handled by 10 shahab.com. (BOGUS (security failure))



Thank you very much.
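
One diagnostic for a `sec_status_bogus` result while priming a trust anchor is to confirm which key the configured DNSKEY actually is. The following is an added example, not part of the original post: it computes the RFC 4034 Appendix B key tag of the inline `trust-anchor` and compares it with the tags in the key file names from the commented-out `trust-anchor-file` lines. The function names are hypothetical.

```python
import base64
import re

def parse_dnskey(anchor):
    """Split a trust-anchor DNSKEY string into (owner, flags, protocol, algorithm, key)."""
    fields = anchor.split()
    i = fields.index("DNSKEY")  # skips an optional TTL and class
    flags, protocol, algorithm = (int(x) for x in fields[i + 1:i + 4])
    # The base64 key may be split by spaces; join the pieces before decoding.
    key = base64.b64decode("".join(fields[i + 4:]), validate=True)
    return fields[0], flags, protocol, algorithm, key

def key_tag(flags, protocol, algorithm, key):
    """Key tag per RFC 4034 Appendix B (does not apply to algorithm 1, RSA/MD5)."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + key
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def tag_from_keyfile(path):
    """Read (algorithm, key tag) from a K<zone>+<alg>+<tag>.key file name."""
    m = re.search(r"\+(\d{3})\+(\d{5})\.key$", path)
    if m is None:
        raise ValueError(f"not a dnssec-keygen style key file name: {path}")
    return int(m.group(1)), int(m.group(2))

def check_anchor(anchor, keyfiles):
    """Return (key tag, SEP bit set, key files whose name matches the anchor)."""
    _, flags, protocol, algorithm, key = parse_dnskey(anchor)
    tag = key_tag(flags, protocol, algorithm, key)
    matches = [p for p in keyfiles if tag_from_keyfile(p) == (algorithm, tag)]
    return tag, bool(flags & 1), matches

# Values copied from the configuration in the post.
ANCHOR = ("com. IN DNSKEY 257 3 5 "
          "AwEAAbf7W22wjbzQ25cp23q4Kp7QdEOUWiPm5kDVvE2kOUYCyFUI04oI "
          "EA2zs1i0jHfaTDxkEOQa810eqgBJQAuCyv0=")
KEYFILES = ["/var/unbound/Kcom.db.+005+56464.key",
            "/var/unbound/Kcom.db.+005+12993.key"]

if __name__ == "__main__":
    tag, sep, matches = check_anchor(ANCHOR, KEYFILES)
    print(f"anchor key tag {tag}, SEP bit {'set' if sep else 'clear'}")
    print("matching key files:", matches or "none (anchor is not one of these keys)")
```

The same tag can then be compared with the key tag in the RRSIG over the `com.` DNSKEY RRset returned by the authoritative server.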