Maintained by: NLnet Labs

[Unbound-users] unbound servfail

Wouter Wijngaards
Tue Sep 30 09:42:23 CEST 2008


Hi Shahab,

So, you can resolve, but no DNSSEC.

> [1222713721] libunbound[27451:0] info: validate keys with
> anchor(DNSKEY): sec_status_bogus
> [1222713721] libunbound[27451:0] info: failed to prime trust anchor --
> could not fetch secure DNSKEY rrset <com. DNSKEY IN>
> [1222713721] libunbound[27451:0] info: Could not establish validation
> of INSECURE status of unsigned response.
> com has address 192.168.1.2 (BOGUS (security failure))

So your server does not serve a signed zone.  If you

    dig @192.168.1.2 com. DNSKEY +dnssec

it should return DNSKEY and RRSIG records. The logs above tell me that
RRSIGs are missing.  Perhaps also the DNSKEY RRset is missing.

If you use NSD - did you put the zone file 'com.signed' in the config?
(not just "com").
If you use BIND - did you enable the dnssec options and load a signed zone?

Best regards,
   Wouter
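
Added example (not part of the original message, and not NLnet Labs code): a shell check that classifies the answer section of the dig query suggested above as signed, DNSKEY without a covering RRSIG, or no DNSKEY at all. The function name classify_dnskey_answer and the sample records are constructed for illustration; it assumes dig's +noall +answer options are added so only answer records are printed.

```shell
#!/bin/sh
# Intended use (assumed invocation, server and zone taken from the message):
#   dig @192.168.1.2 com. DNSKEY +dnssec +noall +answer | classify_dnskey_answer com.
# Reads answer lines on stdin and prints one of:
#   signed          DNSKEY records plus an RRSIG whose "type covered" is DNSKEY
#   missing-rrsig   DNSKEY records present, but no RRSIG covering them
#   missing-dnskey  no DNSKEY records at the zone apex (unsigned zone loaded)
classify_dnskey_answer() {
    zone=$1
    awk -v zone="$zone" '
        /^;/ || NF < 5 { next }                      # skip comments, blanks
        tolower($1) != tolower(zone) { next }        # only apex-owned records
        $4 == "DNSKEY" { keys++ }
        $4 == "RRSIG" && $5 == "DNSKEY" { sigs++ }   # field 5 = type covered
        END {
            if (keys && sigs) print "signed"
            else if (keys)    print "missing-rrsig"
            else              print "missing-dnskey"
        }'
}

# Constructed sample answers (placeholder key and signature data).
sample_signed() {
    cat <<'EOF'
com. 3600 IN DNSKEY 257 3 5 CONSTRUCTEDKSK=
com. 3600 IN DNSKEY 256 3 5 CONSTRUCTEDZSK=
com. 3600 IN RRSIG DNSKEY 5 1 3600 20081030000000 20080930000000 11111 com. CONSTRUCTEDSIG=
EOF
}

# DNSKEY present, but the only RRSIG covers SOA, so it does not count.
sample_keys_only() {
    cat <<'EOF'
com. 3600 IN DNSKEY 257 3 5 CONSTRUCTEDKSK=
com. 3600 IN RRSIG SOA 5 1 3600 20081030000000 20080930000000 22222 com. CONSTRUCTEDSIG=
EOF
}

# An unsigned zone returns an empty answer section for a DNSKEY query.
sample_unsigned() { printf ''; }

for s in sample_signed sample_keys_only sample_unsigned; do
    printf '%s: %s\n' "$s" "$($s | classify_dnskey_answer com.)"
done
```

The last two results are the two cases named in the reply: RRSIGs missing, or the DNSKEY RRset missing as well.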