Maintained by: NLnet Labs

[Unbound-users] Forwarding failing when DNSSec is enabled

Paul Wouters
Wed Jul 1 18:46:01 CEST 2009


On Wed, 1 Jul 2009, Harish Chandra wrote:

> Without DNSSec, forwarding is working fine. With DNSSec enabled (I am
> using DLV), forwarding fails when I forward my queries to a server that
> isn't dnssec enabled.
> The output from the log looks like this:

> [1246456813] unbound[7919:0] info: verify rrset <dlv.isc.org.. DNSKEY IN>
> [1246456813] unbound[7919:0] debug: rrset failed to verify due to a lack of signatures

Are you running trunk? There is a bug up to 1.3.0 that caused DLV to
fail.

> The failure appears because of a signature mismatch. But why is
> validation taking place when the actual resolver can't talk dnssec? My
> config file looks like this:

It should fall back to non-secure. If your forwarder changes again to one
that does relay dnssec information, unbound drops the cache and uses the
validator again (if I understood Wouter correctly; I have not verified
this myself).

Paul