Hi Paul,

Can you give me the unbound-host commandline you used? Unbound host is supposed to print (bogus security failure) for expired rrsigs. It only does so when -v is passed, otherwise it'll print bogus data as output though.

Is this a user interface issue?

Best regards,
Wouter

Paul Wouters wrote:
>
> Hi,
>
> I just ran into an issue where I could not resolve dnsops.biz. After some
> investigation, it seems unbound was right. The RRSIG records expired 4
> days ago.
>
> dnsops.biz. 3600 IN RRSIG DNSKEY 5 2 3600 20090725124034
> 20090625124034 43287 dnsops.biz.
> SPUrR6Wb2UMt6NQTf6g6dodYvg7Rn1AfZi1eSKZqV/PVwGnYQIC1OILI
> qLjejtL/A32bfgdaSvhS2MAsM9RK33zaAba5Rho+U0m2X4X0Ua6XqrK0
> A8Hmi9lL2WsE2lhymqjWgbUAnusmgPi727yXTj9Pm2GIlEkAu2/kyJh+
> w7xjs8BCL/LzZO/bfzgiK80olvneQC+ilycxwGKg8EUCq3s2Ec1D3gon
> 3JywyTkuWbSMLaMcbf6EXze8EaVeSvlVWYSALBjDOF4gkoegtcyL+zy8
> 15KR8czTQk14GkS7z1NrZCfwoMU3bbZXrVHvzY1EHwNDdnXD0ii6FMex pVN28A==
>
> It took me a little while to figure this out, as "unbound-host" would
> happily return the record, without any indication of a problem, while
> the unbound daemon itself would only do so with the CD bit set.
>
> It was even more confusing as our DNSX Resolver has the key for dnsops.biz
> loaded, and the answer unbound-host gave was "(insecure)". In fact,
> it should say it was "(expired)" or "(invalid)" or something. It is
> clearly not "just" insecure when the configuration has a DNSKEY loaded,
> which signature expired.
>
> Anyway, it at least explains the error I was seeing for
> xelerance.dnsops.biz.
>
> Paul
> _______________________________________________
> Unbound-users mailing list
> Unbound-users at unbound.net
> http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
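The check that made Unbound reject the answer above is the RRSIG validity window: a validator's clock must fall between the Inception and Expiration fields (RFC 4035 section 5.3.1), compared with RFC 1982 serial-number arithmetic (RFC 4034 section 3.1.5). The following is an added example, not code from the thread or from Unbound: it parses the presentation form of the quoted RRSIG, converts its YYYYMMDDHHmmSS fields to seconds since the epoch, and reports whether the signature is expired, not yet valid, or valid for a given validator time. The function names and the constructed "now" value are my own.

```python
"""Check an RRSIG's validity window the way a DNSSEC validator does.

Added example (not from the mailing-list thread or from Unbound itself).
It parses the presentation format of an RRSIG record, converts the
YYYYMMDDHHmmSS expiration/inception fields to seconds since the epoch
(UTC, per RFC 4034 section 3.1.5) and compares them against the
validator's clock using RFC 1982 serial-number arithmetic.
Function names are my own choices, not Unbound's.
"""
import calendar
from datetime import datetime

# The record quoted in the thread. Whitespace inside the base64 signature
# is allowed in presentation format and is stripped by the parser.
RRSIG_FROM_THREAD = """dnsops.biz. 3600 IN RRSIG DNSKEY 5 2 3600 20090725124034
20090625124034 43287 dnsops.biz.
SPUrR6Wb2UMt6NQTf6g6dodYvg7Rn1AfZi1eSKZqV/PVwGnYQIC1OILI
qLjejtL/A32bfgdaSvhS2MAsM9RK33zaAba5Rho+U0m2X4X0Ua6XqrK0
A8Hmi9lL2WsE2lhymqjWgbUAnusmgPi727yXTj9Pm2GIlEkAu2/kyJh+
w7xjs8BCL/LzZO/bfzgiK80olvneQC+ilycxwGKg8EUCq3s2Ec1D3gon
3JywyTkuWbSMLaMcbf6EXze8EaVeSvlVWYSALBjDOF4gkoegtcyL+zy8
15KR8czTQk14GkS7z1NrZCfwoMU3bbZXrVHvzY1EHwNDdnXD0ii6FMex pVN28A=="""

SERIAL_MOD = 1 << 32        # RRSIG times are 32-bit unsigned values
SERIAL_HALF = 1 << 31


def rrsig_time_to_epoch(field):
    """Convert an RRSIG time field (YYYYMMDDHHmmSS, UTC) to Unix seconds."""
    if len(field) != 14 or not field.isdigit():
        raise ValueError("bad RRSIG time field: %r" % field)
    t = datetime.strptime(field, "%Y%m%d%H%M%S")
    return calendar.timegm(t.timetuple())   # timegm treats the tuple as UTC


def parse_rrsig(text):
    """Parse the presentation form of an RRSIG RR into a dict of fields."""
    tok = text.split()
    if len(tok) < 13 or tok[3] != "RRSIG":
        raise ValueError("not an RRSIG record")
    return {
        "owner": tok[0],
        "ttl": int(tok[1]),
        "type_covered": tok[4],
        "algorithm": int(tok[5]),
        "labels": int(tok[6]),
        "original_ttl": int(tok[7]),
        "expiration": rrsig_time_to_epoch(tok[8]),
        "inception": rrsig_time_to_epoch(tok[9]),
        "key_tag": int(tok[10]),
        "signer": tok[11],
        "signature": "".join(tok[12:]),  # base64 may be split across tokens
    }


def serial_le(a, b):
    """RFC 1982 'a <= b' on 32-bit serial numbers (survives the 2106 wrap)."""
    a %= SERIAL_MOD
    b %= SERIAL_MOD
    if a == b:
        return True
    # a < b when going forward from a reaches b in fewer than 2^31 steps.
    return 0 < (b - a) % SERIAL_MOD < SERIAL_HALF


def rrsig_status(rrsig, now):
    """Return 'valid', 'expired' or 'not yet valid' for validator time `now`."""
    if not serial_le(rrsig["inception"], now):
        return "not yet valid"
    if not serial_le(now, rrsig["expiration"]):
        return "expired"
    return "valid"


if __name__ == "__main__":
    sig = parse_rrsig(RRSIG_FROM_THREAD)
    # Constructed validator clock: four days after the signature expired,
    # roughly when the thread was posted.
    now = calendar.timegm((2009, 7, 29, 12, 0, 0))
    print("%s RRSIG covering %s (key tag %d): %s"
          % (sig["owner"], sig["type_covered"], sig["key_tag"],
             rrsig_status(sig, now)))
```

Run against the quoted record with a clock of 29 July 2009 this reports "expired", which is the condition Wouter says unbound-host only surfaces as "(bogus security failure)" when -v is passed. Checking the window in monitoring, ahead of the resolver, is what catches a zone whose re-signing has silently stopped.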