Maintained by: NLnet Labs

[Unbound-users] SERVFAIL with *some* names in a DNSSEC+DLV signed zone

Paul Wouters
Fri Sep 4 16:42:04 CEST 2009

On Fri, 4 Sep 2009, W.C.A. Wijngaards wrote:

> But I am thinking how to make this easier on other people that
> aren't as smart as you are to figure this out.   Or to make unbound
> smarter so it won't get into this trouble.  I don't know.

It's hard. We have the same issue with openswan where people can send
us a 'barf', a full debug file. It's fairly easy for me to spot most
problems within a few minutes. But for an inexperienced person it is
next to impossible. We had an automatic 'barf analyser' a long time
ago but it was only capable of finding the simple mistakes. With DNS,
and cache and TTL, this becomes even harder to automate.

You keep mentioning drill, but I find drill hard to use because I need
to give it trust anchors, where unbound-host I can run without any
new configuration and it will just pick up my configured trust anchors.

I guess in this case, dnscheck --test=consistency would have spotted
this one.