On Fri, 4 Sep 2009, W.C.A. Wijngaards wrote: > But I am thinking how to make this easier on other people that > aren't as smart as you are to figure this out. Or to make unbound > smarter so it won't get into this trouble. I don't know. It's hard. We have the same issue with openswan where people can send us a 'barf', a full debug file. It's fairly easy for me to spot most problems within a few minutes. But for an inexperienced person it is next to impossible. We had an automatic 'barf analyser' a long time ago but it was only capable of finding the simple mistakes. With DNS, and cache and TTL, this becomes even harder to automate. You keep mentioning drill, but I find drill hard to use because I need to give it trust anchors, where unbound-host I can run without any new configuration and it will just pick up my configured trust anchors. I guess in this case, dnscheck --test=consistency would have spotted this one. Paul