Maintained by: NLnet Labs

[Unbound-users] .PR servfails with Unbound but not with BIND

Stephane Bortzmeyer
Thu Sep 10 12:15:00 CEST 2009

On Wed, Sep 09, 2009 at 03:38:56PM +0200,
 Ond?ej Surý <ondrej at> wrote 
 a message of 41 lines which said:

> I would rather say that .PR is at fault here.

I remember that they had expired signatures in the zone at a time. But
my point is not here: sure, some TLD perform better than others. But,
with regular DNS, you have to work really hard to completely break the
resolution process. With DNSSEC, it is the opposite, you have to be
very good to make things work. 

Activating DNSSEC validation mean switching from "it will work most of
the time" to "it will work only when everything is OK". I'm not sure
that many people are ready to go this way.