Maintained by: NLnet Labs

[Unbound-users] Signed .de zone - temporary validation errors

Peter Koch
Thu Apr 1 00:06:55 CEST 2010


On Wed, Mar 31, 2010 at 11:44:56AM -0400, Paul Wouters wrote:
> On Wed, 31 Mar 2010, Roy Arends wrote:
> 
> >>stub-zone:
> >>        name: "de"
> >>        stub-addr: 81.91.161.228    # auth-fra.dnssec.denic.de
> >>        stub-addr: 2A02:568:0:1::53
> >>        stub-addr: 87.233.175.25    # auth-ams.dnssec.denic.de
> >>        stub-prime: no
> >
> >That server (81.91.161.228/87.233.175.25) will tell you that the actual 
> >nameservers for .de are [cls].de.net. and [afz].nic.de. Subsequently, the 
> >resolver asks one of these servers for an answer, and gets an unsigned 
> >delegation. Hence the validation failure.

[...]
> Isn't that why stub-prime: no is there (and the reason why this is so hard
> to do with bind because it does not have the equivalent feature)?

yes, indeed.  Unbound works "despite" the apex NS RRSet pointing to the
standard non-DNSSEC aware servers.  But occasionally the OPT RR is
missing (the CD bit still set) and thus no RRSIGs are returned.  I'm
prepared to set some traffic dumps up next week to get a more complete
picture.

-Peter
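As an added illustration (not from this thread, and not DENIC's or Unbound's code), here is a small stdlib-only Python checker for the symptom Peter describes: given a raw DNS response, it reports whether the CD bit is set, whether an EDNS0 OPT record with DO=1 is present in the additional section, and how many RRSIGs came back. The two sample messages for "de." are constructed inline with dummy rdata, not captured traffic.

```python
import struct

RRSIG, OPT, SOA = 46, 41, 6
CD_FLAG, DO_BIT = 0x0010, 0x8000   # CD in header flags; DO in the OPT TTL field

def _skip_name(msg, off):
    """Step past a possibly-compressed owner name; only the offset is needed."""
    while True:
        l = msg[off]
        if l == 0:
            return off + 1
        if l & 0xC0 == 0xC0:           # compression pointer: two bytes, ends the name
            return off + 2
        off += l + 1

def _parse_rr(msg, off):
    off = _skip_name(msg, off)
    rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
    return rtype, rclass, ttl, off + 10 + rdlen

def check_dnssec_response(msg):
    """Summarise the validation-relevant parts of a raw DNS response."""
    flags, qd, an, ns, ar = struct.unpack("!HHHHH", msg[2:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4   # skip QTYPE + QCLASS
    rrsigs, opt, do = 0, False, False
    for section, count in (("an", an), ("ns", ns), ("ar", ar)):
        for _ in range(count):
            rtype, _cls, ttl, off = _parse_rr(msg, off)
            if rtype == RRSIG:
                rrsigs += 1
            elif rtype == OPT and section == "ar":
                opt, do = True, bool(ttl & DO_BIT)
    return {"cd": bool(flags & CD_FLAG), "opt": opt, "do": do, "rrsigs": rrsigs}

# --- constructed sample responses (dummy rdata, not real DENIC traffic) ---
def _name(s):
    return b"".join(bytes([len(l)]) + l.encode() for l in s.split(".") if l) + b"\x00"

def _rr(name, rtype, rclass, ttl, rdata):
    return _name(name) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata

def build_response(with_opt):
    answer = _rr("de.", SOA, 1, 3600, b"\x00" * 22)          # dummy SOA rdata
    extra = b""
    if with_opt:
        answer += _rr("de.", RRSIG, 1, 3600, b"\x00" * 18)   # dummy RRSIG rdata
        extra = _rr(".", OPT, 4096, DO_BIT, b"")             # EDNS0 OPT, DO=1
    header = struct.pack("!HHHHHH", 0x1234, 0x8000 | CD_FLAG, 1,
                         2 if with_opt else 1, 0, 1 if with_opt else 0)
    return header + _name("de.") + struct.pack("!HH", SOA, 1) + answer + extra

GOOD = check_dnssec_response(build_response(True))    # OPT+DO present, 1 RRSIG
BAD = check_dnssec_response(build_response(False))    # OPT missing, CD still set, 0 RRSIGs
```

Feed it the payload of a UDP DNS packet from a traffic dump to spot responses where the OPT RR went missing while CD stayed set.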