Hi Paul,

Because you have DLV enabled and there is a DLV for cert.ru.

Jul 19 12:08:30 bofh unbound: [3519:1] info: validator operate: query <cert.ru.dlv.isc.org. DLV IN>
Jul 19 12:08:30 bofh unbound: [3519:1] info: signer is <dlv.isc.org. TYPE0 CLASS0>
Jul 19 12:08:30 bofh unbound: [3519:1] info: validator: FindKey <cert.ru.dlv.isc.org. DLV IN>
Jul 19 12:08:30 bofh unbound: [3519:1] info: verify rrset <cert.ru.dlv.isc.org. DLV IN>
Jul 19 12:08:30 bofh unbound: [3519:1] info: verify rrset <dlv.isc.org. NS IN>
Jul 19 12:08:30 bofh unbound: [3519:1] info: validate(positive): sec_status_secure
Jul 19 12:08:30 bofh unbound: [3519:1] info: validation success <cert.ru.dlv.isc.org. DLV IN>
Jul 19 12:08:30 bofh unbound: [3519:1] info: validator: inform_super, sub is <cert.ru.dlv.isc.org. DLV IN>
Jul 19 12:08:30 bofh unbound: [3519:1] info: super is <ns.cert.ru. A IN>
Jul 19 12:08:30 bofh unbound: [3519:1] info: validator: inform_super, sub is <cert.ru.dlv.isc.org. DLV IN>
Jul 19 12:08:30 bofh unbound: [3519:1] info: super is <ns2.cert.ru. A IN>
Jul 19 12:08:30 bofh unbound: [3519:1] info: validator: inform_super, sub is <cert.ru.dlv.isc.org. DLV IN>
Jul 19 12:08:30 bofh unbound: [3519:1] info: super is <cert.ru. NS IN>
Jul 19 12:08:30 bofh unbound: [3519:1] info: validator: inform_super, sub is <cert.ru.dlv.isc.org. DLV IN>
Jul 19 12:08:30 bofh unbound: [3519:1] info: super is <gost.cert.ru. NS IN>
Jul 19 12:08:30 bofh unbound: [3519:1] info: validator operate: query <ns2.cert.ru. A IN>
Jul 19 12:08:30 bofh unbound: [3519:1] info: generate request <cert.ru. DNSKEY IN>
Jul 19 12:08:30 bofh unbound: [3519:1] info: validator operate: query <cert.ru. NS IN>
Jul 19 12:08:30 bofh unbound: [3519:1] info: generate request <cert.ru. DNSKEY IN>
Jul 19 12:08:30 bofh unbound: [3519:1] info: validator operate: query <ns.cert.ru. A IN>
Jul 19 12:08:30 bofh unbound: [3519:1] info: generate request <cert.ru. DNSKEY IN>
Jul 19 12:08:30 bofh unbound: [3519:1] info: validator operate: query <gost.cert.ru. NS IN>
Jul 19 12:08:30 bofh unbound: [3519:1] info: generate request <cert.ru. DNSKEY IN>
Jul 19 12:08:30 bofh unbound: [3519:1] info: validator operate: query <cert.ru. DNSKEY IN>
Jul 19 12:08:30 bofh unbound: [3519:1] info: resolving <cert.ru. DNSKEY IN>

Best regards,
   Wouter

On 07/19/2010 06:13 PM, Paul Wouters wrote:
> I did a compile test. I have openssl with gost, ldns 1.5.6rc1 with gost,
> and unbound with gost compiled and installed.
>
> I had no trust anchors yet:
>
> [root at bofh devel]# grep trust-anchor /etc/unbound/unbound.conf |grep -v "#"
> [root at bofh devel]#
>
> I am confused about this query:
>
> [root at bofh devel]# dig +dnssec -t ns gost.cert.ru. @localhost
> ; <<>> DiG 9.6.2-P2-RedHat-9.6.2-5.P2.fc12 <<>> +dnssec -t ns gost.cert.ru. @localhost
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 11021
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 9, ADDITIONAL: 1
>
> This shows the AD bit, and I am unsure why. There is no DS record, nor a
> DLV record for gost.cert.ru. And I did not configure a trust anchor for it yet.
>
> I've attached unbound.log with verbosity:4
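
Added example, not part of the original message or of unbound: a small Python parser for verbosity-4 validator log lines like those in the reply above, listing which queries were informed by a validated DLV lookup (the reason given for the AD bit). The sample lines are copied from the log excerpt in the message; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Sample lines taken from the log excerpt quoted in the message above.
SAMPLE_LOG = """\
Jul 19 12:08:30 bofh unbound: [3519:1] info: validate(positive): sec_status_secure
Jul 19 12:08:30 bofh unbound: [3519:1] info: validation success <cert.ru.dlv.isc.org. DLV IN>
Jul 19 12:08:30 bofh unbound: [3519:1] info: validator: inform_super, sub is <cert.ru.dlv.isc.org. DLV IN>
Jul 19 12:08:30 bofh unbound: [3519:1] info: super is <ns.cert.ru. A IN>
Jul 19 12:08:30 bofh unbound: [3519:1] info: validator: inform_super, sub is <cert.ru.dlv.isc.org. DLV IN>
Jul 19 12:08:30 bofh unbound: [3519:1] info: super is <gost.cert.ru. NS IN>
Jul 19 12:08:30 bofh unbound: [3519:1] info: validator operate: query <gost.cert.ru. NS IN>
Jul 19 12:08:30 bofh unbound: [3519:1] info: generate request <cert.ru. DNSKEY IN>
"""

MSG = re.compile(r"unbound: \[(\d+:\d+)\] info: (.*)$")
QUERY = re.compile(r"<(\S+) (\S+) (\S+)>")  # <name type class>

def trace_validator(log_text):
    """Return (validated, feeds): sub-queries that validated, and for each
    sub-query the list of super-queries it informed."""
    validated = set()
    feeds = defaultdict(list)
    pending = {}  # thread id -> sub-query awaiting its "super is" line
    for line in log_text.splitlines():
        m = MSG.search(line)
        if not m:
            continue
        thread, text = m.groups()
        q = QUERY.search(text)
        key = q.groups()[:2] if q else None  # (name, type)
        if text.startswith("validation success") and key:
            validated.add(key)
        elif "inform_super, sub is" in text and key:
            pending[thread] = key
        elif text.startswith("super is") and key and thread in pending:
            feeds[pending.pop(thread)].append(key)
    return validated, dict(feeds)

def dlv_dependents(log_text, registry="dlv.isc.org."):
    """Queries that were informed by a validated DLV record in `registry`."""
    validated, feeds = trace_validator(log_text)
    out = []
    for sub, supers in feeds.items():
        if sub in validated and sub[1] == "DLV" and sub[0].endswith(registry):
            out.extend(supers)
    return out
```

Run over the full log, a name appearing in the `dlv_dependents` result with no local trust anchor configured points at the DLV registry as the source of the secure status.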