Maintained by: NLnet Labs

[Unbound-users] 8.8.8.8

Paul Wouters
Sun Jun 27 17:52:28 CEST 2010


On Sun, 27 Jun 2010, Papp Tamás wrote:

> So I've just tested it a bit, and this option is the problem:
>
> dlv-anchor-file: "/etc/unbound/dlv.isc.org.key"

It seems Google's DNS does not understand DLV records:

dig +norecur -t dlv isc.org.dlv.isc.org @8.8.8.8

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63442
;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;isc.org.dlv.isc.org.		IN	DLV

;; Query time: 44 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sun Jun 27 11:48:35 2010
;; MSG SIZE  rcvd: 37

So you cannot use Google as forwarding while using DLV.

> BTW, what does stub-prime exactly do? I'm afraid, it's not clear to me, what 
> does "it performs NS set priming" mean?

It is used when you want to "override" the real NS set and do the lookup of
a zone via nameservers that are not in the "official zone".

For example, to reach the Canadian testbed for DNSSEC, which runs a signed
shadow tree for the entire .ca zone, you would use:

stub-zone:
	name: "ca."
	stub-prime: "no"
	stub-addr: 192.228.22.190
	stub-addr: 192.228.22.189

Now, instead of using the NS records in the root zone that point to ca., Unbound
will use these two addresses.

Paul
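
The forwarder check from the dig output above, as an added example that is not part of the original message: it rebuilds the 37-byte reply from the header fields dig printed and classifies it. The function names and verdict strings are hypothetical, and the verdict assumes the queried name is known to be present in the DLV registry.

```python
import struct

DLV = 32769  # RR type code assigned to DLV (RFC 4431)
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def encode_name(name):
    """Encode a domain name as length-prefixed labels ending in the root label."""
    wire = b""
    for label in name.rstrip(".").split("."):
        wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"

def build_message(msg_id, flags, name, qtype, ancount=0):
    """12-byte header plus a single question in class IN."""
    header = struct.pack("!6H", msg_id, flags, 1, ancount, 0, 0)
    return header + encode_name(name) + struct.pack("!2H", qtype, 1)

def parse_reply(msg):
    """Decode the header and the (uncompressed) question of a reply."""
    msg_id, flags, _qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    pos, labels = 12, []
    while msg[pos] != 0:
        length = msg[pos]
        labels.append(msg[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    qtype, _qclass = struct.unpack("!2H", msg[pos + 1:pos + 5])
    return {"id": msg_id, "rcode": RCODES.get(flags & 0xF, str(flags & 0xF)),
            "qr": bool(flags & 0x8000), "ra": bool(flags & 0x0080),
            "qname": ".".join(labels) + ".", "qtype": qtype,
            "answer": an, "authority": ns, "additional": ar}

def dlv_verdict(reply):
    """Classify a reply to a DLV query sent through a forwarder."""
    r = parse_reply(reply)
    if r["qtype"] != DLV:
        return "not a DLV question"
    if r["rcode"] == "NOERROR" and r["answer"] == 0:
        return "no DLV data returned: forwarder unusable with dlv-anchor-file"
    if r["rcode"] == "NOERROR":
        return "DLV records returned"
    return "lookup failed: " + r["rcode"]

# Constructed sample: the reply shown in the dig output (id 63442, flags qr ra,
# all record counts zero), rebuilt from those header fields.
SAMPLE_REPLY = build_message(63442, 0x8080, "isc.org.dlv.isc.org", DLV)
# Constructed counter-case: only the header's answer count is set to 1.
SAMPLE_WITH_ANSWER = build_message(63442, 0x8080, "isc.org.dlv.isc.org", DLV, ancount=1)

if __name__ == "__main__":
    print(len(SAMPLE_REPLY), parse_reply(SAMPLE_REPLY))
    print(dlv_verdict(SAMPLE_REPLY))
```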