Maintained by: NLnet Labs

[Unbound-users] testing validation failure

Taylor R Campbell
Wed Mar 17 19:36:38 CET 2010

I am trying to make Unbound act as a recursive resolver that answers
with and caches secure and insecure data, but not bogus data, using
the IANA ITAR trust anchors.  In particular, I want replies with the
AD bit clear to mean that the relevant data are insecure, and I want
the resolver to return an error when all it can find is bogus data.
However, my attempts so far have been met with failure, so I assume I
must be doing something wrong, and I should like to know how to do it

I installed Unbound 1.4.2 (on a 32-bit machine not running Mac OS X or
Solaris, so I haven't upgraded to 1.4.3) and ran it with the following

        verbosity: 1
        interface: ::0
        do-daemonize: no
        access-control: allow
        access-control: ::0/0 allow
        chroot: "/var/chroot/unbound"
        directory: ""
        logfile: ""
        use-syslog: no
        log-time-ascii: yes
        pidfile: "/var/run/"
        root-hints: "named.cache"
        do-not-query-localhost: yes
        trust-anchor-file: ""
        val-log-level: 1

named.cache is from <>, as of
2010-03-10. is from <>, as of

Both files are in /var/chroot/unbound.  unbound-checkconf is happy
with my configuration file.

When I query Unbound for's A record,
it happily hands back an A record, even though the authoritative
nameserver gives a bad signature:

% dig @localhost. a 
% drill @localhost. a
;; ANSWER SECTION:        86386   IN      A

I want Unbound to give an error in this case, not simply an answer
with the AD bit clear.

If I replace

	trust-anchor-file: ""

with

	dlv-anchor-file: ""

then I get back SERVFAIL as I expected. is from
<>, as of 2010-03-10, and is
also stored in /var/chroot/unbound.

Let me know if you would like to see log messages, or any other
information about my configuration or tests.