Maintained by: NLnet Labs

[Unbound-users] testing validation failure

W.C.A. Wijngaards
Wed Mar 17 20:08:50 CET 2010


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Taylor,

Thanks for enabling DNSSEC.

The issue is simply that dnssec-tools.org does not have a secure
delegation from .org, the DS is not returned by the .org servers:
dig @d0.org.afilias-nst.org. dnssec-tools.org +dnssec

I found this with unbound-host -vd which said (in lots of output):
info: Successfully primed trust anchor <ORG. DNSKEY IN>
info: NSEC3s for the referral proved no DS.
info: Verified that response is INSECURE

They presumably have a dlv entry, thus the dlv anchor works.

I would advise you to install a cron job to pull the anchors.mf and
update it.  A script that does so and checks the PGP signature is in the
unbound source tarball contrib/update-itar.sh :-)

This makes sure that you have the latest trust anchors, otherwise they
go stale and things stop working next year.

Best regards,
   Wouter


On 03/17/2010 07:36 PM, Taylor R Campbell wrote:
> I am trying to make Unbound act as a recursive resolver that answers
> with and caches secure and insecure data, but not bogus data, using
> the IANA ITAR trust anchors.  In particular, I want replies with the
> AD bit clear to mean that the relevant data are insecure, and I want
> the resolver to return an error when all it can find is bogus data.
> However, my attempts so far have been met with failure, so I assume I
> must be doing something wrong, and I should like to know how to do it
> right.
> 
> I installed Unbound 1.4.2 (on a 32-bit machine not running Mac OS X or
> Solaris, so I haven't upgraded to 1.4.3) and ran it with the following
> configuration:

> Let me know if you would like to see log messages, or any other
> information about my configuration or tests.
> _______________________________________________
> Unbound-users mailing list
> Unbound-users at unbound.net
> http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAkuhKMIACgkQkDLqNwOhpPhaVACfRy/JkH6CO2YU+zLI1RoR+RZ9
g6IAnAgmTb2oBSzxs8jM8p7SyIHqXb1B
=zHKJ
-----END PGP SIGNATURE-----