Hi Taylor,

Thanks for enabling DNSSEC. The issue is simply that dnssec-tools.org
does not have a secure delegation from .org, the DS is not returned by
the .org servers:

    dig @d0.org.afilias-nst.org. dnssec-tools.org +dnssec

I found this with unbound-host -vd which said (in lots of output):

    info: Successfully primed trust anchor <ORG. DNSKEY IN>
    info: NSEC3s for the referral proved no DS.
    info: Verified that response is INSECURE

They presumably have a dlv entry, thus the dlv anchor works.

I would advise you to install a cron job to pull the anchors.mf and
update it. A script that does so and checks the PGP signature is in the
unbound source tarball contrib/update-itar.sh :-) This makes sure that
you have the latest trust anchors, otherwise they go stale and things
stop working next year.

Best regards,
   Wouter

On 03/17/2010 07:36 PM, Taylor R Campbell wrote:
> I am trying to make Unbound act as a recursive resolver that answers
> with and caches secure and insecure data, but not bogus data, using
> the IANA ITAR trust anchors. In particular, I want replies with the
> AD bit clear to mean that the relevant data are insecure, and I want
> the resolver to return an error when all it can find is bogus data.
> However, my attempts so far have been met with failure, so I assume I
> must be doing something wrong, and I should like to know how to do it
> right.
>
> I installed Unbound 1.4.2 (on a 32-bit machine not running Mac OS X or
> Solaris, so I haven't upgraded to 1.4.3) and ran it with the following
> configuration:
>
> Let me know if you would like to see log messages, or any other
> information about my configuration or tests.
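
The cron-driven trust anchor refresh advised in the reply, sketched as an added example (not part of the original message and not the contrib/update-itar.sh script): it replaces the anchor file only when the download carries a valid signature, so a failed or tampered fetch leaves the existing anchors in place. The URLs, file paths, keyring and the detached-signature layout are assumptions.

```shell
#!/bin/sh
# Added example: fail-closed refresh of a DNSSEC trust anchor file.
# All values below are placeholders/assumptions, not taken from the message.
ANCHOR_URL="${ANCHOR_URL:-https://example.invalid/anchors.mf}"  # placeholder URL
SIG_URL="${SIG_URL:-$ANCHOR_URL.sig}"              # assumed detached signature
DEST="${DEST:-/etc/unbound/anchors.mf}"            # assumed install path
KEYRING="${KEYRING:-/etc/unbound/anchor-keyring.gpg}"  # holds ONLY the publisher key

# fetch URL OUTFILE: fail on HTTP errors and on timeouts.
fetch() { curl -fsS --max-time 30 -o "$2" "$1"; }

# verify DATAFILE SIGFILE: gpg accepts any key in the keyring it is given,
# so a dedicated keyring is used instead of the user's default one.
verify() {
    gpg --batch --no-default-keyring --keyring "$KEYRING" \
        --verify "$2" "$1" 2>/dev/null
}

# update_anchors: 0 = new file installed, 1 = unchanged, 2 = rejected.
# On 2 the previous anchor file is left untouched.
update_anchors() {
    # Stage next to DEST so the final mv is an atomic rename.
    tmp=$(mktemp -d "$(dirname "$DEST")/.anchors.XXXXXX") || return 2
    rc=2
    if fetch "$ANCHOR_URL" "$tmp/anchors.mf" &&
       fetch "$SIG_URL" "$tmp/anchors.mf.sig" &&
       [ -s "$tmp/anchors.mf" ] &&
       verify "$tmp/anchors.mf" "$tmp/anchors.mf.sig"; then
        if [ -f "$DEST" ] && cmp -s "$tmp/anchors.mf" "$DEST"; then
            rc=1
        else
            chmod 644 "$tmp/anchors.mf" &&
                mv -f "$tmp/anchors.mf" "$DEST" && rc=0
        fi
    fi
    rm -rf "$tmp"
    return "$rc"
}

# From cron: run with --run; status 2 should raise an alert, because
# repeated failures mean the anchors are going stale.
if [ "${1:-}" = "--run" ]; then
    update_anchors
    exit $?
fi
```

After a status of 0, reload the resolver (for example with `unbound-control reload`) so it reads the new anchor file.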