Maintained by: NLnet Labs

[Unbound-users] testing validation failure

Taylor R Campbell
Wed Mar 17 21:18:57 CET 2010


   Date: Wed, 17 Mar 2010 20:08:50 +0100
   From: "W.C.A. Wijngaards" <wouter at nlnetlabs.nl>

   The issue is simply that dnssec-tools.org does not have a secure
   delegation from .org, the DS is not returned by the .org servers:
   dig @d0.org.afilias-nst.org. dnssec-tools.org +dnssec

Thanks.  I see that this is spelled out precisely in RFC 4033 in the
definitions of `insecure' and `bogus'.  If I put dnssec-tools.org's
DNSKEY among Unbound's trust anchors, I get SERVFAIL as expected.

   I would advise you to install a cron job to pull the anchors.mf and
   update it.  A script that does so and checks the PGP signature is in the
   unbound source tarball contrib/update-itar.sh :-)

Yep, I planned to do that once I got Unbound behaving as I expect.

   This makes sure that you have the latest trust anchors, otherwise they
   go stale and things stop working next year.

Next year?  Isn't the root zone supposed to be signed in July, at
which point the IANA ITAR will turn into a pumpkin?