Maintained by: NLnet Labs

[Unbound-users] Signed .de zone - temporary validation errors

Paul Wouters
Wed Mar 31 15:43:31 CEST 2010


On Wed, 31 Mar 2010, Bernhard Schmidt wrote:

> It occasionally happens after about one to two weeks of uptime that I cannot 
> query any .de domain anymore. All of a sudden the log is full of validation 
> errors

> Mar 30 21:06:10 svr01 unbound: [1315:0] info: failed to prime trust anchor -- 
> DNSKEY rrset is not secure <de. DNSKEY IN>
> Mar 30 21:06:10 svr01 last message repeated 2 times
> Mar 30 21:06:10 svr01 unbound: [1315:0] info: failed to prime trust anchor -- 
> could not fetch DNSKEY rrset <de. DNSKEY IN>
> Mar 30 21:06:10 svr01 last message repeated 2 times
>
> The process has been running untouched since March 21st.
>
> I raised this on the DENIC ml. Peter Koch told me that he sees queries from 
> my IP address without the OPT-RR (so no EDNS and no DO) during that 
> timeframe. Which would of course mean that Unbound would not get any DNSSEC 
> records, so complaining is a good plan indeed.

Did you check the ntp/clock settings on the machines involved?

You might need to add a lot of verbosity to get more logs out of unbound. Or
if you still have that instance running, use unbound-remote to dump the cache
to a file and we might be able to get more information out of it.

Paul