Maintained by: NLnet Labs

[Unbound-users] Signed .de zone - temporary validation errors

Paul Wouters
Wed Mar 31 17:44:56 CEST 2010


On Wed, 31 Mar 2010, Roy Arends wrote:

>> stub-zone:
>>     name: "de"
>>     stub-addr: 81.91.161.228    # auth-fra.dnssec.denic.de
>>     stub-addr: 2A02:568:0:1::53
>>     stub-addr: 87.233.175.25    # auth-ams.dnssec.denic.de
>>     stub-prime: no
>
> That server (81.91.161.228/87.233.175.25) will tell you that the actual nameservers for .de are [cls].de.net. and [afz].nic.de. Subsequently, the resolver asks one of these servers for an answer, and gets an unsigned delegation. Hence the validation failure.
>
> This is how it worked in the java version of unbound.

Isn't that why stub-prime: no is there (and the reason why this is so hard to do with
bind, because it does not have the equivalent feature)?

        stub-prime: <yes or no>
               This option is by default off. If enabled it performs NS set
               priming, which is similar to root hints, where it starts using
               the list of nameservers currently published by the zone. Thus,
               if the hint list is slightly outdated, the resolver picks up a
               correct list online.

Paul