Maintained by: NLnet Labs

[Unbound-users] Validation failure of DNSSEC signed domain names

W.C.A. Wijngaards
Wed May 26 13:59:18 CEST 2010


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Ondrej,

Just a minute before I was to post I had made fixes in svn trunk to
limit such problems due to config trouble, Zbynek said he optimised and
that setting also alleviated the problem.

So, bugfix in svn, workaround is to use the optimise HOWTO on
unbound.net.  Let me know if testing reveals more.

Best regards,
   Wouter

On 05/10/2010 03:48 PM, Ondřej Surý wrote:
> Wouter,
> 
> it is still worrying me that "optimizing" configuration could be used
> to circumvent SERVFAILs. It still seems to me that something deeper is
> still involved, because it causes only signed domains to fail.
> Unsigned domains and domains not in cache are still ok.
> 
> Could you please look at this bug further? Since we are able to
> repeatedly reproduce this bug, it should not be impossible to trace it
> further down.
> 
> Ondrej
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAkv9DRYACgkQkDLqNwOhpPhKlACePkYCKLwdwut7KKTUui52JljU
XhEAoIw/uGj2iBteeXTWMxxd7zjbPpZi
=+81s
-----END PGP SIGNATURE-----