Maintained by: NLnet Labs

[Unbound-users] Unbound stop working without error-log

lst_hoe02 at kwsoft.de
Wed Nov 3 09:07:29 CET 2010


Quoting "W.C.A. Wijngaards" <wouter at NLnetLabs.nl>:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Update for the disaster-tourists on the list - unbound logs with
> val-log-level: 2 that the upstream bind sends expired signatures -
> sleuthing continues ...

It seems more that unbound and bind disagree in their opinion of whether
the signature is expired or not. As said, at the time unbound starts failing,
the same queries done directly to the upstream resolve *and* validate
fine. So the options are:

- Bind does not send the same data it is using for validation to the
downstream (unbound) client. Would be a Bind bug I guess.
- Unbound and Bind do validation differently (should not happen IMHO)
- Validation in Unbound for some cases is broken. Would be a bug in
Unbound I guess.

It would be nice to get help on how to debug this, as DNSSEC "by-hand" is
somewhat challenging.

Regards

Andreas
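
A by-hand check of the point in dispute above, as an added example that is not part of the original message or of Unbound or BIND: it parses an RRSIG line in the presentation format printed by `dig +dnssec` and classifies it against a given clock using the RFC 4034 inception/expiration window. The sample record, key tag and signature text are constructed.

```python
import calendar
import time

MASK = 0xFFFFFFFF

def parse_time(field):
    """RFC 4034 3.2: YYYYMMDDHHmmSS in UTC, or decimal seconds since the epoch."""
    if len(field) == 14:
        return calendar.timegm(time.strptime(field, "%Y%m%d%H%M%S"))
    return int(field)

def serial_lt(a, b):
    """True if a < b under RFC 1982 serial arithmetic on 32-bit values."""
    return a != b and ((b - a) & MASK) < 0x80000000

def rrsig_status(line, now):
    """Classify one RRSIG line (dig presentation format) at epoch time `now`."""
    f = line.split()
    i = f.index("RRSIG")
    # After RRSIG: covered type, algorithm, labels, original TTL,
    # expiration, inception, key tag, signer name, signature.
    exp = parse_time(f[i + 5]) & MASK
    inc = parse_time(f[i + 6]) & MASK
    t = int(now) & MASK
    if serial_lt(t, inc):
        state = "not-yet-valid"
    elif serial_lt(exp, t):
        state = "expired"
    else:
        state = "valid"
    # Signed distance to expiration; negative means already expired.
    left = ((exp - t + 0x80000000) & MASK) - 0x80000000
    return {"covered": f[i + 1], "keytag": int(f[i + 7]), "signer": f[i + 8],
            "state": state, "seconds_left": left}

# Constructed sample record (not taken from the thread).
SAMPLE = ("example.com. 3600 IN RRSIG A 5 2 3600 "
          "20101103080000 20101027080000 12345 example.com. c2FtcGxl")

if __name__ == "__main__":
    # Evaluate the same signature against two clocks to see where they disagree.
    for clock in ("20101103075500", "20101103080729"):
        print(clock, rrsig_status(SAMPLE, parse_time(clock)))
```

Running it on the RRSIG lines returned by each resolver, with the clock of the host doing the validation, shows whether both sides see the same validity window.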