Maintained by: NLnet Labs

[Unbound-users] Setting Unbound as validating resolver for stub zones

Sebastian Castro
Wed Feb 23 11:06:23 CET 2011


On 02/23/2011 08:02 PM, W.C.A. Wijngaards wrote:
> Hi Sebastian,

Hi Wouter,

Your indications helped and it now works, thanks. Just a quick note below.

>> stub-zone:
>> 	name: "parent"
>> 	stub-addr: A.B.C.D@53
>> 	stub-prime: no
> 
> Here needs to be another stub-zone: line to start another stub-zone.
> 

Shouldn't unbound check for the correct syntax of the configuration
file? In this case it is correct, but ambiguous.

>> 	name: "child1.parent"
>> 	stub-addr: A.B.C.D@53
>> 	stub-prime: no
> 
>> A.B.C.D is serving a signed zone for parent and child1.parent with valid
>> data (sig chasing with dig or drill works).
> 
>> If I try querying Unbound for <SOA, parent>, I get an answer but no AD bit.
> 
> You have to use +dnssec to get the AD bit on the reply.  If the
> signature failed you would not get a reply, so I think it validated.
> 

What a newbie! How I missed that... thanks!

> 
> Best regards,
>    Wouter

Cheers,
-- 
Sebastian Castro
DNS Specialist
.nz Registry Services (New Zealand Domain Name Registry Limited)
desk: +64 4 495 2337
mobile: +64 21 400535
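
A lint check for the mistake discussed in this thread, a second `name:` inside one `stub-zone:` clause because the clause header was left out. This is an added example, not code from the thread or from Unbound; the function name, the sample configs and the 192.0.2.1 address are constructed, and it assumes the common one-attribute-per-line layout.

```python
import re

# "key: value" or a bare clause header such as "stub-zone:".
LINE = re.compile(r'^\s*([A-Za-z0-9-]+):\s*(.*?)\s*$')
ZONE_CLAUSES = ("stub-zone", "forward-zone")

def duplicate_zone_names(conf_text):
    """Return (line_no, clause, first_name, extra_name) for every name:
    that repeats inside a single stub-zone/forward-zone clause."""
    findings = []
    clause, first_name = None, None
    for line_no, raw in enumerate(conf_text.splitlines(), 1):
        m = LINE.match(raw.split('#', 1)[0])      # drop trailing comments
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip('"')
        if value == "":                           # bare header starts a new clause
            clause, first_name = key, None
        elif key == "name" and clause in ZONE_CLAUSES:
            if first_name is None:
                first_name = value
            else:
                findings.append((line_no, clause, first_name, value))
    return findings

# Constructed sample reproducing the layout quoted in the thread.
SAMPLE = """\
server:
    verbosity: 1
stub-zone:
    name: "parent"
    stub-addr: 192.0.2.1@53
    stub-prime: no
    name: "child1.parent"
    stub-addr: 192.0.2.1@53
    stub-prime: no
"""

# Same config with the missing clause header restored.
FIXED = SAMPLE.replace('    name: "child1.parent"',
                       'stub-zone:\n    name: "child1.parent"')

if __name__ == "__main__":
    for line_no, clause, first, extra in duplicate_zone_names(SAMPLE):
        print(f"line {line_no}: second name '{extra}' in {clause} "
              f"already named '{first}' (missing '{clause}:' header?)")
```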