Maintained by: NLnet Labs

[Unbound-users] dnssec stripping not resulting in serv fail?

W.C.A. Wijngaards
Mon Jan 10 14:40:11 CET 2011



Hi Paul,

On 01/10/2011 02:26 PM, Paul Wouters wrote:
> There was nothing that servfailed, that was the point.

Yes, of course.

> Yes, I digged specifically for xelerance.org

It looks like unbound acted as if it was not configured with a trust
anchor, it did not try to prime its trust anchor, for example.

If you start unbound with verbosity 4 (-vvvv) it prints the trust
anchors and root hints as it is starting.

You can also examine what unbound thinks is configured with
unbound-checkconf -o auto-trust-anchor-file
and unbound-control get_option auto-trust-anchor-file

(or, dlv-anchor-file, or trust-anchor-file, or trust-anchor).

> no. It was Fedora Linux, resolv.conf not used at all

ok

> I might have made some unbound-control command errors. I don't remember.

Yeah, maybe you killed it before the TLS init succeeded.

> It just had the root key.

Weird, it does not act like it has one.  I do see it go into the
validator, but then does not act like there is a root key.  Or as if you
had domain-insecure: xelerance.org configured.

> Yes, I had some syntax errors before i finally had the syntax right :)

Sorry about that :-)

> I grepped for "unbound". I'll check the logs and see if some lines do not
> contain that string.

Unlikely to be there, it logs with 'unbound:' all the time.  But thanks
for looking.

Best regards,
   Wouter
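A small diagnostic built from the two commands Wouter names, added here as an example that is not part of the thread: it compares the anchor options the config file declares (unbound-checkconf -o) with what the running daemon reports (unbound-control get_option), so a daemon that is running without any trust anchor, or with an older configuration than the file, is spotted rather than silently resolving as if unsigned. It assumes both tools are on PATH and that remote control is enabled; the option names come from the message, and the key paths used for the sample comparison are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread or from NLnet Labs: compare the
# trust-anchor options in Unbound's config file with what the running daemon
# reports, for the four options listed in the message.
# Assumes unbound-checkconf and unbound-control are on PATH and that
# unbound-control is configured (remote-control: control-enable: yes).

ANCHOR_OPTS="auto-trust-anchor-file trust-anchor-file trust-anchor dlv-anchor-file"

# anchor_values TOOL: print "option=value" for every anchor option with a
# non-empty value, read from the config file (checkconf) or the daemon (control).
anchor_values() {
    for opt in $ANCHOR_OPTS; do
        case "$1" in
            checkconf) val=$(unbound-checkconf -o "$opt" 2>/dev/null || true) ;;
            control)   val=$(unbound-control get_option "$opt" 2>/dev/null || true) ;;
            *)         val="" ;;
        esac
        [ -n "$val" ] && printf '%s=%s\n' "$opt" "$val"
    done
    return 0
}

# compare_anchor_state CONFIG RUNTIME: both arguments are anchor_values output.
# Returns 0 when file and daemon agree on at least one anchor, 1 when the daemon
# reports no anchor at all (it then validates nothing, the symptom in the
# thread), 2 when the daemon's view differs from the file (e.g. it is still
# running an earlier configuration).
compare_anchor_state() {
    config=$1; runtime=$2
    if ! printf '%s' "$runtime" | grep -q '='; then
        return 1
    fi
    if [ "$config" != "$runtime" ]; then
        return 2
    fi
    return 0
}

# Only query the real tools when they are installed; otherwise the functions
# above can still be exercised on constructed values.
if command -v unbound-checkconf >/dev/null 2>&1 && command -v unbound-control >/dev/null 2>&1; then
    cfg=$(anchor_values checkconf)
    run=$(anchor_values control)
    rc=0; compare_anchor_state "$cfg" "$run" || rc=$?
    case $rc in
        0) echo "trust anchor configured and active: $run" ;;
        1) echo "running daemon reports NO trust anchor (config file says: ${cfg:-none})" ;;
        2) echo "mismatch: config file [$cfg] vs daemon [$run]" ;;
    esac
fi
```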