Maintained by: NLnet Labs

[Unbound-users] unbound failed when validating

Cathy Zhang
Tue Jul 12 03:59:46 CEST 2011


unbound responds with status SERVFAIL for request 'dig
foo.dname2.example. any +dnssec'. I think it means unbound failed to
validate the data and i found such statements in log:
12-Jul-2011 09:32:51.666 info: no signer, using <foo.dname2.example.
TYPE0 CLASS0>
would it be 'example' the signer instead of 'foo.dname2.example'?

here is the response for request with cd bit set
$ dig foo.dname2.example. any @10.53.0.8 +cdflag

; <<>> DiG 9.7.3 <<>> foo.dname2.example. any @10.53.0.8 +cdflag
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40226
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 7, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;foo.dname2.example.            IN      ANY

;; ANSWER SECTION:
dname2.example.         300     IN      DNAME   dname2-target.example.
dname2.example.         300     IN      RRSIG   DNAME 3 2 300
20110811002909 20110712002909 41604 example.
BKfBYKdcGieT+EEIGl2vilfsl7egcmfvQsLgAwEhp1vQPJTxkNNJ6BM=
foo.dname2.example.     0       IN      CNAME   foo.dname2-target.example.
foo.dname2-target.example. 300  IN      TXT     "testing dname"
foo.dname2-target.example. 300  IN      RRSIG   TXT 3 3 300
20110811002909 20110712002909 41604 example.
BAXpPonMvpx/Dyw/z0UP9DwYiLWlrffj9zJF7V7kfxpLF7X/mTftZWE=
foo.dname2-target.example. 3600 IN      NSEC    dynamic.example. TXT RRSIG NSEC
foo.dname2-target.example. 3600 IN      RRSIG   NSEC 3 3 3600
20110811002909 20110712002909 41604 example.
BFyRlAUY3vBL2E7JEyezzaxjgBoycn0M5ZXJ8vRxa7suQi7cnoo6Z1s=

;; AUTHORITY SECTION:
example.                300     IN      NS      ns2.example.
example.                300     IN      NS      ns3.example.

;; ADDITIONAL SECTION:
ns2.example.            300     IN      A       10.53.0.2
ns3.example.            300     IN      A       10.53.0.3

;; Query time: 92 msec
;; SERVER: 10.53.0.8#53(10.53.0.8)
;; WHEN: Tue Jul 12 09:38:11 2011
;; MSG SIZE  rcvd: 474