[Unbound-users] Expired RRSIGs, yet still "AD" flag set

Hauke Lampe
Wed Mar 30 15:48:06 CEST 2011

Jan-Piet Mens wrote:

> > I was just curious why mail to that domain still got delivered, even
> > though the BIND resolver logged lots of validation failures.
> Maybe from MXs that are using non-validating resolvers?

I'm the sender, not the receiver.

The mailserver uses two resolvers, BIND and Unbound. BIND returned SERVFAIL while Unbound still served a "validated" answer. Both should have cached the answer earlier, as there's a constant flow of mail towards it from here. I don't know if it had already expired from BIND's cache, though.