Maintained by: NLnet Labs

[Unbound-users] SERVFAIL for an abbreviated TLD local zone

Robert Edmonds
Sun Dec 7 21:37:30 CET 2014


martin f krafft wrote:
> Do you have any idea why unbound is failing on the abbreviated zone
> requests?

Your second Unbound instance is receiving answers that do not validate
from the first Unbound instance.  (The root zone is signed and
authentically denies the existence of "gern".)

> If I remove the auto-trust-anchor-file config directive, it works,
> so it seems this is DNSSEC-related (none of my zones are signed
> yet). Can someone enlighten me and help me understand what's going
> on?

DNSSEC protects against the kind of interloping you described.
Removing the auto-trust-anchor-file line disables validation.

> What's the best way to solve this?

You could sign your "gern" zone and configure a trust anchor for that
zone, or you could use the "domain-insecure" option in unbound.conf to
configure a "negative trust anchor".

-- 
Robert Edmonds
edmonds at debian.org
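For readers following the thread, here is an illustrative unbound.conf fragment for the second (validating) instance that applies the "negative trust anchor" approach described above. This is an added example, not configuration from the original post or from NLnet Labs; the trust anchor path, the upstream address 192.0.2.1 (the first Unbound instance) and the use of a stub-zone rather than a forward-zone are assumptions.

```conf
server:
    # Keep DNSSEC validation enabled for everything else.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"   # assumed path

    # "gern" is an unsigned private TLD that the signed root zone
    # authentically denies. Without this line the DS lookup at the root
    # yields a proof of nonexistence and every answer under "gern" is
    # rejected as bogus (SERVFAIL). domain-insecure tells the validator
    # to treat the name as insecure instead of bogus, so answers are
    # returned but without the AD (authenticated data) flag.
    domain-insecure: "gern"

# Send queries for "gern" to the first Unbound instance, which serves
# the zone locally. Address is a documentation-range placeholder.
stub-zone:
    name: "gern"
    stub-addr: 192.0.2.1
```

After changing the file, `unbound-checkconf` verifies the syntax and `unbound-control reload` applies it. Scope the domain-insecure entry as narrowly as possible (the single private TLD, not a parent of public names), since everything beneath it is exempt from validation.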