[Unbound-users] SERVFAIL for an abbreviated TLD local zone
Robert Edmonds
edmonds at debian.org
Sun Dec 7 20:37:30 UTC 2014
martin f krafft wrote:
> Do you have any idea why unbound is failing on the abbreviated zone
> requests?
Your second Unbound instance is receiving answers that do not validate
from the first Unbound instance. (The root zone is signed and
authentically denies the existence of "gern".)
> If I remove the auto-trust-anchor-file config directive, it works,
> so it seems this is DNSSEC-related (none of my zones are signed
> yet). Can someone enlighten me and help me understand what's going
> on?
DNSSEC protects against the kind of interloping you described.
Removing the auto-trust-anchor-file line disables validation.
> What's the best way to solve this?
You could sign your "gern" zone and configure a trust anchor for that
zone, or you could use the "domain-insecure" option in unbound.conf to
configure a "negative trust anchor".
--
Robert Edmonds
edmonds at debian.org
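The "negative trust anchor" fix described in the reply, as an added configuration example for the second (validating) Unbound instance; this is not configuration from the original thread. It assumes the first Unbound instance listens on 127.0.0.1 port 5353, that the root key lives at /var/lib/unbound/root.key, and that the private TLD is literally "gern"; adjust those to your setup.

```conf
# unbound.conf for the second (validating, client-facing) instance.
# Assumed: the first instance that serves the private "gern" zone
# listens on 127.0.0.1:5353 (hypothetical address, not from the thread).
server:
    interface: 127.0.0.1
    port: 53

    # Keep validation enabled. Removing this line is what made the
    # queries "work", but only because it switched DNSSEC off entirely.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

    # Negative trust anchor: the signed root zone proves "gern" does not
    # exist, so without this line every answer for gern is bogus and
    # the client gets SERVFAIL. This tells the validator to treat the
    # "gern" subtree as unsigned instead of as a forgery.
    domain-insecure: "gern"

    # Unbound refuses to send queries to localhost by default; needed
    # because the forward target below is on 127.0.0.1.
    do-not-query-localhost: no

    # Alternative to domain-insecure: sign the "gern" zone on the first
    # instance and publish its DS here. Fill in the real DS record for
    # your key (placeholder fields, not values from the thread).
    # trust-anchor: "gern. DS <keytag> <algorithm> <digesttype> <digest>"

# Send everything under "gern" to the first instance instead of to the
# public root servers, where it would be authentically denied.
forward-zone:
    name: "gern"
    forward-addr: 127.0.0.1@5353
```

Run `unbound-checkconf` on the file before reloading; a typo in `domain-insecure` or `forward-zone` is reported there rather than showing up as another SERVFAIL. Note that `domain-insecure` disables validation only for names under "gern"; the rest of the namespace is still validated against the root trust anchor.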