Maintained by: NLnet Labs

[Unbound-users] DLV anchor and unsigned domains

W.C.A. Wijngaards
Fri Mar 28 11:01:10 CET 2014


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Alan,

You log stops just when it gets interesting - what it does with the
NSEC3 response to a DLV lookup for your DLV repository.  But anyway, I
can see why it fails.  Unbound only supports DLV with NSEC, so that it
can do aggressive negative caching with that.  It has not implemented
the mandatory aggressive negative DLV caching for NSEC3.  You should
change your private dlv repository and sign it with NSEC.

Best regards,
   Wouter


On 03/28/2014 10:53 AM, Alan Jurcic wrote:
> On 27.03.14 at 16:40, W.C.A. Wijngaards wrote:
>> 
>> Can you provide details logs about what happens when you query 
>> carnet.hr and get SERVFAIL?  Like, with verbosity 4,
>> val-log-level: 2. That should also printout a reason for the
>> servfail in the logs.  If it works for bind, then the bug must be
>> in unbound.
>> 
> 
> Wouter,
> 
> Complete log for the unsigned domain query can be found here:
> http://pastebin.com/CBSM4pEz
> 
> It looks like unbound behaves differently for DLV trust anchor. It
> expects DNSSEC and when it receives NXDOMAIN for DLV query the
> result is an error and SERVFAIL to the user.
> 
> Cheers,
> 
> Alan
> 

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBAgAGBQJTNUhmAAoJEJ9vHC1+BF+NSVsP/3dPqH/SKsw5npgmaTj8IcYZ
tbrU7Y7YR/5yWF2jIF4ZPthutlmyUksVEm213b2KPXt95myLhtoO1oGyOGnDTgaY
lyMLtpvrwj6fyO7huTArUoqRjGRbQgEDFue9TQT12HjcS2FKOgKU7WUH5btO+bOx
jMYaRyvi5+MVVJbOiUIH2tEO7VwZvhodOhX6lCJ+b+zm6qUXhNnew/WnmklhtptT
XjPFajCRMzxpbmuU/tAFSemHwxidBMSY9pq7SBry2MUhhZMoCOsB0BPY6rKVc3tA
+u6IwQjy/GatUcFb7RMAnsUY1OBGvRU/ZuftyCvitAQPVFf3GlLMuWKw826xLsET
hf0X7K9Zw0dpieeVMuljIYCJ5vB4he6kohWCAK8L9hqedkzVzQtvINI49XBPWGJ7
CaaycnIXiDy1bUrn7u5Qihmyd30IMToVzUelKLipd/wqZ3PO7AprNnR46D3TeWQr
3pHk9GRMwWdwQ10pnPQ73bchm+PpEjAhopk/8Vpweg4KpBDLV5esD67BS2r8TasD
M8tq7DoJ95gLivyQ6wJitbNBuzH6eSEbFLirtrr8kcu34AmOQG1vur6fUsfObPmO
3dY6l1ITbvieslUEGYapOUS5NwUnwF7997Fz1f9nw6YGf7g9VP+/nLfHZ9cBxQ6V
592qoac4Nb1UZ6eYcxpL
=/ZLF
-----END PGP SIGNATURE-----