[ DNS issues, glueless delegation, confusing NSEC???]

Viktor Dukhovni
Fri Mar 3 22:33:34 CET 2017

On Thu, Mar 02, 2017 at 01:35:41PM +0100, W.C.A. Wijngaards wrote:

> What is happening is that the domain has both a signed parent and
> unsigned child-zones co-hosted.

Correct, and also missing glue records for the delegation from one
to the other, and the child zones happen to be the nameservers for both.

> This confuses unbound's
> dnssec-missing-response failover that starts to look for alternatives.
> This takes a long time because of the timeouts because of the
> non-responding servers.  After a while it gets that no better
> alternative exists, uses the unsigned response and this is correctly
> insecure for DNSSEC.  But these timeouts could cause issues, I guess.

What I see (from time to time) seems more than just transient
timeouts.  Anyway the domain has multiple configuration issues
that its owners should resolve.

If this brings to light something worth improving in unbound that'd
be cool too, but so far I've not identified any specific unbound
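The delegation shape the message describes (a signed parent whose own apex nameservers live inside an unsigned child that is delegated without glue) can be checked statically from the parent's delegation data. The following is an added example, not code from the thread or from unbound: it takes the parent's apex NS set, its delegations with whatever A/AAAA glue the parent publishes, and a per-child "signed" flag, and reports in-bailiwick NS names lacking glue (circular, glueless delegations), apex NS names hosted in a child, and the signed-parent/unsigned-child combination. All zone names and records below are constructed for illustration.

```python
# Added example (not from the mailing-list thread or from unbound): static
# check for glueless, circular delegations and for a parent's apex NS set
# being hosted inside one of its own (possibly unsigned) child zones.

def norm(name):
    """Canonical form used for comparisons: lowercase, no trailing dot."""
    return name.lower().rstrip(".")


def in_bailiwick(name, zone):
    """True if name equals zone or is a proper subdomain of it."""
    name, zone = norm(name), norm(zone)
    return name == zone or name.endswith("." + zone)


def check_delegations(parent, parent_signed, parent_ns, delegations, glue, child_signed):
    """
    parent:        parent zone name
    parent_signed: True if the parent zone is DNSSEC-signed
    parent_ns:     apex NS names of the parent zone
    delegations:   {child zone: [NS names]} as published in the parent
    glue:          names for which the parent publishes A/AAAA glue
    child_signed:  {child zone: bool}, whether each child zone is signed
    Returns a sorted list of (finding, child, nsname) tuples.
    """
    glue = {norm(g) for g in glue}
    signed = {norm(k): v for k, v in child_signed.items()}
    findings = []
    for child, ns_names in delegations.items():
        c = norm(child)
        for ns in ns_names:
            # Out-of-bailiwick NS names need no glue; in-bailiwick ones do,
            # otherwise the only source for their address is the child that
            # the resolver has not reached yet: a circular, glueless delegation.
            if in_bailiwick(ns, c) and norm(ns) not in glue:
                findings.append(("glueless", c, norm(ns)))
        for ns in parent_ns:
            if in_bailiwick(ns, c):
                findings.append(("apex-ns-in-child", c, norm(ns)))
                if parent_signed and not signed.get(c, False):
                    # Signed parent served from an unsigned child: the
                    # co-hosting combination discussed in the thread.
                    findings.append(("apex-ns-in-unsigned-child", c, norm(ns)))
    return sorted(findings)


# Constructed sample data (hypothetical names, not a real deployment).
PARENT = "example.com"
PARENT_NS = ["ns1.sub.example.com.", "ns2.sub.example.com."]
DELEGATIONS = {
    "sub.example.com.":   ["ns1.sub.example.com.", "ns2.sub.example.com."],
    "other.example.com.": ["ns.example.net."],     # out-of-bailiwick, no glue needed
    "ok.example.com.":    ["a.ok.example.com."],   # in-bailiwick, but glue is present
}
GLUE = {"a.ok.example.com."}
CHILD_SIGNED = {
    "sub.example.com.": False,
    "other.example.com.": True,
    "ok.example.com.": True,
}


def run_example():
    """Run the check over the constructed parent zone data."""
    return check_delegations(PARENT, True, PARENT_NS, DELEGATIONS, GLUE, CHILD_SIGNED)


if __name__ == "__main__":
    for finding, child, ns in run_example():
        print(f"{finding:28} child={child} ns={ns}")
```

Only the `sub.example.com` delegation is reported: its two nameservers are inside the child with no glue in the parent, and they are also the parent's apex nameservers while the child is unsigned. The out-of-bailiwick delegation and the in-bailiwick one with glue published produce no findings.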