[Unbound-users] Strange validation failures for some wildcard CNAMEs
Ondřej Caletka
ondrej at caletka.cz
Mon Sep 22 10:58:23 UTC 2014
On 17.9.2014 16:05, Ondřej Caletka wrote:
> Hi,
>
> I'm having an issue with validating particular domain names:
>
> $ dig _25._tcp.mail.relia-pc.cz tlsa
> $ dig _443._tcp.kinderporno.cz tlsa
> - validates with BIND, fails with Unbound 1.4.21
> - unbound-host says that cname proof failed
>
> I'm suspecting that there is something wrong on the authoritative side
> since both domains are hosted on the same set of servers. But I'm not
> able to figure out what exactly is wrong and what the answers should
> look like to be validated successfully by Unbound.
>
Hello again,
I think I've found the answer in the DANE WG ML:
http://www.ietf.org/mail-archive/web/dane/current/msg06960.html
Looks like the issue is actually caused by bad wildcard DNSSEC
processing in djbdns.
Thanks for the help.
--
Ondřej Caletka