Thanks for your response again. I'm not an expert in DNSSEC, so I can't answer your first point. As for the second point, I attached my (pretty milquetoast) unbound.conf, not much changed in there; hoping it could give a clue.
Edit: Resending the unbound.conf zipped since the unzipped version got held up by mailman.

Cheers,
--
László Károlyi
https://linkedin/com/in/karolyi

On 06.07.20 23:05, Simon Kelley wrote:
> OK, I can see the proximate cause of the problem, but I'm not sure
> what's causing it and I'm not sure how behaviour needs to change.
>
> The proximate cause is that the upstream server (unbound, I think) is
> returning answers to queries for DNSKEY records with time-to-live as
> zero. Time-to-live zero means "use this once, but don't cache it", so
> dnsmasq doesn't cache it. But the DNSSEC validation process in dnsmasq
> depends on data like DNSKEYs being cached: that's the path by which it
> gets to the correct place for doing the validation. Hence the validation
> failures.
>
> Two questions arise.
>
> 1) Is dnsmasq wrong to fail validation with DNSKEYs with TTL zero? I
> think the answer to that is probably "yes", if only on grounds of "be
> forgiving in what you accept". The fix is fairly simple.
>
> 2) Why is Unbound returning DNSKEY records with TTL zero, over and over
> again? Is there something in your unbound config that causes that?
>
>
> Cheers,
>
> Simon.
<<attachment: unbound.conf.zip>>
_______________________________________________
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
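The symptom Simon describes (the upstream answering DNSKEY queries with TTL 0, so dnsmasq cannot cache the keys it needs for validation) can be checked directly on the wire without reading dnsmasq's debug output. The following script is an added example, not code from this thread, from dnsmasq or from Unbound: it builds a DNS response in wire format, parses the answer section back out, and flags any DNSKEY record whose TTL is zero. The sample responses, the key tag, key material and signature bytes are all constructed placeholders; the only real-world facts used are the DNS wire format (RFC 1035 header, question and RR layout, name compression) and the DNSKEY/RRSIG type codes 48 and 46. To run the same check against a live resolver, capture the answer to `dig @<upstream> -p <port> example.com DNSKEY +dnssec` and feed the raw bytes to zero_ttl_dnskeys().

```python
import struct

TYPE_RRSIG = 46
TYPE_DNSKEY = 48
CLASS_IN = 1


def encode_name(name):
    """Encode a dotted name as DNS labels, terminated by the root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def read_name(msg, off):
    """Decode a possibly compressed name at msg[off]; return (name, next_offset)."""
    labels, end, jumped, hops = [], None, False, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                     # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2                         # resume after the first pointer
            jumped, off, hops = True, ptr, hops + 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if jumped else off)


def build_response(qname, qtype, answers):
    """Build a minimal response: header, one question, answer RRs.

    answers is a list of (rtype, ttl, rdata). Each RR owner name is a
    compression pointer (0xC00C) back to the question name at offset 12.
    """
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(answers), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)
    body = b""
    for rtype, ttl, rdata in answers:
        body += b"\xC0\x0C" + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rdata)) + rdata
    return header + question + body


def parse_answers(msg):
    """Return the answer-section RRs as dicts with name, type, ttl and rdata."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off = 12
    for _ in range(qdcount):                          # skip the question section
        _, off = read_name(msg, off)
        off += 4                                      # qtype + qclass
    records = []
    for _ in range(ancount):
        name, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        records.append({"name": name, "type": rtype, "ttl": ttl, "rdata": msg[off:off + rdlen]})
        off += rdlen
    return records


def zero_ttl_dnskeys(msg):
    """DNSKEY RRs the upstream marked as uncacheable (TTL 0); dnsmasq will not keep these."""
    return [r for r in parse_answers(msg) if r["type"] == TYPE_DNSKEY and r["ttl"] == 0]


# Constructed sample records: flags=257 (KSK), protocol=3, algorithm=13, dummy key bytes;
# RRSIG covering type 48 with dummy timestamps, key tag and signature. Not real key material.
SAMPLE_KEY_RDATA = struct.pack("!HBB", 257, 3, 13) + bytes(32)
SAMPLE_RRSIG_RDATA = (struct.pack("!HBBIIIH", TYPE_DNSKEY, 13, 2, 3600, 0, 0, 12345)
                      + encode_name("example.com.") + bytes(64))

# Constructed answers: the TTL-0 shape described in the thread, and a normal one for contrast.
BAD_RESPONSE = build_response("example.com.", TYPE_DNSKEY,
                              [(TYPE_DNSKEY, 0, SAMPLE_KEY_RDATA), (TYPE_RRSIG, 0, SAMPLE_RRSIG_RDATA)])
GOOD_RESPONSE = build_response("example.com.", TYPE_DNSKEY,
                               [(TYPE_DNSKEY, 3600, SAMPLE_KEY_RDATA), (TYPE_RRSIG, 3600, SAMPLE_RRSIG_RDATA)])


def report(msg):
    """One-line verdict suitable for a shell loop over captured upstream answers."""
    bad = zero_ttl_dnskeys(msg)
    if not bad:
        return "ok: all DNSKEY records carry a non-zero TTL"
    return "warning: %d DNSKEY RR(s) for %s returned with TTL 0" % (len(bad), bad[0]["name"])


if __name__ == "__main__":
    print(report(BAD_RESPONSE))
    print(report(GOOD_RESPONSE))
```

The parser deliberately follows compression pointers, because real answers from Unbound and dnsmasq compress the owner names; a check that only handled uncompressed names would miss exactly the records in question.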