So I am running unbound with the DNSSEC extensions:

    % stripcom /var/unbound/etc/unbound.conf
    server:
        verbosity: 1
        module-config: "validator iterator"
        auto-trust-anchor-file: "/var/unbound/etc/root.key"
        val-log-level: 2
    % nslookup www.dnssec-failed.org
    ;; Got SERVFAIL reply from 127.0.0.1, trying next server
    Server:         x.y.z.a
    Address:        x.y.z.a#53

    Non-authoritative answer:
    Name:   www.dnssec-failed.org
    Address: 69.252.208.135
    Name:   www.dnssec-failed.org
    Address: 69.252.216.215

Well, that's nice: unbound prevented a reply, but gethostbyname() simply switched to the next server in resolv.conf. So, for example, lynx also shows the given URL/webpage.

Yes, I can remove that secondary server from resolv.conf; that would be a work-around. What I was thinking is that it would be nice if unbound would send a signal like DNSSEC-FAILED and that gethostbyname() would not try the next server.

Would that make sense?

Please CC me, since I'm not subscribed to this list.

# Han
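As an added illustration (not part of Han's message or of unbound), the script below shows the failure mode described above and the check a practitioner would run before relying on a validating resolver on 127.0.0.1: it parses a resolv.conf, lists the fallback nameservers that a stub resolver will try once the local validator returns SERVFAIL, and mimics that retry-on-SERVFAIL behaviour so the bogus answer from the second server is visible. The resolv.conf text, the server address 192.0.2.53 and the per-server answers are constructed for the example; the two addresses for www.dnssec-failed.org are the ones from the nslookup output in the post.

```python
"""Find resolv.conf fallback servers that bypass a local DNSSEC validator.

Added example: models the behaviour seen in the post, where a SERVFAIL from
unbound on 127.0.0.1 makes the libc stub resolver try the next nameserver.
"""
import ipaddress

# Constructed resolv.conf, modelled on the post: unbound validates on
# 127.0.0.1, followed by a second, non-validating server (192.0.2.53 is a
# documentation address used here as a stand-in).
SAMPLE_RESOLV_CONF = """\
# generated by dhclient
search example.net
nameserver 127.0.0.1
nameserver 192.0.2.53
options timeout:2
"""

LOCALHOST = ("127.0.0.1", "::1")

# Constructed per-server answers for a lookup of www.dnssec-failed.org:
# the validator refuses (SERVFAIL), the fallback server hands out the
# unvalidated addresses shown in the post.
SAMPLE_ANSWERS = {
    "127.0.0.1": ("SERVFAIL", []),
    "192.0.2.53": ("NOERROR", ["69.252.208.135", "69.252.216.215"]),
}


def parse_nameservers(text):
    """Return the nameserver addresses from resolv.conf text, in file order."""
    servers = []
    for raw in text.splitlines():
        # '#' and ';' both start comments in resolv.conf
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if fields[0] == "nameserver" and len(fields) >= 2:
            try:
                servers.append(str(ipaddress.ip_address(fields[1])))
            except ValueError:
                pass  # malformed address: skipped, as the libc parser does
    return servers


def fallback_servers(servers):
    """Servers a stub resolver tries after the local validator SERVFAILs.

    If no local validator is listed first, every server is unvalidated
    and the whole list is returned.
    """
    if not servers or servers[0] not in LOCALHOST:
        return list(servers)
    return [s for s in servers[1:] if s not in LOCALHOST]


def stub_resolve(servers, answers):
    """Mimic the stub resolver: on SERVFAIL (or no reply) move to the next server.

    Returns (server_that_answered, addresses); (None, []) if nobody answered.
    """
    for server in servers:
        rcode, addrs = answers.get(server, ("TIMEOUT", []))
        if rcode == "NOERROR":
            return server, addrs
    return None, []


if __name__ == "__main__":
    servers = parse_nameservers(SAMPLE_RESOLV_CONF)
    leaks = fallback_servers(servers)
    if leaks:
        print("validation can be bypassed via fallback servers:", ", ".join(leaks))
    who, addrs = stub_resolve(servers, SAMPLE_ANSWERS)
    print("answer came from", who, "->", addrs)
    # The work-around from the post: keep only the validator in resolv.conf.
    print("validator only ->", stub_resolve(servers[:1], SAMPLE_ANSWERS))
```

Run with the validator alone, `stub_resolve` returns no answer, which is the behaviour Han wanted; with the second server present the unvalidated addresses come back exactly as nslookup showed. The check in `fallback_servers` is what to run on a host before trusting that SERVFAIL from unbound actually blocks a bogus name.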
