On 2012/09/05 00:19, Han Boetes wrote:
> So I am running unbound with the dnssec extensions:
>
> % stripcom /var/unbound/etc/unbound.conf
> server:
>     verbosity: 1
>     module-config: "validator iterator"
>     auto-trust-anchor-file: "/var/unbound/etc/root.key"
>     val-log-level: 2
>
>
> % nslookup www.dnssec-failed.org
> ;; Got SERVFAIL reply from 127.0.0.1, trying next server
> Server:     x.y.z.a
> Address:    x.y.z.a#53
>
> Non-authoritative answer:
> Name:    www.dnssec-failed.org
> Address: 69.252.208.135
> Name:    www.dnssec-failed.org
> Address: 69.252.216.215
>
>
> Well that's nice: unbound prevented a reply but gethostbyname()
> simply switched to the next server in resolv.conf. So for example
> lynx also shows the given url/webpage.
>
> Yes, I can remove that secondary server from resolv.conf, that
> would be a work-around.
>
> What I was thinking is that it would be nice if unbound would send
> a signal like: DNSSEC-FAILED and that gethostbyname() would not
> try the next server. Would that make sense?

RFC4035 5.5 doesn't permit anything other than ServFail (rcode 2) here.

> Please CC me since I'm not subscribed to this list.

I've CC'd you anyway, but why set Mail-Followup-To if you want direct replies?
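The failure mode in the quoted message, modelled as an added example (this is not code from the poster, from the list, or from the unbound project). The stub resolver in libc treats SERVFAIL as "try the next nameserver", so DNSSEC validation in unbound only protects the host if every `nameserver` line in resolv.conf points at a validating resolver. The two resolv.conf files, the 192.0.2.53 address standing in for the non-validating forwarder and the per-server answer table are constructed; the two addresses for www.dnssec-failed.org are the ones in the quoted nslookup output. The cap of three nameservers follows the MAXNS limit of the BSD and glibc resolvers.

```python
"""Model of a libc stub resolver walking past a validating resolver's
SERVFAIL to an unvalidated answer from the next server in resolv.conf."""

SERVFAIL = "SERVFAIL"
MAXNS = 3  # BSD/glibc resolvers honour at most this many nameserver lines

# Constructed resolv.conf contents (not the poster's real files).
RESOLV_CONF_MIXED = """\
# local validating unbound first, non-validating ISP resolver second
nameserver 127.0.0.1
nameserver 192.0.2.53
search example.net
"""

RESOLV_CONF_LOCAL_ONLY = """\
nameserver 127.0.0.1
"""

# Constructed answer table. 127.0.0.1 stands in for the validating unbound
# instance, which returns SERVFAIL for the deliberately broken zone;
# 192.0.2.53 (assumed address) stands in for a resolver that does not
# validate and hands back the A records from the quoted nslookup output.
RESPONSES = {
    "127.0.0.1": {
        "www.dnssec-failed.org": SERVFAIL,
        "good.example.net": ["192.0.2.10"],
    },
    "192.0.2.53": {
        "www.dnssec-failed.org": ["69.252.208.135", "69.252.216.215"],
        "good.example.net": ["192.0.2.10"],
    },
}


def parse_nameservers(resolv_conf):
    """Return the nameserver addresses a stub resolver would use, in order,
    ignoring comments and anything past MAXNS entries."""
    servers = []
    for line in resolv_conf.splitlines():
        # resolv.conf allows '#' and ';' comments
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers[:MAXNS]


def query(server, name, responses=RESPONSES):
    """Constructed stand-in for sending a query: look the answer up in the
    table; an unknown server or name behaves like a SERVFAIL."""
    return responses.get(server, {}).get(name, SERVFAIL)


def stub_resolve(name, resolv_conf, responses=RESPONSES):
    """Emulate gethostbyname(): on SERVFAIL move on to the next nameserver.
    Returns (addresses, server_that_answered), or (None, None) when every
    configured server failed."""
    for server in parse_nameservers(resolv_conf):
        answer = query(server, name, responses)
        if answer == SERVFAIL:
            continue  # this is the fallback that defeats validation
        return answer, server
    return None, None


def audit_resolv_conf(resolv_conf, validating):
    """Return every configured nameserver that is not a known validating
    resolver. Any entry in this list gives gethostbyname() a path around
    the SERVFAIL that unbound returns for a bogus name."""
    return [s for s in parse_nameservers(resolv_conf) if s not in validating]


if __name__ == "__main__":
    for label, conf in (("mixed", RESOLV_CONF_MIXED),
                        ("local-only", RESOLV_CONF_LOCAL_ONLY)):
        addrs, via = stub_resolve("www.dnssec-failed.org", conf)
        print(f"{label}: www.dnssec-failed.org -> {addrs} via {via}")
        print(f"{label}: non-validating servers: "
              f"{audit_resolv_conf(conf, {'127.0.0.1'})}")
```

With the mixed file the bogus name resolves through 192.0.2.53 exactly as the quoted nslookup run shows; with only 127.0.0.1 configured the lookup fails outright, which is the work-around the poster mentions. The audit function is the check to run on a host that relies on a local validator: anything it returns is a nameserver the stub will silently fall through to.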
