Rainer Duffner via Unbound-users <[email protected]> wrote:
>
> I have a setup where unbound is behind BIND 9.11 (due to RPZ handling).
>
> In this setup, unbound cannot resolve one particular domain: nkb.ch due to
> DNSSEC failure.
>
> However, BIND does correctly resolve the domain.

Well, dnsviz agrees with unbound that the zone's DS RRset doesn't match its DNSKEY RRset.

https://dnsviz.net/d/nkb.ch/dnssec/

It looks like your BIND upstream is not configured to validate (i.e. its configuration lacks `dnssec-validate auto;`) because your logs say that the response to unbound's nkb.ch DS query did not have the "ad" (authenticated data) bit set.

So I think both BIND and Unbound are correct, but their configurations disagree about what is correct.

Tony.
-- 
f.anthony.n.finch <[email protected]> https://dotat.at/
Malin, South Hebrides: Southeasterly 3 to 5, becoming variable 2 to 4. Slight or moderate, occasionally rough at first in west. Rain. Good, occasionally moderate.
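The kind of DS/DNSKEY mismatch reported above can be checked offline. The following is an added example, not part of the original message: it computes the RFC 4034 key tag and the SHA-256 (digest type 2) DS digest for a DNSKEY and tests whether a DS record matches any key in a DNSKEY RRset. The owner name, key material and function names are constructed for illustration and are not data for nkb.ch.

```python
import hashlib
import struct

def name_to_wire(name: str) -> bytes:
    """Canonical (lowercased) wire form of an owner name, RFC 4034 section 6.2."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: flags (16 bit), protocol (8), algorithm (8), public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (not valid for algorithm 1)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_digest_sha256(owner: str, rdata: bytes) -> str:
    """DS digest type 2: SHA-256 over owner name wire form + DNSKEY RDATA."""
    return hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()

def ds_matches_dnskey(owner, ds, dnskeys) -> bool:
    """ds = (key_tag, algorithm, digest_type, digest_hex); dnskeys = list of RDATA."""
    tag, alg, dtype, digest = ds
    if dtype != 2:
        raise ValueError("only digest type 2 (SHA-256) is handled here")
    for rdata in dnskeys:
        # Byte 3 of the RDATA is the algorithm number.
        if (rdata[3] == alg and key_tag(rdata) == tag
                and ds_digest_sha256(owner, rdata) == digest.lower()):
            return True
    return False

# Constructed sample data: two unrelated algorithm-13 keys for a made-up zone.
OWNER = "example.test."
KEY_A = dnskey_rdata(257, 3, 13, bytes(range(64)))
KEY_B = dnskey_rdata(257, 3, 13, bytes(range(64, 128)))
DS_FOR_A = (key_tag(KEY_A), 13, 2, ds_digest_sha256(OWNER, KEY_A))

if __name__ == "__main__":
    # A validator treats the zone as bogus when no DNSKEY matches the parent's DS.
    print("DS matches KEY_A:", ds_matches_dnskey(OWNER, DS_FOR_A, [KEY_A]))
    print("DS matches KEY_B:", ds_matches_dnskey(OWNER, DS_FOR_A, [KEY_B]))
```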
