On 28.04.19 at 14:07, Stefan Kublinski via Unbound-users wrote:
> Hello,
>
> I have an issue with unbound 1.9.1.
>
> I am trying to get tlsa records from domain _25._tcp.do.havedane.net
> but this fails with unbound. DNSSEC validation tools report no issues
> with that domain though.
>
> query: $ dig -t tlsa _25._tcp.do.havedane.net @::1 +dnssec
> which yields NXDOMAIN and no tlsa records, but with Google Public DNS
> $ dig -t tlsa _25._tcp.do.havedane.net @8.8.4.4 +dnssec
> I do get tlsa records with ad flag

Google DNS doesn't use qname minimization.
The nameserver for havedane.net returns NXDOMAIN when I ask for _tcp.do.havedane.net.
Then there can't be a _25._tcp.do.havedane.net.
Only if you disable qname minimisation will unbound ask havedane.net's nameserver for "_25._tcp.do" (dotted hostname) and get an answer.

The nameserver for havedane.net should get fixed: http://dnsviz.net/d/_25._tcp.do.havedane.net/dnssec/

Andreas
Re: do.havedane.net nsec3 issue (sec_status_insecure) unbound 1.9.1
A. Schulze via Unbound-users Sun, 28 Apr 2019 06:38:55 -0700
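The behaviour described in this reply, as an added example that is not part of the original message or of unbound's code: a small Python simulation of a resolver with and without qname minimisation, talking to an authoritative server that answers NXDOMAIN for the empty non-terminal `_tcp.do.havedane.net`. The zone contents, function names and the `A` type used for intermediate queries are assumptions made for illustration.

```python
# Constructed zone data (not real records): names that own records at the
# simulated havedane.net authoritative server.
ZONE = {
    "havedane.net.": {"SOA", "NS"},
    "do.havedane.net.": {"A"},
    "_25._tcp.do.havedane.net.": {"TLSA"},
}

def authoritative(qname, qtype, ent_aware):
    """Answer one query with an rcode-like string.

    ent_aware=False models the fault from the thread: an empty non-terminal
    (no records of its own, but names below it) is answered with NXDOMAIN.
    """
    if qname in ZONE:
        return "NOERROR" if qtype in ZONE[qname] else "NODATA"
    has_children = any(name.endswith("." + qname) for name in ZONE)
    if has_children and ent_aware:
        return "NODATA"  # correct: the name exists, it just has no data
    return "NXDOMAIN"

def resolve(qname, qtype, minimise, ent_aware, apex="havedane.net."):
    """Return (final rcode, list of (name, type) queries sent to the server)."""
    sent = []
    labels = [l for l in qname[: -len(apex)].split(".") if l]
    if not minimise or not labels:
        # Classic behaviour: send the full name in one query.
        sent.append((qname, qtype))
        return authoritative(qname, qtype, ent_aware), sent
    # Minimised behaviour: reveal one more label per query, closest to apex first.
    for i in range(len(labels) - 1, -1, -1):
        name = ".".join(labels[i:]) + "." + apex
        final = i == 0
        step_type = qtype if final else "A"  # assumed intermediate query type
        sent.append((name, step_type))
        rcode = authoritative(name, step_type, ent_aware)
        # RFC 8020: NXDOMAIN means nothing exists at or below this name.
        if rcode == "NXDOMAIN" or final:
            return rcode, sent

if __name__ == "__main__":
    target = "_25._tcp.do.havedane.net."
    for minimise in (True, False):
        for ent_aware in (False, True):
            rcode, sent = resolve(target, "TLSA", minimise, ent_aware)
            print(f"minimise={minimise} ent_aware={ent_aware}: {rcode} after {sent}")
```

Only the combination of qname minimisation and the faulty empty non-terminal handling produces NXDOMAIN for the TLSA name; fixing the authoritative server makes both resolver modes agree.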
