Hi, following up to my own question with a little more information:
> However, for whatever reason, lookups in what can be called the
> "local domain" fail with SERVFAIL. Cranking up the logging of
> unbound, I find in the log
>
> info: Could not establish a chain of trust to keys for example.no. DNSKEY IN
>
> (actual name withheld). I've run "dig" towards both of the
> forward-addr listed name servers, and they both return a "nodata"
> response when queried for the DNSKEY or the DS record for the
> "example.no" domain (as they should). So why does unbound think
> it has a DNSKEY to validate against?!?

Actually, when I do

dig @<local-upstream-resolver> example.no. ds

what I get back is a "nodata" response, but the authority section contains the example.no SOA record (and the AA flag is set), and not the .NO SOA, as it should if the upstream name servers knew the special rule for placement of authority for the DS record (which rests with the parents), which the upstream name servers apparently don't.

And of course, since the upstreams don't do DNSSEC validation, no DNSSEC proof of the non-existence of the DS record is provided. The .NO domain is signed, so unbound is probably unable to verify that there is no DS record for the example.no zone...

...in which case the error message logged could be a little bit clearer...

Regards,

- Håvard
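As an added example (not part of the post, nor unbound's own code), a small Python checker for the symptom described above: it parses the text dig prints for a DS query and reports whether the SOA in the authority section belongs to the parent zone (where the DS rule places it) and whether any DNSSEC denial records accompany it. Both dig outputs below are constructed; the parent-zone server names and the signature are placeholders.

```python
import re

def is_proper_ancestor(parent, child):
    """True if parent is a strict ancestor of child, e.g. 'no.' of 'example.no.'."""
    lab = lambda n: [l for l in n.lower().rstrip(".").split(".") if l]
    p, c = lab(parent), lab(child)
    return len(p) < len(c) and c[len(c) - len(p):] == p

def parse_dig(text):
    """Pull status, answer count and authority (owner, type) pairs out of dig output."""
    r = {"status": None, "answers": 0, "authority": []}
    section = None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line.startswith(";; ->>HEADER<<-"):
            r["status"] = re.search(r"status: (\w+)", line).group(1)
        elif line.startswith(";; flags:"):
            r["answers"] = int(re.search(r"ANSWER: (\d+)", line).group(1))
        elif line.endswith("SECTION:"):
            section = line.strip("; ").split()[0]
        elif section == "AUTHORITY":
            f = line.split()              # owner ttl class type rdata...
            r["authority"].append((f[0], f[3]))
    return r

def classify_ds_nodata(text, qname):
    """Classify the reply to 'dig <qname> DS'. 'child-soa-no-proof' is the post's case: the
    zone's own SOA and no RRSIG/NSEC/NSEC3, so a validator cannot prove the DS is absent."""
    r = parse_dig(text)
    if r["status"] != "NOERROR" or r["answers"] != 0:
        return "not-nodata"
    soas = [o for o, t in r["authority"] if t == "SOA"]
    signed = any(t in ("RRSIG", "NSEC", "NSEC3") for _, t in r["authority"])
    where = "parent" if soas and is_proper_ancestor(soas[0], qname) else "child"
    return where + ("-soa-proof" if signed else "-soa-no-proof")

# Constructed dig output matching the post: the child's own SOA, AA set, no DNSSEC records.
BROKEN_FORWARDER = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; AUTHORITY SECTION:
example.no.  3600  IN  SOA  ns1.example.no. hostmaster.example.no. 1 7200 3600 1209600 3600
"""
# Constructed signed denial from the parent zone (placeholder server names and signature).
PARENT_DENIAL = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 0
;; AUTHORITY SECTION:
no.  900  IN  SOA    ns.parent.placeholder. hostmaster.parent.placeholder. 1 7200 3600 1209600 900
no.  900  IN  RRSIG  SOA 8 1 900 20240101000000 20231201000000 12345 no. <signature-placeholder>
"""
```

Running `classify_ds_nodata(BROKEN_FORWARDER, "example.no.")` yields `child-soa-no-proof`, the combination a validating resolver has nothing to work with; the parent-zone sample yields `parent-soa-proof`.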
