-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi Andreas,
On 11/03/2010 09:07 AM, [email protected] wrote: > It seems more that unbound and bind disagree in their opinion if the > signature is expired or not. As said the time unbound starts failing the > same queries done directly to the upstream resolve *and* validate fine. > So the options are: That is strange. Your clocks are synchronised, so that is not it. Could it have been the recent daylight-savings change somehow? Both bind and unbound may have some leeway for expired signatures that you can configure; val-sig-skew-max and val-sig-skew-min config options for unbound. > - Bind does not send the same data it is using for validation to the > downtsream (unbound) client. Would be a Bind bug i guess. Try doing a dig @<bind> name +dnssec and then with +dnssec +cdflag. If that is different, then this is happening. > - Unbound and Bind do validation different (should not happen IMHO) Yes. > - Validation in Unbound for some cases is broken. Would be a bug in > Unbound i guess. Well, when unbound refuses to validate it, enable val-log-level: 2, and take a look in the log file, it gives a detailed error. Then dig +dnssec and dig +dnssec +cdflag when it mentions (also to the unbound so see what is in the cache, and also at the IP address it mentions). If you enable val-log-level: 2 (and you can have verbosity low), it gives one line per validation failure. This is a (relatively) low amount of logging, but very useful, as it tells you why exactly unbound failed the query. > It would be nice to get help how to debug this as DNSSEC "by-hand" is > somewhat challenging. This is pretty easy, the RRSIG notes .... RRSIG bla bla expiration inception bla bla. They are in yyyymmddhhmmss format UTC. Most signers leave a couple weeks headroom in the expiration date. Best regards, Wouter -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAkzRIHYACgkQkDLqNwOhpPikxwCfZg1tMO8eQY4UJDv5ZquCd+sY MkEAnR58F9ps9gV6rUpCsh7w32iFhM0B =+/RQ -----END PGP SIGNATURE----- _______________________________________________ Unbound-users mailing list [email protected] http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
