On Sun, 20 Feb 2011, Jan-Piet Mens wrote:
> The following queries, and their reply codes: (the order of queries
> appears to be irrelevant)
> dig @127.0.0.1 +dnssec test.jpmens.org -> ANSWER
> dig @127.0.0.1 +dnssec test.jpmens.org ANY -> ANSWER
> dig @127.0.0.1 +dnssec test.jpmens.org SSHFP -> SERVFAIL
> dig @127.0.0.1 +dnssec test.jpmens.org SSHFP -> ANSWER
That worked for me on the first attempt.
;; ANSWER SECTION:
test.jpmens.org. 120 IN SSHFP 2 1
C74B4801FD01A68834FF45BACFA114FC3B0C47AA
test.jpmens.org. 120 IN RRSIG SSHFP 8 3 120 20110303000000
20110217000000 50853 jpmens.org.
TBq2RoNNMkRv5bnesvjUIsIVVi/Yv0WAiB5527r2v8G5kGpJcUks/Y54
S3ZMc+Ys35EKE+5aQQ7wplioA3Mv59XZu0jeYecQI+Z4sWT4CJyIag9j
vs97WjGfBshG8GvUqMjRpPwfa0ITGvHcCnVwpDudH2G2hsJz6cOecqqZ kbw=
> dig @127.0.0.1 +dnssec test.jpmens.org A -> SERVFAIL
> dig @127.0.0.1 +dnssec test.jpmens.org SOA -> SERVFAIL
Those don't exist? And neither do any NS records?
> I've had to disable `harden-referral-path' because the NS RRset for
> jpmens.org isn't yet signed.
That should not matter. Hardening just queries multiple name servers for
the same data to make spoofing harder. It does not mandate dnssec.
I think your problem is with your zone?
Paul
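An added worked example, not part of the thread and not code from Unbound or from either poster: it parses the SSHFP and RRSIG lines quoted above, checks the RRSIG validity window (a signature outside its inception/expiration window is the most common reason a validating resolver returns SERVFAIL for a +dnssec query that would otherwise answer), and computes an SSHFP fingerprint from an OpenSSH host key the way `ssh-keygen -r` does, so a published record can be checked against the key a host actually presents. The ssh-ed25519 key blob is a constructed placeholder, not a real key, and the algorithm and hash-type numbers are the IANA values from RFC 4255, RFC 6594 and RFC 7479.

```python
"""Check SSHFP answers and RRSIG validity windows from dig-style output.

Added example for the thread above; not code from Unbound, the list, or
either poster.  ANSWER_SECTION is built from the records quoted in the
thread, with the wrapped RRSIG base64 re-joined onto one line.
"""
import base64
import hashlib
from datetime import datetime, timezone

# SSHFP algorithm numbers (RFC 4255, 6594, 7479) and fingerprint types.
SSHFP_ALGORITHMS = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
                    "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3,
                    "ssh-ed25519": 4}
SSHFP_HASHES = {1: hashlib.sha1, 2: hashlib.sha256}

# Constructed sample: the SSHFP and RRSIG records quoted in the thread.
ANSWER_SECTION = """\
test.jpmens.org. 120 IN SSHFP 2 1 C74B4801FD01A68834FF45BACFA114FC3B0C47AA
test.jpmens.org. 120 IN RRSIG SSHFP 8 3 120 20110303000000 20110217000000 50853 jpmens.org. TBq2RoNNMkRv5bnesvjUIsIVVi/Yv0WAiB5527r2v8G5kGpJcUks/Y54S3ZMc+Ys35EKE+5aQQ7wplioA3Mv59XZu0jeYecQI+Z4sWT4CJyIag9jvs97WjGfBshG8GvUqMjRpPwfa0ITGvHcCnVwpDudH2G2hsJz6cOecqqZkbw=
"""

# Constructed, structurally valid ssh-ed25519 public-key blob (NOT a real
# key): SSH string "ssh-ed25519" followed by a 32-byte placeholder key.
SAMPLE_ED25519_BLOB = base64.b64encode(
    b"\x00\x00\x00\x0bssh-ed25519" + b"\x00\x00\x00\x20" + bytes(range(32))
).decode()


def _sigtime(s):
    """RRSIG times are YYYYMMDDHHMMSS in UTC (RFC 4034 section 3.2)."""
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_answer(text):
    """Parse presentation-format SSHFP and RRSIG lines into dicts."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[2] != "IN":
            continue
        owner, ttl, _, rtype = fields[:4]
        rdata = fields[4:]
        if rtype == "SSHFP":
            records.append({"type": "SSHFP", "owner": owner, "ttl": int(ttl),
                            "algorithm": int(rdata[0]), "fptype": int(rdata[1]),
                            "fingerprint": "".join(rdata[2:]).upper()})
        elif rtype == "RRSIG":
            records.append({"type": "RRSIG", "owner": owner, "ttl": int(ttl),
                            "covered": rdata[0], "algorithm": int(rdata[1]),
                            "labels": int(rdata[2]), "orig_ttl": int(rdata[3]),
                            "expiration": _sigtime(rdata[4]),
                            "inception": _sigtime(rdata[5]),
                            "keytag": int(rdata[6]), "signer": rdata[7],
                            "signature": "".join(rdata[8:])})
    return records


def rrsig_status(rrsig, now):
    """Classify an RRSIG's validity window at time `now`.

    `now` is a UTC datetime or a YYYYMMDDHHMMSS string.  A validator treats
    a signature outside [inception, expiration] as bogus, which surfaces as
    SERVFAIL on a +dnssec query.
    """
    if isinstance(now, str):
        now = _sigtime(now)
    if now < rrsig["inception"]:
        return "not-yet-valid"
    if now > rrsig["expiration"]:
        return "expired"
    return "valid"


def sshfp_from_key(keytype, b64blob, fptype=1):
    """Compute SSHFP rdata for an OpenSSH public key (as ssh-keygen -r does)."""
    algorithm = SSHFP_ALGORITHMS[keytype]
    digest = SSHFP_HASHES[fptype](base64.b64decode(b64blob)).hexdigest().upper()
    return {"algorithm": algorithm, "fptype": fptype, "fingerprint": digest}


def host_key_matches(records, keytype, b64blob):
    """True if any SSHFP record in `records` matches the given host key."""
    for fptype in SSHFP_HASHES:
        expected = sshfp_from_key(keytype, b64blob, fptype)
        for rec in records:
            if (rec["type"] == "SSHFP"
                    and rec["algorithm"] == expected["algorithm"]
                    and rec["fptype"] == fptype
                    and rec["fingerprint"] == expected["fingerprint"]):
                return True
    return False


if __name__ == "__main__":
    recs = parse_answer(ANSWER_SECTION)
    for r in recs:
        if r["type"] == "RRSIG":
            # 20 Feb 2011 is the date of the thread; the RRSIG is valid then.
            print("RRSIG over", r["covered"], "is", rrsig_status(r, "20110220000000"))
    # The published record is DSA/SHA-1; the sample Ed25519 key cannot match it.
    print("sample key matches published SSHFP:",
          host_key_matches(recs, "ssh-ed25519", SAMPLE_ED25519_BLOB))
```

The two checks are deliberately separate: `rrsig_status` tells you whether the resolver's SERVFAIL is explained by signature lifetime, while `host_key_matches` tells you whether the SSHFP data itself is what the host serves. A SERVFAIL that persists while the RRSIG window is valid points, as Paul says, at the zone's signing chain rather than at the record.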
_______________________________________________
Unbound-users mailing list
[email protected]
http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users