Hi Jan-Piet, Andreas,

Tested here, the ANY query triggers a validation attempt of the NS record. The NS record is bogus. When it finds out the NS record is bogus, unbound refuses to talk to those nameservers. Therefore it is unable to fetch further data (the SSHFP request) for the zone.

Similar behaviour for the nameserver-glue A, AAAA: if they are bogus unbound refuses to talk to those nameservers.

On 02/21/2011 12:36 PM, Andreas Schulze wrote:
> On 21.02.2011 08:44, Jan-Piet Mens wrote:
>> This is weird.
> yes.
> I'm surprised about three RRSIG for one RR:
>
> $ dig @a.six53.net. jpmens.org. ns +dnssec +short
> a.six53.net.
> b.six53.net.
> c.six53.net.
> d.six53.net.
> NS 8 2 86400 20110303000000 20110217000000 50853 jpmens.org.
> APF6ZYf+cVySBHVBw+cA0rME4ZlG5r33bBZgtgcl/kEjDZCPqOYDIQj8
> b/Zi1lFqL2X2qwI3DKL0VrN2XjDJeESMBdbcaYGygqPxH59cFDS9AX4b
> mHpJsjC5A5Nl6BA3xpe/Iw30UN7T0ohbEZlgfHTtm/VaMCDZvXyEFzwF JSo=
> NS 8 2 86400 20110303000000 20110217000000 50853 jpmens.org.
> BaFpHw3hi4v64JDpUmm2/TVFUCz0jHHeBOtEc0JJQuo4uYJtOVp9W97e
> KEVFzhnW1Y93utKXK9qkfZsBmPusHvuYLpQg+4065mOEoyEuaZ95247/
> KJArGuHDNwHu/Xc35qvbzcTrcwof6T9yey6SuS0BNh1vMdlcGGATuphW RLo=
> NS 8 2 86400 20110303000000 20110217000000 50853 jpmens.org.
> OUShqrUPiUsTVq4A/jkIaCzyXE+8EfSubpggZsQYJD8ih6Yag9W3PlGV
> esNLi7XrQWxDbBghL/voFCDE0C2iHgt4K8Y0LXTpfr9lZ9n+soME+KsP
> w3n0TwgRw4GbE0XxgaVrUF7FZauh3FSebgp782QP6cpLjnAFWkJ1cze/ /ss=
>
> may this be part of the problem ?
>

Seems to be so,

Feb 21 12:47:32 unbound[22628:0] info: verify rrset <jpmens.org. NS IN>
Feb 21 12:47:32 unbound[22628:0] debug: verify sig 50853 8
Feb 21 12:47:32 unbound[22628:0] debug: verify: signature mismatch
Feb 21 12:47:32 unbound[22628:0] debug: verify sig 50853 8
Feb 21 12:47:32 unbound[22628:0] debug: verify: signature mismatch
Feb 21 12:47:32 unbound[22628:0] debug: verify sig 50853 8
Feb 21 12:47:32 unbound[22628:0] debug: verify: signature mismatch
Feb 21 12:47:32 unbound[22628:0] debug: rrset failed to verify: no valid signatures for 1 algorithms

Best regards,
   Wouter

_______________________________________________
Unbound-users mailing list
http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
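A check for the anomaly raised in the thread above (several RRSIGs over one RRset whose header fields are identical but whose signature data differs), as an added example that is not part of the original message or of unbound. It assumes `dig +dnssec +short` output with one record per line; the function names and the sample records are constructed for illustration.

```python
import base64
from collections import defaultdict

# Constructed sample in `dig +dnssec +short` layout, one record per line.
# Names, key tags and signature bytes are made up for illustration.
SAMPLE = """\
ns1.example.net.
ns2.example.net.
NS 8 2 86400 20110303000000 20110217000000 12345 example.org. QUFBQUFB QUFBQQ==
NS 8 2 86400 20110303000000 20110217000000 12345 example.org. QkJCQkJC QkJCQg==
NS 8 2 86400 20110303000000 20110217000000 12345 EXAMPLE.org. QUFBQUFB QUFBQQ==
NS 8 2 86400 20110303000000 20110217000000 54321 example.org. Q0NDQ0ND Q0NDQw==
"""


def parse_rrsigs(text):
    """Yield (header, signature_bytes) per RRSIG line; other lines are skipped."""
    for line in text.splitlines():
        f = line.split()
        # RRSIG RDATA: type-covered alg labels orig-ttl expiration inception
        # key-tag signer signature (base64, possibly split by spaces)
        if len(f) < 9 or not all(x.isdigit() for x in f[1:7]):
            continue
        try:
            sig = base64.b64decode("".join(f[8:]), validate=True)
        except ValueError:  # not base64, so not an RRSIG line
            continue
        # Type mnemonics and domain names compare case-insensitively.
        yield (f[0].upper(), *f[1:7], f[7].lower()), sig


def conflicting_rrsigs(text):
    """Map each RRSIG header carrying more than one distinct signature to the count."""
    seen = defaultdict(set)
    for header, sig in parse_rrsigs(text):
        seen[header].add(sig)
    return {h: len(sigs) for h, sigs in seen.items() if len(sigs) > 1}


if __name__ == "__main__":
    for header, count in conflicting_rrsigs(SAMPLE).items():
        print(f"{count} different signatures share header: {' '.join(header)}")
```

With algorithm 8 (RSA/SHA-256) one key produces a single signature for a given RRset and header, so differing signatures under one header were made over different data or by different keys sharing a key tag.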
