I am getting an NXDOMAIN from unbound 1.4.8 on compro.net.

39.580: compro.net INFO Begin testing DNSSEC for compro.net.
39.861: compro.net INFO Found DS record for compro.net at parent.
44.869: compro.net NOTICE DNS lookup error (connection failed).
45.358: compro.net INFO Servers for compro.net have consistent extra processing status.
45.358: compro.net INFO Did not find DNSKEY record for compro.net at child.
45.358: compro.net ERROR Inconsistent security for compro.net - DS found at parent, but no DNSKEY found at child.
45.358: compro.net INFO Done testing DNSSEC for compro.net.
45.358: compro.net INFO Test completed for zone compro.net.

bind 9.8.0 is giving a ServFail as I expected. The DS record looks like:

compro.net. 86332 IN DS 2211 3 1 1234567890123456789012345678901234567890

I could not get the DS from unbound either...... Note the hash is obviously fake.

unbound-host takes over 30secs to respond, as does unbound as daemon:

-bash-3.2# unbound-host -v compro.net. -C /etc/unbound/unbound.conf
Mar 08 18:07:08 libunbound[31511:0] notice: init module 0: validator
Mar 08 18:07:08 libunbound[31511:0] notice: init module 1: iterator
compro.net. has address 173.201.14.242 (BOGUS (security failure))
validation failure <compro.net. A IN>: No DNSKEY record from 208.109.255.1 for key compro.net. while building chain of trust
compro.net. has no IPv6 address (BOGUS (security failure))
validation failure <compro.net. AAAA IN>: key for validation compro.net. is marked as invalid because of a previous validation failure <compro.net. NS IN>: No DNSKEY record from 208.109.255.1 for key compro.net. while building chain of trust
compro.net. mail is handled by 10 mx2.compro.net. (BOGUS (security failure))
validation failure <compro.net. MX IN>: key for validation compro.net. is marked as invalid because of a previous validation failure <compro.net. NS IN>: No DNSKEY record from 208.109.255.1 for key compro.net. while building chain of trust

After a little while, or due to me querying and caching something, unbound started giving me servfails. Though when querying with the +cd I still got no data:

[paul@bofh ~]$ dig +dnssec +cd compro.net @193.110.157.136

; <<>> DiG 9.7.3-RedHat-9.7.3-1.fc14 <<>> +dnssec +cd compro.net @193.110.157.136
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 60322
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;compro.net. IN A

;; Query time: 109 msec
;; SERVER: 193.110.157.136#53(193.110.157.136)
;; WHEN: Tue Mar 8 18:12:13 2011
;; MSG SIZE rcvd: 39

Paul
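
Added example (not part of the original post, and not unbound's or BIND's code): the DS-to-DNSKEY link a validator checks at a zone cut, which is the step that fails in the output above. The DNSKEY key material is constructed, and the function names and status strings are assumptions of this sketch.

```python
import hashlib
import struct

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}  # DS digest types

def wire_name(name):
    """Canonical (lowercase) wire form of a domain name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA: flags (2 bytes), protocol, algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata):
    """RFC 4034 Appendix B key tag (all algorithms except 1)."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner, rdata, digest_type):
    """DS fields (key tag, algorithm, digest type, digest) for one DNSKEY."""
    digest = DIGESTS[digest_type](wire_name(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), rdata[3], digest_type, digest)

def parse_ds(text):
    """Parse DS rdata in presentation format, e.g. '2211 3 1 1234...'."""
    tag, alg, dtype, *digest = text.split()
    return (int(tag), int(alg), int(dtype), "".join(digest).upper())

def delegation_status(owner, ds_set, dnskey_rdatas):
    """Simplified validator decision at a zone cut, before any RRSIG check."""
    if not ds_set:
        return "insecure"    # assumes the absence of DS was itself proven
    for rdata in dnskey_rdatas:
        for ds in ds_set:
            if ds[2] in DIGESTS and make_ds(owner, rdata, ds[2]) == ds:
                return "ds-matched"   # chain of trust can continue
    return "bogus"           # DS at parent, no matching DNSKEY at child: SERVFAIL

if __name__ == "__main__":
    # DS rdata as quoted in the post; the child returned no DNSKEY at all.
    page_ds = parse_ds("2211 3 1 1234567890123456789012345678901234567890")
    print(delegation_status("compro.net.", [page_ds], []))        # the reported case
    # Constructed key material, only to show what a healthy link looks like.
    rdata = dnskey_rdata(257, 3, 8, bytes(range(64)))
    good_ds = make_ds("compro.net.", rdata, 2)
    print(delegation_status("compro.net.", [good_ds], [rdata]))
```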
