Hi Paul,
On 04/12/2011 11:13 PM, Paul Wouters wrote:
>
> I put in an A record for "badsig.dane.xelerance.com." with the intention of
> putting a bad "dane TLSA" record in there. So contrary to the name, the RRSIG
> for "badsig" is fine.
>
> But unbound (1.4.8) gives me :
>
> [paul@bofh pri]$ dig +dnssec a badsig.dane.xelerance.com.
> ;; AUTHORITY SECTION:
> xelerance.com. 1843 IN SOA ns1.xelerance.net. hostmaster.xelerance.com. 2011041269 18000 3600 864000 3600
> xelerance.com. 1843 IN RRSIG SOA 5 2 3600 20110505082418
>
> So this tells me the record does not exist. But when I do an ANY query:
>
> [paul@bofh pri]$ dig +dnssec any badsig.dane.xelerance.com.
> ;; ANSWER SECTION:
> badsig.dane.xelerance.com. 3505 IN A 193.110.157.151
> badsig.dane.xelerance.com. 3505 IN RRSIG A 5 4 3600 20110505101649 20110412193207 52862 xelerance.com.
>
> I have a copy of the cache at the time, and an unbound-host output if
> that would help.
>
> After restarting unbound, the record worked as expected.

You have a TTL issue. The 'wrong' response is 1800 seconds ago. The right response is 95 seconds ago. Restart cleared the cache, and your problem is gone. This is simply TTL happening.

Unbound does not synthesize from the cache, so it will repeat the response from the authority server. So, it gets the new A record as part of the ANY query, but does not synthesize 'A' responses to clients with it, instead using the message that it got (1800 seconds) before.

Best regards,
Wouter

_______________________________________________
Unbound-users mailing list
[email protected]
http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
