On 10.10.2011 19:22, James Cloos wrote:
> Oct 10 23:20:31 [unbound] [1461:0] info: reply from <faa.gov.> 155.178.206.21#53
> Oct 10 23:20:31 [unbound] [1461:0] info: query response was ANSWER
> Oct 10 23:20:31 [unbound] [1461:0] info: Did not match a DS to a DNSKEY, thus bogus.
> Oct 10 23:20:31 [unbound] [1461:0] info: Could not establish a chain of trust to keys for faa.gov. DNSKEY IN
> Oct 10 23:20:31 [unbound] [1461:0] info: validation failure www.faa.gov. A IN
Hello,

I would like to ask how to handle such problems on a production resolver.
If a domain is unresolvable, common reasons are:

- the remote site does not handle capitalisation correctly
- DNSSEC is broken
- a bug in Unbound

The first can only be fixed by the remote site. If they don't, the domain
stays unresolvable. Usually my users complain "at home it works!"
Of course: at home they do not use Unbound ...

The second case could be an MTU problem at the local site or misconfigured
DNSSEC at the remote site.

A bug must be found and fixed. After that a new version must be tested at the
local site and production systems must be updated. That may take days or
weeks. The end user cannot access the domain.

I suggest a lookup table inside Unbound to disable some functions making a
domain unresolvable. The lookup key could be a domain or a server. The lookup
result could be a list of disabled functions:

- do not use capitalisation
- do not use EDNS
- do not use TCP
- treat domain like unsigned

The last one is implemented with the "domain-insecure" statement.
But for all other problems I have no solution today.

--
Andreas Schulze
Internetdienste | P252
DATEV eG
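A triage sketch for the situation described in the message above, added here as an example and not taken from the post or from the Unbound project: it groups the quoted validator log lines per worker thread and lists the zones that fail DNSSEC validation, with the logged reason, as review candidates for the "domain-insecure" statement the message names. The function names and the exact log layout (copied from the quoted lines) are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: the log lines quoted in the mail, plus one made-up
# line from another thread to show that unrelated messages are ignored.
SAMPLE_LOG = """\
Oct 10 23:20:31 [unbound] [1461:0] info: reply from <faa.gov.> 155.178.206.21#53
Oct 10 23:20:31 [unbound] [1461:0] info: query response was ANSWER
Oct 10 23:20:31 [unbound] [1461:0] info: Did not match a DS to a DNSKEY, thus bogus.
Oct 10 23:20:31 [unbound] [1461:1] info: query response was ANSWER
Oct 10 23:20:31 [unbound] [1461:0] info: Could not establish a chain of trust to keys for faa.gov. DNSKEY IN
Oct 10 23:20:31 [unbound] [1461:0] info: validation failure www.faa.gov. A IN
"""

LINE = re.compile(r"\[unbound\] \[(?P<pid>\d+):(?P<thread>\d+)\] info: (?P<msg>.*)$")
BOGUS = re.compile(r"^(?P<reason>.*), thus bogus\.?$")
CHAIN = re.compile(r"^Could not establish a chain of trust to keys for (?P<zone>\S+) ")
FAIL = re.compile(r"^validation failure (?P<name>\S+) (?P<type>\S+) \S+")

def triage(log_text):
    """Return {zone: {"reasons": set, "names": set}} for DNSSEC failures."""
    state = {}  # per (pid, thread): reason and zone seen since the last failure
    report = defaultdict(lambda: {"reasons": set(), "names": set()})
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        key, msg = (m["pid"], m["thread"]), m["msg"]
        cur = state.setdefault(key, {"reason": None, "zone": None})
        if b := BOGUS.match(msg):
            cur["reason"] = b["reason"]
        elif c := CHAIN.match(msg):
            cur["zone"] = c["zone"]
        elif f := FAIL.match(msg):
            if cur["zone"]:  # only failures tied to a broken chain of trust
                entry = report[cur["zone"]]
                entry["names"].add(f"{f['name']} {f['type']}")
                if cur["reason"]:
                    entry["reasons"].add(cur["reason"])
            state[key] = {"reason": None, "zone": None}
    return dict(report)

def candidates(report):
    """One comment line with the evidence, then the statement to review."""
    out = []
    for zone, e in sorted(report.items()):
        why = "; ".join(sorted(e["reasons"])) or "no reason logged"
        out += [f"# {zone} {why} ({', '.join(sorted(e['names']))})",
                f'domain-insecure: "{zone}"']
    return out

if __name__ == "__main__":
    print("\n".join(candidates(triage(SAMPLE_LOG))))
```

Each emitted statement turns DNSSEC validation off for that zone, so the comment line carries the logged reason for an operator to check before anything is copied into the configuration.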
