On Thu, 27 Oct 2011, Michael Tokarev wrote:
> I debugged an issue for quite some time, when I wasn't
> able to set up DNSSEC (island of security) with unbound
> and NSD for any reverse (in-addr.arpa) zone, but it all
> worked just fine for any forward zone.
>
> unbound refused to validate any record from zones in
> question, giving the following messages:
>
> info: validator: inform_super, sub is 168.192.in-addr.arpa. DNSKEY IN
> info: super is 168.192.in-addr.arpa. SOA IN
> debug: attempt DS match algo 7 keytag 24900
> debug: DS match digest ok, trying signature
> debug: verify: signature mismatch
> debug: rrset failed to verify: all signatures are bogus
> debug: Failed to match any usable anchor to a DNSKEY.
> info: validate keys with anchor(DS): sec_status_bogus
> info: failed to prime trust anchor -- DNSKEY rrset is not secure 168.192.in-addr.arpa. DNSKEY IN
>
> I asked in #unbound on freenode, but noticed that IN-ADDR.ARPA
> in the $ORIGIN line is written in UPPER-case, while all the rest
> uses lowercase.
>
> So I tried lowercasing it, and voila, everything worked.

Do you run unbound with use-caps-for-id: yes? Some name servers don't handle
that properly.

> I'm using command-line ldns tools to perform the signing:
> ldns-keygen, ldns-signzone etc.

There is an ldns mailing list at [email protected]

Paul
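Behind the lowercasing fix in Michael's report is the DNSSEC rule that signers and validators lowercase owner names before hashing and signing. The following added example (not code from this thread, from ldns or from unbound; the names and PTR record are constructed) builds the RFC 4034 canonical form of a PTR RRset and shows that the bytes fed to the signature algorithm are identical for 168.192.IN-ADDR.ARPA. and 168.192.in-addr.arpa. only when that canonicalisation step is actually done.

```python
"""Why owner-name case must not change a DNSSEC signature (RFC 4034 s6.2).
A signer or validator that skips lowercasing hashes different bytes for the
upper- and lower-case spelling of a zone, and the other side then reports a
signature mismatch. All names and RR values here are constructed."""
import hashlib
import struct

PTR = 12  # RR type code for PTR

def name_to_wire(name: str, canonical: bool = True) -> bytes:
    """Uncompressed wire form of a fully qualified name; canonical=True
    lowercases each label as the DNSSEC canonical form requires."""
    labels = name.rstrip(".").split(".") if name.rstrip(".") else []
    out = bytearray()
    for label in labels:
        if not 0 < len(label) <= 63:
            raise ValueError(f"bad label {label!r} in {name!r}")
        out.append(len(label))
        out.extend((label.lower() if canonical else label).encode("ascii"))
    out.append(0)  # root label terminates the name
    return bytes(out)

def rr_signing_bytes(owner, rtype, ttl, rdata, canonical=True) -> bytes:
    """Canonical RR form: owner | type | class IN | original TTL | rdlength | rdata."""
    return (name_to_wire(owner, canonical)
            + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata)

def rrset_digest(rrs, canonical=True) -> str:
    """SHA-256 over the RRset in canonical order: the data a signer hashes
    (after the RRSIG RDATA prefix, omitted here) before signing."""
    h = hashlib.sha256()
    for chunk in sorted(rr_signing_bytes(*rr, canonical=canonical) for rr in rrs):
        h.update(chunk)
    return h.hexdigest()

def zone_digest(origin: str, canonical: bool) -> str:
    """Digest of a one-record PTR RRset written under the given $ORIGIN."""
    rdata = name_to_wire("host1.example.", canonical)  # PTR RDATA is a name
    return rrset_digest([(f"1.1.{origin}", PTR, 3600, rdata)], canonical)

def case_matters(canonical: bool) -> bool:
    """True if spelling the zone in upper case changes the signing bytes."""
    return (zone_digest("168.192.IN-ADDR.ARPA.", canonical)
            != zone_digest("168.192.in-addr.arpa.", canonical))

if __name__ == "__main__":
    print("canonicalised signer:   case matters =", case_matters(True))   # False
    print("uncanonicalised signer: case matters =", case_matters(False))  # True
```

A "signature mismatch" like the one in the log above means the two sides hashed different bytes; comparing canonical forms this way is one way to isolate owner-name case handling as the cause.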
Unbound-users mailing list
[email protected]
http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users