I debugged an issue for quite some time, when I wasn't able to set up DNSSEC (island of security) with unbound and NSD for any reverse (in-addr.arpa) zone, but it all worked just fine for any forward zone.
unbound refused to validate any record from the zones in question, giving the following messages:

  info: validator: inform_super, sub is 168.192.in-addr.arpa. DNSKEY IN
  info: super is 168.192.in-addr.arpa. SOA IN
  debug: attempt DS match algo 7 keytag 24900
  debug: DS match digest ok, trying signature
  debug: verify: signature mismatch
  debug: rrset failed to verify: all signatures are bogus
  debug: Failed to match any usable anchor to a DNSKEY.
  info: validate keys with anchor(DS): sec_status_bogus
  info: failed to prime trust anchor -- DNSKEY rrset is not secure 168.192.in-addr.arpa. DNSKEY IN

I asked in #unbound on freenode, but noticed that IN-ADDR.ARPA in the $ORIGIN line is written in UPPER-case, while all the rest uses lowercase. So I tried lowercasing it, and voilà, everything worked.

I'm using the command-line ldns tools to perform the signing: ldns-keygen, ldns-signzone etc. So if any of you happen to do the same (sort-of-insane) thing, please use lowercase chars in zone origins, or else the resulting signed zone will not validate.

Using unbound-1.4.12, nsd 3.2.5, and ldnsutils 1.6.10.

Posted to both unbound and nsd since I'm subscribed to both and don't know if there's a special ldns mailing list for this, and since the problem will be seen as a failure to verify the zone, so it will appear unbound-related.

Thanks,

/mjt

_______________________________________________
Unbound-users mailing list
[email protected]
http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
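An added example, not code from the post, ldns, unbound or NSD, modelling the mechanism most consistent with the symptoms above: RFC 4034 section 6.2 requires the owner name in the data an RRSIG covers to be in canonical form (all labels lowercased), and a conforming validator such as unbound canonicalises before it verifies. If a signer instead feeds the owner name to the signature with the case as written under an upper-case $ORIGIN, the bytes it signs differ from the bytes the validator reconstructs, and every signature over that RRset comes out "signature mismatch" / bogus. The post does not diagnose the root cause and this script does not reproduce ldns internals; the SHA-256 digest stands in for the real RSA signature (the public-key algorithm is irrelevant to which bytes get signed), and the SOA RDATA is a constructed placeholder.

```python
"""RFC 4034 section 6.2 canonical owner-name form, and why case in
$ORIGIN can make a signed zone validate as bogus.

Added example; not code from the original post, ldns or unbound.
"""
import hashlib
import hmac
import struct

# Constructed sample RRset: one SOA record with placeholder RDATA bytes
# (MNAME, RNAME and the five 32-bit counters in wire form).
SAMPLE_TYPE = 6       # SOA
SAMPLE_CLASS = 1      # IN
SAMPLE_TTL = 3600
SAMPLE_RDATA = (b"\x02ns\x00" + b"\x0ahostmaster\x00"
                + struct.pack("!IIIII", 1, 3600, 900, 604800, 3600))


def name_to_wire(name: str, canonical: bool = True) -> bytes:
    """Encode a dotted DNS name in wire form (RFC 1035 section 3.1).

    canonical=True lowercases every label first, as RFC 4034 section 6.2
    requires for the owner name inside RRSIG signing data.  canonical=False
    keeps the case exactly as written, modelling a signer that hashes the
    owner name as it appears in the zone file.
    """
    if canonical:
        name = name.lower()
    labels = [lbl for lbl in name.rstrip(".").split(".") if lbl]
    out = bytearray()
    for label in labels:
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("label too long: %r" % label)
        out.append(len(raw))
        out += raw
    out.append(0)  # zero-length root label terminates the name
    return bytes(out)


def rrset_signing_data(owner: str, canonical_owner: bool) -> bytes:
    """Build the RR(i) portion of what an RRSIG covers (RFC 4034 section
    3.1.8.1): owner | type | class | TTL | RDLENGTH | RDATA.  The RRSIG
    RDATA prefix (algorithm, labels, expiry, key tag, signer's name) is
    omitted because it is identical on both sides and does not affect
    the comparison being demonstrated."""
    return (name_to_wire(owner, canonical=canonical_owner)
            + struct.pack("!HHIH", SAMPLE_TYPE, SAMPLE_CLASS, SAMPLE_TTL,
                          len(SAMPLE_RDATA))
            + SAMPLE_RDATA)


def stand_in_signature(data: bytes) -> bytes:
    """Deterministic stand-in for the RSA signature over the signing data."""
    return hashlib.sha256(data).digest()


def signer_signs(owner_as_in_zone: str, signer_canonicalizes: bool) -> bytes:
    """Produce the 'signature' the zone signer would emit."""
    return stand_in_signature(
        rrset_signing_data(owner_as_in_zone, signer_canonicalizes))


def validator_accepts(owner_as_seen: str, signature: bytes) -> bool:
    """A conforming validator always canonicalises before checking."""
    expected = stand_in_signature(
        rrset_signing_data(owner_as_seen, canonical_owner=True))
    return hmac.compare_digest(expected, signature)


def validates(owner_as_in_zone: str, signer_canonicalizes: bool) -> bool:
    """Sign with the owner name as written in the zone file, then validate
    the way a conforming resolver does.  False exactly when the signer
    signed non-canonical bytes that the validator lowercased."""
    sig = signer_signs(owner_as_in_zone, signer_canonicalizes)
    return validator_accepts(owner_as_in_zone, sig)


if __name__ == "__main__":
    for owner in ("168.192.IN-ADDR.ARPA.", "168.192.in-addr.arpa."):
        for canon in (False, True):
            status = "secure" if validates(owner, canon) else "bogus"
            print("%-24s signer canonicalises=%-5s -> %s" % (owner, canon, status))
```

Running it shows only the combination "upper-case origin, signer does not canonicalise" failing; lowercasing the origin sidesteps the problem because the as-written and canonical forms then coincide, which matches the workaround reported above. The same rule applies to any mixed-case owner name, not just in-addr.arpa, so a zone with capitalised host names would hit it too.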
