There is a bugzilla open about a similar issue: https://bugzilla.redhat.com/show_bug.cgi?id=824219 , but from my reading it looks like it went off in another direction.

The issue I am running into comes in when resolving fedorapeople.org domains which are DLV signed. Specifically fkooman.fedorapeople.org but any other *.fedorapeople.org domains seem to fail, and only with unbound in my testing thus far. Straight bind will return the result.

When attempting to resolve I get this in the logs:

unbound: [1005:1] info: validation failure fkooman.fedorapeople.org. A IN

Running directly against bind we get the result as expected:

dig fkooman.fedorapeople.org +dnssec

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6.3 <<>> fkooman.fedorapeople.org +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57589
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;fkooman.fedorapeople.org. IN A

;; ANSWER SECTION:
fkooman.fedorapeople.org. 56 IN A 152.19.134.191
fkooman.fedorapeople.org. 56 IN RRSIG A 5 2 60 20130418182632 20130319182632 378 fedorapeople.org. 7YhhtMeCLSq1wIYnWW3gQvL1hIKnYLO0ffIEQbhKPJ0dSadnipAxxSiJ k8pY2VwvvvNZ+bJoX3PYJAG/jmA7uUnYuK/Zx0OUjkU+Fmc7dOSBlQJp +ikA73Lcv2KjBF0Nbq4LFG11O8MDOdDi1zZ8XrYCdlQkS/PqKoZzcX9m b+A=

;; AUTHORITY SECTION:
*.fedorapeople.org. 56 IN NSEC fedorapeople.org. A AAAA RRSIG NSEC
*.fedorapeople.org. 56 IN RRSIG NSEC 5 2 86400 20130418182632 20130319182632 378 fedorapeople.org. 8DbC9OUD7p+274jhuNpJJA7SgTgCk3ArqaPE5dj/raZNvJcC5Wd1eoiH 72nxwdpyyfX3szQa1iq82/jmfMzohQ45MFK+nNusJMysjlkmGnkZQjKp MqBAuQBQ2WosUOfwG290TTGiXRiapvYVw15odvsTL4wKHzEcYmRbtbnq WyU=

You can get a nice breakdown of the signing here: http://dnsviz.net/d/fkooman.fedorapeople.org/dnssec/

My guess is that it has to do with the *.fedorapeople.org record, but I am no expert, or perhaps DLV plays into it? There aren't a great deal of sites that I know of to compare this to.

Can anyone else confirm or deny this issue with their unbound?

Thanks,
-Erinn
_______________________________________________
Unbound-users mailing list
[email protected]
http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
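Whether the A record in the dig output above was synthesised from *.fedorapeople.org can be read from the RRSIG itself: its Labels field is 2 while the owner name has 3 labels, which is the wildcard-expansion case in RFC 4035 section 5.3.2. The script below is an added example, not part of the original post or of unbound; the function names `wildcard_source` and `analyse` are hypothetical, and it only classifies records, it does not verify signatures or explain the validation failure.

```python
# Added example: spot wildcard-synthesised RRsets in `dig +dnssec` text.
# Rule applied: RFC 4035 5.3.2, RRSIG Labels field vs. owner label count.

# Records taken from the dig output in the post; the base64 signature
# data is left off because only the leading RRSIG fields are needed.
SAMPLE = """\
fkooman.fedorapeople.org. 56 IN A 152.19.134.191
fkooman.fedorapeople.org. 56 IN RRSIG A 5 2 60 20130418182632 20130319182632 378 fedorapeople.org.
*.fedorapeople.org. 56 IN NSEC fedorapeople.org. A AAAA RRSIG NSEC
*.fedorapeople.org. 56 IN RRSIG NSEC 5 2 86400 20130418182632 20130319182632 378 fedorapeople.org.
"""

def wildcard_source(owner, rrsig_labels):
    """Return the wildcard name an RRset was expanded from, else None."""
    labels = [l for l in owner.rstrip(".").split(".") if l]
    if labels[:1] == ["*"]:          # a leading "*" is not counted
        labels = labels[1:]
    if rrsig_labels > len(labels):   # a validator must reject this RRSIG
        raise ValueError("RRSIG Labels exceeds owner label count")
    if rrsig_labels == len(labels):  # signed under its own name
        return None
    tail = labels[len(labels) - rrsig_labels:]
    return "*." + "".join(l + "." for l in tail)

def analyse(text):
    """Return ({(owner, covered_type): wildcard or None}, NSEC owner set)."""
    sources, nsec_owners = {}, set()
    for line in text.splitlines():
        f = line.split()
        if len(f) < 5 or f[2] != "IN":
            continue                 # skip comments and blank lines
        owner, rtype = f[0].lower(), f[3]
        if rtype == "NSEC":
            nsec_owners.add(owner)
        elif rtype == "RRSIG" and len(f) >= 7:
            # f[4] = type covered, f[5] = algorithm, f[6] = Labels
            sources[(owner, f[4])] = wildcard_source(owner, int(f[6]))
    return sources, nsec_owners

if __name__ == "__main__":
    sources, nsec_owners = analyse(SAMPLE)
    for (owner, covered), wc in sorted(sources.items()):
        print(owner, covered, "expanded from " + wc if wc else "not expanded")
    print("NSEC owners in response:", sorted(nsec_owners))
```

For an expanded answer a validator also needs the NSEC in the authority section to show that no closer match for the query name exists (RFC 4035 section 5.3.4), which is why the `*.fedorapeople.org.` NSEC accompanies the A record.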
