Hi Erinn,

On 03/20/2013 09:55 PM, Erinn Looney-Triggs wrote:
> There is a bugzilla open about a similar
> issue: https://bugzilla.redhat.com/show_bug.cgi?id=824219 , but from
> my reading it looks like it went off in another direction.
>
> The issue I am running into comes in when resolving
> fedorapeople.org domains which are DLV signed. Specifically
> fkooman.fedorapeople.org but any other *.fedorapeople.org domains
> seem to fail, and only with unbound in my testing thus far.
> Straight bind will return the result.
>
> When attempting to resolve I get this in the logs:
>
> unbound: [1005:1] info: validation failure fkooman.fedorapeople.org. A IN

Can you tell me why it failed? Set val-log-level: 2 or run
unbound-host to do the lookup.

When I perform this lookup, it works fine, and uses the isc.org DLV.
This is with latest unbound version.

Best regards,
Wouter

> Running directly against bind we get the result as expected:
> dig fkooman.fedorapeople.org +dnssec
>
> ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6.3 <<>> fkooman.fedorapeople.org +dnssec
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57589
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;fkooman.fedorapeople.org. IN A
>
> ;; ANSWER SECTION:
> fkooman.fedorapeople.org. 56 IN A 152.19.134.191
> fkooman.fedorapeople.org. 56 IN RRSIG A 5 2 60 20130418182632 20130319182632 378 fedorapeople.org. 7YhhtMeCLSq1wIYnWW3gQvL1hIKnYLO0ffIEQbhKPJ0dSadnipAxxSiJ k8pY2VwvvvNZ+bJoX3PYJAG/jmA7uUnYuK/Zx0OUjkU+Fmc7dOSBlQJp +ikA73Lcv2KjBF0Nbq4LFG11O8MDOdDi1zZ8XrYCdlQkS/PqKoZzcX9m b+A=
>
> ;; AUTHORITY SECTION:
> *.fedorapeople.org. 56 IN NSEC fedorapeople.org. A AAAA RRSIG NSEC
> *.fedorapeople.org. 56 IN RRSIG NSEC 5 2 86400 20130418182632 20130319182632 378 fedorapeople.org. 8DbC9OUD7p+274jhuNpJJA7SgTgCk3ArqaPE5dj/raZNvJcC5Wd1eoiH 72nxwdpyyfX3szQa1iq82/jmfMzohQ45MFK+nNusJMysjlkmGnkZQjKp MqBAuQBQ2WosUOfwG290TTGiXRiapvYVw15odvsTL4wKHzEcYmRbtbnq WyU=
>
> You can get a nice break down of the signing here:
> http://dnsviz.net/d/fkooman.fedorapeople.org/dnssec/
>
> My guess is that it has to do with the *.fedorapeople.org record,
> but I am no expert, or perhaps DLV plays into it? There aren't a
> great deal of sites that I know of to compare this to.
>
> Can anyone else confirm or deny this issue with their unbound?
>
> Thanks,
> -Erinn
>
> _______________________________________________
> Unbound-users mailing list
> [email protected]
> http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
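
Added example, not part of the original thread or of unbound's code: the quoted dig answer can be checked for wildcard expansion by comparing the RRSIG Labels field with the owner name's label count (RFC 4034, section 3.1.3), which is the case the guess about the *.fedorapeople.org record refers to. The sample records are retyped from the quoted output with a constructed placeholder in place of the signatures, and the function names are hypothetical.

```python
# Constructed sample: ANSWER and AUTHORITY records retyped from the dig output
# quoted in the thread; "PLACEHOLDERSIG=" stands in for the signatures.
SAMPLE = """\
;; ANSWER SECTION:
fkooman.fedorapeople.org. 56 IN A 152.19.134.191
fkooman.fedorapeople.org. 56 IN RRSIG A 5 2 60 20130418182632 20130319182632 378 fedorapeople.org. PLACEHOLDERSIG=
;; AUTHORITY SECTION:
*.fedorapeople.org. 56 IN RRSIG NSEC 5 2 86400 20130418182632 20130319182632 378 fedorapeople.org. PLACEHOLDERSIG=
"""


def owner_labels(name):
    """Labels of an owner name, without the root and without a leading '*'
    (the way the RRSIG Labels field counts them)."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return labels[1:] if labels[:1] == ["*"] else labels


def parse_rrsigs(text):
    """Yield (owner, type_covered, labels_field) for each RRSIG line."""
    for line in text.splitlines():
        f = line.split()
        # owner ttl class RRSIG covered alg labels origttl exp inc tag signer sig
        if len(f) >= 13 and not f[0].startswith(";") and f[3] == "RRSIG":
            yield f[0], f[4], int(f[6])


def wildcard_source(owner, labels_field):
    """Return the wildcard the record was expanded from, or None if the
    owner name is signed as-is."""
    labels = owner_labels(owner)
    if labels_field > len(labels):
        raise ValueError("Labels field larger than owner name: invalid RRSIG")
    if labels_field == len(labels):
        return None
    closest = labels[len(labels) - labels_field:]
    return "*." + "".join(l + "." for l in closest)


def report(text):
    """List (owner, type_covered, wildcard_or_None) for every RRSIG found."""
    return [(o, t, wildcard_source(o, n)) for o, t, n in parse_rrsigs(text)]


if __name__ == "__main__":
    for owner, covered, source in report(SAMPLE):
        print(owner, covered, "expanded from " + source if source else "not expanded")
```

For a wildcard-expanded positive answer, a validator also needs the NSEC record from the authority section to prove that no closer match for the queried name exists (RFC 4035, section 5.3.4).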
