Hi Alan,

Can you provide detailed logs about what happens when you query carnet.hr and get SERVFAIL? Like, with verbosity 4, val-log-level: 2. That should also print out a reason for the servfail in the logs. If it works for bind, then the bug must be in unbound.

Best regards,
Wouter

On 03/27/2014 03:51 PM, Alan Jurcic wrote:
> On 27.03.14 at 15:14, W.C.A. Wijngaards wrote:
>>
>> If your DLV provider does not answer, the security status of
>> every domain not in cache cannot be determined. It must
>> therefore be withheld from the poor user. Did you configure a
>> non-working dlv domain?
>>
>
> Hi Wouter,
>
> DLV validation is working for the domain with the DLV record in my
> DLV zone, but everything unsigned is automatically bogus. I have
> the same DLV configured in bind resolver and it works fine there:
> root anchor is checked first, then DLV and if neither contains
> DS/DLV for the domain then the domain is unsigned and the answer is
> returned to the client.
>
>
> Querying signed domain with DLV anchor:
>
> $ dig sec.tst.hr @193.198.241.11 # bind resolver
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2537
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
>
> $ dig sec.tst.hr @193.198.241.48 # unbound resolver
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38124
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
>
>
> Querying signed domain with root anchor:
>
> $ dig nlnetlabs.nl @193.198.241.11 # bind resolver
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43298
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 3
>
> $ dig nlnetlabs.nl @193.198.241.48 # unbound resolver
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30066
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 4
>
>
> The issue comes up when I query an unsigned domain:
>
> $ dig carnet.hr @193.198.241.11 # bind resolver
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26035
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 9
>
> $ dig carnet.hr @193.198.241.48 # unbound resolver
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 36322
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>
>
> Hope that helps :)
>
> Alan
>
_______________________________________________
Unbound-users mailing list
http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
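
Added example, not part of the original message: a small Python check that parses dig header lines and flags names where one validating resolver answers without the AD flag while another returns SERVFAIL, which is the pattern reported for carnet.hr in this thread. The sample input is reduced from the dig output quoted above (ids and section counts dropped); the function names and the "bind"/"unbound" labels are assumptions of this example.

```python
import re

STATUS_RE = re.compile(r"status:\s*(\w+)")
FLAGS_RE = re.compile(r"flags:\s*([a-z ]*);")

def parse_dig(text):
    """Return (rcode, set of header flags) from dig's HEADER and flags lines."""
    status, flags = STATUS_RE.search(text), FLAGS_RE.search(text)
    if not status or not flags:
        raise ValueError("no dig header found")
    return status.group(1), set(flags.group(1).split())

def classify(text):
    """Map one dig answer to the validation state it shows."""
    rcode, flags = parse_dig(text)
    if rcode == "SERVFAIL":
        return "servfail"            # bogus data or an upstream failure
    if rcode in ("NOERROR", "NXDOMAIN"):
        return "secure" if "ad" in flags else "no-ad"
    return "other"

def compare(results):
    """results: {name: {resolver: dig_text}} -> {name: verdict string}."""
    verdicts = {}
    for name, per_resolver in results.items():
        kinds = {classify(text) for text in per_resolver.values()}
        if len(kinds) == 1:
            verdicts[name] = "agree:" + kinds.pop()
        else:
            verdicts[name] = "diverge:" + "-vs-".join(sorted(kinds))
    return verdicts

def hdr(status, flags):
    # Rebuild the two header lines dig prints (constructed: id and counts dropped).
    return (f";; ->>HEADER<<- opcode: QUERY, status: {status}, id: 0\n"
            f";; flags: {flags}; QUERY: 1")

# Status and flags per name and resolver, as quoted in the thread.
THREAD_OUTPUT = {
    "sec.tst.hr":   {"bind": hdr("NOERROR", "qr rd ra ad"),
                     "unbound": hdr("NOERROR", "qr rd ra ad")},
    "nlnetlabs.nl": {"bind": hdr("NOERROR", "qr rd ra ad"),
                     "unbound": hdr("NOERROR", "qr rd ra ad")},
    "carnet.hr":    {"bind": hdr("NOERROR", "qr rd ra"),
                     "unbound": hdr("SERVFAIL", "qr rd ra")},
}

if __name__ == "__main__":
    for name, verdict in compare(THREAD_OUTPUT).items():
        print(f"{name:14s} {verdict}")
```

A SERVFAIL that turns into an answer when the query is repeated with `dig +cd` (checking disabled) points at validation rather than an unreachable upstream.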
