martin f krafft wrote:
> Do you have any idea why unbound is failing on the abbreviated zone
> requests?

Your second Unbound instance is receiving answers that do not validate from the first Unbound instance. (The root zone is signed and authentically denies the existence of "gern".)

> If I remove the auto-trust-anchor-file config directive, it works,
> so it seems this is DNSSEC-related (none of my zones are signed
> yet). Can someone enlighten me and help me understand what's going
> on?

DNSSEC protects against the kind of interloping you described. Removing the auto-trust-anchor-file line disables validation.

> What's the best way to solve this?

You could sign your "gern" zone and configure a trust anchor for that zone, or you could use the "domain-insecure" option in unbound.conf to configure a "negative trust anchor".

-- 
Robert Edmonds
[email protected]
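
Added example, not part of the original message: an unbound.conf fragment for the second (validating) instance that keeps the root trust anchor and marks "gern" as insecure, as the reply suggests. The key file path, the forward-zone stanza and the 192.0.2.53 address are assumptions about the setup, which the thread does not show.

```conf
# unbound.conf on the second (validating) instance -- added example.
server:
    # Keep the root trust anchor so DNSSEC validation stays enabled for
    # every other name. Removing this line turns validation off entirely.
    # The path is an assumption; keep whatever your config already uses.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

    # Negative trust anchor: treat "gern" and everything below it as
    # insecure, so the signed root's denial of "gern" is not used to
    # reject the unsigned answers for it.
    domain-insecure: "gern"

# Assumed setup: queries for "gern" are handed to the first Unbound
# instance. 192.0.2.53 is a placeholder (documentation) address.
forward-zone:
    name: "gern"
    forward-addr: 192.0.2.53
```

Run `unbound-checkconf` on the edited file before reloading the resolver.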
