> It looks like the bug in BIND is due to a combination of an unsigned NS
> RRset that came from a referral, and validation turned off. I can't
> reproduce the bug with my validating resolvers with a normal query but it
> does occur if I set the CD bit.

I don't have access to the BIND server, so I don't know how exactly the server is configured and which patches are applied. I know just what version.bind TXT/CH reports. The server performs validation, but DLV seems to be disabled. I get SERVFAIL for incorrectly signed domains. But the AD flag is cleared for fedorapeople.org.

I have also noticed something else: if I explicitly ask BIND for the NS records with +dnssec, the server starts putting the missing NS RRSIG into the subsequent queries for jvcelak.fedorapeople.org. So if the NS RRSIG is in BIND's cache, then validation via Unbound works.

> Are you going to send this in to [email protected] or would you like me
> to do it?

I can provide only partial information about the BIND. So if you managed to reproduce the problem, I would appreciate it if you could send the report. Feel free to CC me.

As for Unbound, I believe that evaluating the resolution as bogus is too strict.

Thanks for helping me to find the problem, everyone.

Best regards.
Jan

_______________________________________________
Unbound-users mailing list
[email protected]
http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
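As an added example (not part of the thread, nor BIND or Unbound code), the following Python inspects a resolver's wire-format answer for the two things discussed above: whether the NS RRset is accompanied by an RRSIG covering NS, and whether the AD flag is set. The message builder, nameserver names and sample answers are constructed for the demonstration.

```python
import struct

TYPE_NS, TYPE_RRSIG = 2, 46
FLAG_AD = 0x0020                                    # header "authenticated data" bit

def encode_name(name):
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def decode_name(msg, off):
    # Reads a name at msg[off], following RFC 1035 compression pointers; returns (name, next offset).
    labels, end = [], None
    while True:
        ln = msg[off]
        if (ln & 0xC0) == 0xC0:                     # compression pointer
            if end is None: end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            return ".".join(labels) + ".", (end if end is not None else off)
        labels.append(msg[off:off + ln].decode())
        off += ln

def build_response(txid, flags, qname, qtype, answers):
    # Constructed response: QR set, one question, answer section only; answers = [(owner, rtype, rdata)]
    msg = struct.pack("!HHHHHH", txid, flags | 0x8000, 1, len(answers), 0, 0)
    msg += encode_name(qname) + struct.pack("!HH", qtype, 1)
    for owner, rtype, rdata in answers:
        msg += encode_name(owner) + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
    return msg

def check_ns_validation(msg):
    # Walks the answer section: is the NS RRset there, is an RRSIG covering NS there, is AD set?
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off, found = 12, set()
    for _ in range(qd):
        off = decode_name(msg, off)[1] + 4          # skip QNAME, QTYPE, QCLASS
    for _ in range(an):
        off = decode_name(msg, off)[1]
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        covered = struct.unpack("!H", rdata[:2])[0] if rtype == TYPE_RRSIG else None  # RRSIG "type covered"
        found.add((rtype, covered))
    return {"ad": bool(flags & FLAG_AD), "ns_present": (TYPE_NS, None) in found,
            "ns_rrsig_present": (TYPE_RRSIG, TYPE_NS) in found}

# Constructed samples: the referral-style answer from the thread (NS, no RRSIG, AD clear) and the
# same answer once the NS RRSIG is cached (RRSIG rdata begins with the covered type, here NS).
ZONE = "jvcelak.fedorapeople.org."
UNSIGNED = build_response(0x1234, 0x0180, ZONE, TYPE_NS, [(ZONE, TYPE_NS, encode_name("ns1.example.net."))])
RRSIG_RDATA = struct.pack("!HBBIIIH", TYPE_NS, 8, 3, 300, 0, 0, 12345) + encode_name("fedorapeople.org.") + b"\x00" * 8
SIGNED = build_response(0x1234, 0x0180 | FLAG_AD, ZONE, TYPE_NS,
                        [(ZONE, TYPE_NS, encode_name("ns1.example.net.")), (ZONE, TYPE_RRSIG, RRSIG_RDATA)])
```

Feeding the raw bytes of a real answer (for example, what a +dnssec query for the NS RRset returns) into check_ns_validation shows whether the NS RRSIG made it into the resolver's cache.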
