On Wed, Mar 02, 2016 at 16:58:38 +0000, Tony Finch wrote:
> Olav Morken via Unbound-users <[email protected]> wrote:
> >
> > info: validate(cname): sec_status_secure
> > info: validate(positive): sec_status_secure
> > info: message is bogus, non secure rrset uninett.no. NS IN
> >
> > As far as I can tell, the problem here is caused by extra NS-records in
> > the authority-section that do not include the RRSIG element for the
> > NS-records, but I can't really say that for certain.
>
> This sounds a lot like a problem we discussed last year. See
> https://unbound.net/pipermail/unbound-users/2015-February/003757.html
It looks similar, in that it is caused by extra records, but as far as I
know there shouldn't be any DLV involved here. The uninett.no zone is
properly delegated from the parent zone. I also tested with the most
recent version from subversion trunk, which includes the fix mentioned in
that thread, but got the same result.

> Does Unbound use CD=1 when forwarding? If so, it should expect to receive
> partially bogus answers and should handle them gracefully.

I checked, and it does set the CD-flag. The full dig command line to
simulate the queries that Unbound sends appears to be:

    dig -4 +qr +noadflag +recurse +cdflag +bufsize=4096 +dnssec pingapi.paas.uninett.no @dns-resolver1.uninett.no

I.e. the packets have the RD, CD and DO flags set.

I grabbed the output from dig yesterday evening. If anyone is curious, I
uploaded it here:

https://gist.github.com/olavmrk/c62f099736dbc5ef514a

Best regards,
Olav Morken
UNINETT
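
A check for the condition the log above describes, added here as an example and not part of the thread or of Unbound's code: a small pure-Python wire-format parser that lists, per section, every RRset with no covering RRSIG, so a reply like the one discussed shows up as "authority: uninett.no. NS unsigned". The sample reply, the RRSIG stub fields and the 192.0.2.10 address are constructed for the example.

```python
import struct
A, NS, RRSIG = 1, 2, 46
SECTIONS = ("answer", "authority", "additional")

def encode_name(name):
    """Uncompressed wire-format name, e.g. 'uninett.no' -> b'\\x07uninett\\x02no\\x00'."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"
def decode_name(msg, off):
    """Read a possibly compressed name; return (dotted name, offset after it)."""
    labels, end = [], None
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:                        # compression pointer (RFC 1035 4.1.4)
            end = end if end is not None else off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if n == 0: break
        labels.append(msg[off:off + n].decode()); off += n
    return ".".join(labels) + ".", off if end is None else end
def rr(owner, rtype, rdata, ttl=300):
    return encode_name(owner) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata
def parse(msg):
    """{section: [(owner, type, rdata), ...]} for the three non-question sections."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off, out = 12, {s: [] for s in SECTIONS}
    for _ in range(qd):
        _, off = decode_name(msg, off); off += 4    # skip qtype/qclass
    for sec, count in zip(SECTIONS, (an, ns, ar)):
        for _ in range(count):
            owner, off = decode_name(msg, off)
            rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10]); off += 10
            out[sec].append((owner, rtype, msg[off:off + rdlen])); off += rdlen
    return out
def unsigned_rrsets(msg):
    """(section, owner, type) for every RRset lacking a covering RRSIG in its section."""
    found = []
    for sec, rrs in parse(msg).items():
        # RRSIG rdata starts with the 16-bit type_covered field
        covered = {(o, struct.unpack("!H", rd[:2])[0]) for o, t, rd in rrs if t == RRSIG}
        for o, t in sorted({(o, t) for o, t, _ in rrs if t != RRSIG}):
            if (o, t) not in covered: found.append((sec, o, t))
    return found
def sample_response():
    """Constructed reply mirroring the log: signed A in answer, NS without RRSIG in authority."""
    qname = "pingapi.paas.uninett.no"
    rrsig_a = struct.pack("!HBBIIIH", A, 13, 4, 300, 0, 0, 1) + encode_name("uninett.no") + b"\x00" * 64
    hdr = struct.pack("!HHHHHH", 0x1234, 0x8190, 1, 2, 1, 0)  # QR RD RA CD set; 1 q, 2 an, 1 ns, 0 ar
    return (hdr + encode_name(qname) + struct.pack("!HH", A, 1)
            + rr(qname, A, bytes([192, 0, 2, 10])) + rr(qname, RRSIG, rrsig_a)
            + rr("uninett.no", NS, encode_name("ns.uninett.no")))
```

Running unsigned_rrsets over a real reply captured with the dig command line above (e.g. decoded from +qr/+dnssec output into wire format) points straight at the section and RRset the validator will reject.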
