[DNSSEC] BIND validates but not Unbound: who is right?

Mukund Sivaraman muks at isc.org
Mon Feb 16 17:09:52 UTC 2015


Hi Stephane

On Mon, Feb 16, 2015 at 05:34:53PM +0100, Stephane Bortzmeyer wrote:
> DNSviz, like Unbound, says the domain is broken:
> 
> http://dnsviz.net/d/cepn.asso.fr/VOGwhA/dnssec/

DNSviz complains about missing RRs, but shows "status:SECURE" in
cepn.asso.fr. with green outlines for DNSKEY, SOA, MX, unlike for a bad
zone where it would show "status:INSECURE".

DNSviz also has an explanation for why the green shapes are secure.

There was a DS with algorithm=8 in the parent (fr.), but no
corresponding DNSKEYs in the child zone. But there is a valid
authentication chain through the algorithm=5 keys.

I skimmed through this and haven't looked at any fields of the RRs;
maybe there is a different reason from the above why Unbound doesn't
validate, or rather returns SERVFAIL.

		Mukund
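Added worked example (not part of the thread, and not BIND's or Unbound's code): the situation Mukund describes, a parent DS set that signals algorithms 5 and 8 while the child only publishes algorithm-5 keys, modelled with real key-tag (RFC 4034 Appendix B) and DS digest (SHA-256, digest type 2) computation, and evaluated under two validator policies. The "any valid path" policy is what RFC 6840 section 5.11 asks of validators (accept one authenticated path, do not insist that every algorithm in the DS set works); the stricter per-algorithm policy is included only as one hypothesis for why a validator might return SERVFAIL here. All key material is constructed, and RRSIG verification is abstracted as a set of key tags whose signatures over the DNSKEY RRset are assumed to verify.

```python
"""DNSSEC chain-of-trust check under two validator policies (added example).

Key material is constructed; RRSIG crypto is abstracted as a set of key tags
whose signatures over the child DNSKEY RRset are assumed to have verified.
"""
import hashlib
from dataclasses import dataclass

RSASHA1, RSASHA256 = 5, 8   # DNSSEC algorithm numbers (RFC 4034, RFC 5702)
DIGEST_SHA256 = 2           # DS digest type 2 (RFC 4509)


def owner_wire(name: str) -> bytes:
    """Canonical (lowercase, uncompressed) wire form of an owner name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


@dataclass(frozen=True)
class DNSKEY:
    flags: int
    algorithm: int
    pubkey: bytes          # constructed placeholder, not a real RSA key
    protocol: int = 3

    def rdata(self) -> bytes:
        return (self.flags.to_bytes(2, "big")
                + bytes([self.protocol, self.algorithm]) + self.pubkey)


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: bytes


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (valid for every algorithm except 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_for(owner: str, key: DNSKEY) -> DS:
    """The DS a parent publishes for this key: SHA-256(owner wire || DNSKEY RDATA)."""
    digest = hashlib.sha256(owner_wire(owner) + key.rdata()).digest()
    return DS(key_tag(key.rdata()), key.algorithm, DIGEST_SHA256, digest)


def keys_authenticated_by_ds(owner, ds_set, dnskey_set):
    """Child DNSKEYs for which some parent DS matches tag, algorithm and digest.
    Only digest type 2 is handled here; other digest types never match."""
    return [k for k in dnskey_set if any(ds == ds_for(owner, k) for ds in ds_set)]


def validate_any_path(owner, ds_set, dnskey_set, verified_signers):
    """RFC 6840 section 5.11 behaviour: one DS-authenticated key that signed the
    DNSKEY RRset is enough; a DS with no matching DNSKEY is simply unused."""
    for k in keys_authenticated_by_ds(owner, ds_set, dnskey_set):
        if key_tag(k.rdata()) in verified_signers:
            return "secure"
    return "bogus"


def validate_per_algorithm(owner, ds_set, dnskey_set, verified_signers):
    """Hypothetical stricter policy: every algorithm signalled in the DS set must
    have a DS-authenticated key that signed the DNSKEY RRset, else bogus."""
    good = {k.algorithm for k in keys_authenticated_by_ds(owner, ds_set, dnskey_set)
            if key_tag(k.rdata()) in verified_signers}
    return "secure" if {ds.algorithm for ds in ds_set} <= good else "bogus"


# Constructed scenario mirroring the thread: alg-5 KSK/ZSK published in the
# child, and a DS for an alg-8 key that has no matching DNSKEY in the child.
ZONE = "cepn.asso.fr."
KSK5 = DNSKEY(257, RSASHA1, b"\x01\x02\x03\x04")            # constructed
ZSK5 = DNSKEY(256, RSASHA1, b"\x05\x06\x07\x08")            # constructed
UNPUBLISHED_KSK8 = DNSKEY(257, RSASHA256, b"\x0a\x0b\x0c")  # constructed, absent from child
CHILD_DNSKEYS = [KSK5, ZSK5]
PARENT_DS = [ds_for(ZONE, KSK5), ds_for(ZONE, UNPUBLISHED_KSK8)]
SIGNERS = {key_tag(KSK5.rdata())}   # RRSIG over DNSKEY RRset by KSK5 assumed verified

if __name__ == "__main__":
    print("any path:     ", validate_any_path(ZONE, PARENT_DS, CHILD_DNSKEYS, SIGNERS))
    print("per algorithm:", validate_per_algorithm(ZONE, PARENT_DS, CHILD_DNSKEYS, SIGNERS))
```

Running it prints "secure" for the any-path policy and "bogus" for the per-algorithm one, which is exactly the split between a validator that follows RFC 6840 section 5.11 and one that treats the stray algorithm-8 DS as a hard failure. Removing the unmatched DS from PARENT_DS makes both policies agree.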