Hi Stephane,

On 07/06/2009 02:33 PM, Stephane Bortzmeyer wrote:
>> For those of you using DLV in your resolvers, ORG should have appeared a
>> few minutes ago.
>
> It works with BIND+DLV :
>
> % dig +dnssec SOA bondis.org
> ...
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 3
> ...
>
> Not with Unbound+DLV:
>
> % dig +dnssec SOA automagic.org
> ...
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 9192
>
> (All the .ORG domains servfail.)
>
> Log attached.
>
> Restarting does not help.
>
> Unbound 1.3.0 pristine, Debian/Linux, no forwarder, dlv.isc.org

Automagic.org has 4 servers. The ns-ext.isc.org is glue, and then it has three other nameservers. The isc.org server has expired DNSKEY signatures. The other nameservers work. (Jelte says after a quick look: the zone was most probably updated, but they *de*creased the serial number, causing the pickup to go wrong.)

Unbound, because it gets the glue for free, tries to get the data from isc.org. This fails. It becomes servfail.

Now, with default settings, unbound fetches addresses for the other servers into the cache and every minute tries a random one. So after some time it can become valid if you keep trying.

BIND shows different behaviour - it tries all nameservers for the domain until it gets valid DNSSEC from it. That is why you see no complaints from BIND.

Because of the design of unbound it would be relatively tricky to scan all nameservers for valid signatures.

Best regards,
Wouter
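The two failure causes named in Wouter's reply (one authoritative server handing out expired DNSKEY signatures, and a zone update that decreased the SOA serial so secondaries never picked it up) can both be checked from `dig +dnssec` output. The script below is an added example, not code from this thread or from Unbound or BIND. It parses RRSIG records in presentation format, reports per nameserver whether the signatures it returned were valid at a given time, and compares SOA serials with RFC 1982 wraparound arithmetic to flag a serial that went backwards. All record lines, nameserver names (`ns-glue.example.net` etc.) and serials are constructed samples; the check time is the date of this thread.

```python
"""Added example (not from the mailing-list thread or from Unbound/BIND):
per-nameserver RRSIG validity and SOA serial ordering checks.

Every record, nameserver name and serial below is a constructed sample
in presentation format; none of it was captured from a real zone.
"""
from datetime import datetime, timezone

# --- RFC 1982 serial arithmetic -------------------------------------------
SERIAL_BITS = 32
SERIAL_MAX = 1 << SERIAL_BITS
SERIAL_HALF = 1 << (SERIAL_BITS - 1)


def serial_gt(a: int, b: int) -> bool:
    """True if 32-bit serial a is 'greater than' b, honouring wraparound."""
    a %= SERIAL_MAX
    b %= SERIAL_MAX
    return (a < b and b - a > SERIAL_HALF) or (a > b and a - b < SERIAL_HALF)


def serial_decreased(old: int, new: int) -> bool:
    """A secondary only transfers when new > old (RFC 1982 sense).  A serial
    that went backwards is silently ignored, so the secondary keeps serving
    the old zone, including its old (eventually expired) RRSIGs."""
    return old != new and not serial_gt(new, old)


# --- RRSIG parsing and validity --------------------------------------------
def parse_rrsig_time(s: str) -> datetime:
    """RRSIG inception/expiration are YYYYMMDDHHmmSS in UTC."""
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsig(line: str) -> dict:
    """Parse one RRSIG line as printed by `dig +dnssec`.
    Fields: owner ttl class RRSIG covered alg labels orig-ttl
            expiration inception keytag signer signature..."""
    f = line.split()
    if len(f) < 13 or f[3] != "RRSIG":
        raise ValueError("not an RRSIG record: " + line)
    return {
        "owner": f[0],
        "covered": f[4],
        "expiration": parse_rrsig_time(f[8]),
        "inception": parse_rrsig_time(f[9]),
        "keytag": int(f[10]),
        "signer": f[11],
    }


def rrsig_valid_at(sig: dict, now: datetime) -> bool:
    return sig["inception"] <= now <= sig["expiration"]


def classify_servers(answers: dict, now: datetime) -> dict:
    """answers: nameserver -> RRSIG lines that server returned for a query.
    Returns nameserver -> 'valid' | 'expired' | 'not-yet-valid' | 'unsigned'.
    A validating resolver that happens to pick an 'expired' server will
    SERVFAIL even though other servers for the zone are fine."""
    result = {}
    for ns, lines in answers.items():
        sigs = [parse_rrsig(line) for line in lines]
        if not sigs:
            result[ns] = "unsigned"
        elif all(rrsig_valid_at(s, now) for s in sigs):
            result[ns] = "valid"
        elif any(now > s["expiration"] for s in sigs):
            result[ns] = "expired"
        else:
            result[ns] = "not-yet-valid"
    return result


def valid_servers(answers: dict, now: datetime) -> list:
    """Servers an operator could safely point a resolver at right now."""
    return sorted(ns for ns, st in classify_servers(answers, now).items()
                  if st == "valid")


# --- constructed sample data (hypothetical zone example.org.) -------------
NOW = parse_rrsig_time("20090706143300")  # date of the thread, UTC assumed

_OLD = ("example.org. 3600 IN RRSIG DNSKEY 5 2 3600 20090701000000 "
        "20090601000000 12345 example.org. c2FtcGxlLXNpZw==")
_NEW = ("example.org. 3600 IN RRSIG DNSKEY 5 2 3600 20090801000000 "
        "20090701000000 12345 example.org. c2FtcGxlLXNpZw==")
_FUTURE = ("example.org. 3600 IN RRSIG DNSKEY 5 2 3600 20090901000000 "
           "20090801000000 12345 example.org. c2FtcGxlLXNpZw==")

SAMPLE_ANSWERS = {
    "ns-glue.example.net.": [_OLD],      # stale zone: signatures expired
    "ns2.example.org.": [_NEW],          # current zone
    "ns3.example.org.": [_NEW],          # current zone
    "ns4.example.org.": [_FUTURE],       # clock skew: not valid yet
    "ns5.example.org.": [],              # answered without RRSIGs
}

if __name__ == "__main__":
    for ns, status in classify_servers(SAMPLE_ANSWERS, NOW).items():
        print(f"{ns:24} {status}")
    print("serial 2009070602 -> 2009070601 decreased:",
          serial_decreased(2009070602, 2009070601))
```

Run against real output, the per-server view is obtained by querying each NS listed in the delegation directly (`dig +dnssec @<server> DNSKEY <zone>`) rather than through the recursive resolver, since the resolver's answer only reflects whichever server it tried last.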