Maintained by: NLnet Labs

[Unbound-users] DLV records for ORG have been inserted into

W.C.A. Wijngaards
Mon Jul 6 14:47:43 CEST 2009

Hi Stephane,

On 07/06/2009 02:33 PM, Stephane Bortzmeyer wrote:
>> For those of you using DLV in your resolvers, ORG should have appeared a  
>> few minutes ago.
> It works with BIND+DLV:
> % dig +dnssec SOA 
> ...
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 3
> ...
> Not with Unbound+DLV:
> % dig +dnssec SOA
> ...
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 9192
> (All the .ORG domains servfail.)
> Log attached.
> Restarting does not help.
> Unbound 1.3.0 pristine, Debian/Linux, no forwarder,

has 4 servers. the is glue, and then it has
three other nameservers.  The server has expired DNSKEY
signatures.  The other nameservers work.

(Jelte says after a quick look: the zone was most probably updated, but
they *de*creased the serial number, causing the pickup to go wrong).

Unbound, because it gets the glue for free, tries to get the data from  This fails.  It becomes servfail.

Now, with default settings, unbound fetches address for the other
servers into the cache and every minute tries a random one.  So after
some time it can become valid if you keep trying.

Bind shows different behaviour - it tries all nameservers for the domain
until it gets valid DNSSEC from it.  That is why you see no complaints
from BIND.

Because of the design of unbound it would be relatively tricky to scan
all nameservers for valid signatures.

Best regards,
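As an added example (not code from this mail, nor from Unbound or BIND), here is the per-server check that Wouter's explanation implies: instead of letting the resolver pick one nameserver, query each nameserver of the zone separately and see which one still serves an expired DNSKEY signature or a disagreeing SOA serial. The answer text below is constructed in dig's presentation format for an imaginary "example.org" with four nameservers; on a live zone you would feed it the output of `dig +dnssec DNSKEY <zone> @<ns>` and `dig SOA <zone> @<ns>` for each NS. The zone name, server names, serials and dates are all assumptions.

```python
from collections import Counter
from datetime import datetime, timezone


def dns_time(field):
    """RRSIG expiration/inception field, YYYYMMDDHHmmSS in UTC (RFC 4034 section 3.2)."""
    return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_response(text):
    """Extract the SOA serial and the RRSIGs over DNSKEY from dig-style answer text."""
    serial, rrsigs = None, []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 7 or f[0].startswith(";"):  # skip dig comments, blanks, short lines
            continue
        if f[3] == "SOA":
            serial = int(f[6])  # owner ttl class SOA mname rname serial ...
        elif f[3] == "RRSIG" and f[4] == "DNSKEY":
            # owner ttl class RRSIG type alg labels origttl expiration inception keytag signer sig
            rrsigs.append({"expiration": dns_time(f[8]),
                           "inception": dns_time(f[9]),
                           "key_tag": int(f[10])})
    return serial, rrsigs


def serial_lt(a, b):
    """RFC 1982 serial number arithmetic (SERIAL_BITS = 32): is serial a older than b?"""
    a, b = a % 2**32, b % 2**32
    return (a < b and b - a < 2**31) or (a > b and a - b > 2**31)


def audit(responses, now):
    """responses: {nameserver: dig text}. Returns {nameserver: [findings]}; [] means healthy."""
    parsed = {ns: parse_response(txt) for ns, txt in responses.items()}
    serials = [s for s, _ in parsed.values() if s is not None]
    majority = Counter(serials).most_common(1)[0][0] if serials else None
    report = {}
    for ns, (serial, rrsigs) in parsed.items():
        findings = []
        if serial is None:
            findings.append("no SOA in answer")
        elif serial != majority:
            # A stale server that never picked up a re-signed zone with a *lower* serial
            # shows up here as "ahead of" the majority, not behind it.
            rel = "behind" if serial_lt(serial, majority) else "ahead of"
            findings.append(f"serial {serial} {rel} majority {majority}")
        if not rrsigs:
            findings.append("DNSKEY RRset unsigned")
        elif not any(s["inception"] <= now <= s["expiration"] for s in rrsigs):
            # A validator needs at least one RRSIG whose validity window contains 'now'.
            latest = max(s["expiration"] for s in rrsigs)
            findings.append(f"no currently valid DNSKEY RRSIG (latest expired {latest:%Y-%m-%d})")
        report[ns] = findings
    return report


# Constructed sample: three servers carry the freshly signed zone, the glue server
# (ns-glue) still serves the old zone with the old serial and a signature that expired.
NOW = datetime(2009, 7, 6, 12, 47, tzinfo=timezone.utc)
_FRESH = """\
example.org. 3600 IN SOA ns1.example.org. hostmaster.example.org. 2009070401 7200 3600 1209600 3600
example.org. 3600 IN RRSIG DNSKEY 7 2 3600 20090805000000 20090706000000 12345 example.org. c29tZXNpZw==
"""
_STALE = """\
;; ANSWER SECTION:
example.org. 3600 IN SOA ns1.example.org. hostmaster.example.org. 2009070500 7200 3600 1209600 3600
example.org. 3600 IN RRSIG DNSKEY 7 2 3600 20090705000000 20090605000000 12345 example.org. c29tZXNpZw==
"""
SAMPLE_RESPONSES = {"ns-glue.example.org": _STALE,
                    "ns1.example.org": _FRESH,
                    "ns2.example.org": _FRESH,
                    "ns3.example.org": _FRESH}

if __name__ == "__main__":
    for ns, findings in audit(SAMPLE_RESPONSES, NOW).items():
        print(ns, "OK" if not findings else "; ".join(findings))
```

Serials are compared with RFC 1982 arithmetic rather than as plain integers, so that a server still holding the pre-decrease serial is reported as "ahead of" the rest; that is the trap Jelte describes, since a secondary that sees a lower serial on its master never transfers the re-signed zone. The report lists every server, so one stale server stands out against the others regardless of which one a resolver happened to pick.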