Maintained by: NLnet Labs

[Unbound-users] Expired RRSIGs, yet still "AD" flag set

Hauke Lampe
Wed Mar 30 15:04:15 CEST 2011


On 30.03.2011 14:54, Andreas Schulze wrote:

>> I have a case here where RRSIGs expired, yet Unbound still sets the "AD"
>> flag in responses.
> not here: (unbound-1.4.9)
>
> # unbound-host -C /etc/unbound/unbound.conf -v mixmaster.mixmin.net.
> mixmaster.mixmin.net. mail is handled by 10 snorky.mixmin.net. (insecure)

You're right. mixmin.net isn't chained from .net anymore (it used to
be). It's still listed in dlv.isc.org, that's where my resolver got the
trust chain from. I notified the domain owner. He'll fix it soon.

I was just curious why mail to that domain still got delivered, even
though the BIND resolver logged lots of validation failures.


Hauke.
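The point in the thread is that a validator only judges a signature "expired" if it reached the RRSIG through a trust chain in the first place; with mixmin.net no longer chained from .net (or from DLV), the answer is simply "insecure" and carries no AD bit. The following is an added example, not code from the thread or from Unbound, showing the time-window part of that judgement: it parses a constructed presentation-format RRSIG record and applies the RFC 4034 section 3.1.5 rule that inception and expiration are 32-bit serial numbers compared with RFC 1982 serial arithmetic. The record, key tag and timestamps are constructed for illustration; the function names are the example's own. Signature and chain-of-trust verification are deliberately out of scope.

```python
"""Check whether an RRSIG's validity window covers a given instant.

Added example (not from the unbound-users thread, not Unbound code).
Implements only the RFC 4034 s.3.1.5 time-window test, using RFC 1982
serial-number comparison on the 32-bit inception/expiration fields.
"""
from datetime import datetime, timezone

SERIAL_MOD = 1 << 32
SERIAL_HALF = 1 << 31


def parse_rrsig_time(field: str) -> int:
    """Convert an RRSIG time field to seconds since the epoch, modulo 2^32.

    RFC 4034 allows two presentation forms: a 14-digit YYYYMMDDHHmmSS
    string (interpreted as UTC) or a plain unsigned decimal integer.
    """
    if not field.isdigit():
        raise ValueError(f"bad RRSIG time field: {field!r}")
    if len(field) == 14:
        dt = datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
        return int(dt.timestamp()) % SERIAL_MOD
    return int(field) % SERIAL_MOD


def serial_lt(a: int, b: int) -> bool:
    """RFC 1982 'a < b' for 32-bit serial numbers (handles wrap-around)."""
    return (a < b and b - a < SERIAL_HALF) or (a > b and a - b > SERIAL_HALF)


def rrsig_window_status(inception: int, expiration: int, now: int) -> str:
    """Classify 'now' against the window: 'valid', 'expired' or 'not-yet-valid'.

    A validator accepts the RRSIG only if inception <= now <= expiration
    in serial arithmetic. Everything else makes the RRset bogus (given a
    trust chain); with no trust chain the question never arises.
    """
    if serial_lt(now, inception):
        return "not-yet-valid"
    if serial_lt(expiration, now):
        return "expired"
    return "valid"


def parse_rrsig_rr(line: str) -> dict:
    """Parse a presentation-format RRSIG RR into its timing-relevant fields.

    Field order after the RRSIG type: type covered, algorithm, labels,
    original TTL, expiration, inception, key tag, signer, signature.
    Note that expiration comes BEFORE inception in presentation format.
    """
    p = line.split()
    if len(p) < 13 or p[3] != "RRSIG":
        raise ValueError("not a presentation-format RRSIG RR with class field")
    return {
        "owner": p[0],
        "type_covered": p[4],
        "expiration": parse_rrsig_time(p[8]),
        "inception": parse_rrsig_time(p[9]),
        "key_tag": int(p[10]),
        "signer": p[11],
    }


def check_rrsig(line: str, now_field: str) -> str:
    """Return the window status of the RRSIG in 'line' at the instant 'now_field'."""
    sig = parse_rrsig_rr(line)
    return rrsig_window_status(sig["inception"], sig["expiration"], parse_rrsig_time(now_field))


# Constructed sample record (key tag, signature and dates are made up):
# signed 2011-02-20, expiring 2011-03-20, i.e. already expired on 2011-03-30.
SAMPLE_RRSIG = (
    "mixmin.net. 3600 IN RRSIG MX 7 2 3600 "
    "20110320000000 20110220000000 12345 mixmin.net. "
    "AQIDBAUGBwgJCgsMDQ4PEA=="
)

if __name__ == "__main__":
    for when in ("20110301120000", "20110330130415"):
        print(when, "->", check_rrsig(SAMPLE_RRSIG, when))
```

Real validators also allow some clock skew around the window (Unbound's unbound.conf(5) documents val-sig-skew-min / val-sig-skew-max for this), so the boundary is softer than this strict comparison; the serial-arithmetic handling is what keeps the check correct across the 2^32 wrap.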
