[Unbound-users] SERVFAIL for an abbreviated TLD local zone

Jeroen Massar jeroen at massar.ch
Mon Dec 8 07:32:12 UTC 2014


On 2014-12-08 08:07, martin f krafft wrote:
> also sprach Jeroen Massar <jeroen at massar.ch> [2014-12-08 07:41 +0100]:
>> As the root does not know your custom zone, that custom zone is
>> not properly signed and voila ;)
> 
> Ah, of course (Thanks also to Robert!)
> 
> I think the real solution is to sign the zone. DNSSEC is on my to-do
> list anyway — for years ;)

You are missing one item: even if you sign the zone, the root does not
delegate-signed towards your zone.

Hence, even if your zone is signed, those signatures won't be trusted and
thus the zone won't work anyway.

The reason why your zone currently does not work is because there is no
signed delegation towards that zone; hence the zone, in signed fashion,
does not exist.

As per other mail:
8<-----------------------
domain-insecure: gern
----------------------->8

Should solve that.

Greets,
 Jeroen
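
Added example, not part of the original message or of anyone's actual configuration on this thread: an unbound.conf fragment showing where the domain-insecure line sits relative to the trust anchor. It assumes the private "gern" zone is served by an internal authoritative server reached through a stub-zone; the address and the key file path are placeholders.

```conf
# unbound.conf fragment (constructed example; address and path are placeholders)
server:
    # Validation is active because a root trust anchor is configured.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

    # The signed root proves that there is no "gern" TLD and therefore
    # no DS record for it. Answers for names under gern. cannot be tied
    # into the chain of trust, validation fails, and the client gets
    # SERVFAIL. This line tells the validator to ignore the chain of
    # trust for gern. and every name below it.
    domain-insecure: "gern."

# Assumed setup: the private zone lives on an internal authoritative
# server that Unbound queries directly instead of following the root.
stub-zone:
    name: "gern."
    stub-addr: 192.0.2.53
```

domain-insecure switches off validation for the whole subtree it names, so it should cover only the private name and nothing above it.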



