[Unbound-users] unbound insecure!

W.C.A. Wijngaards wouter at NLnetLabs.nl
Wed Oct 1 06:44:32 UTC 2008


Shahab Yassemi wrote:
> Hi,
> 
>     Would you please help me and tell me why this is insecure? I used 4
> -d for debug and here is the result: (I added the key to the trust
> anchor in unbound.conf and dig returns servfail.) Thanks a lot.

The reason that unbound-host returns insecure is because you did not
give unbound-host a trust anchor.

dig returns servfail?  That means the problem is not with unbound at
all, but with the authority server - it gives servfail for DNSKEY lookups.

> root@shahab-desktop:~# unbound-host -r -d -d -d -d com -v

Can you load the trust anchor into unbound-host:
unbound-host -r -d -d -d -d com -v -y "com. IN DNSKEY 257 3 5
AwEAAbf7W22wjbzQ25cp23q4Kp7QdEOUWiPm5kDVvE2kOUYCyFUI04oI
EA2zs1i0jHfaTDxkEOQa810eqgBJQAuCyv0="

And then try again? It should print out the packet it got back when
asking for the DNSKEY - just like the dig command line.

Paul told you to nsdc rebuild and then nsdc reload. Did you do that?

Best regards,
   Wouter
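An added example, not part of the original message and not Unbound's own code: a Python check of the DNSKEY string given to -y in the reply above. It reports the flags, the key tag (RFC 4034 Appendix B) and the RSA key size, so the anchor can be compared with the DNSKEY the authority server returns. The function names and the 1024-bit threshold are assumptions of this example.

```python
import base64
import struct

# The -y argument from the message; the base64 key is wrapped across lines there.
ANCHOR = """com. IN DNSKEY 257 3 5
AwEAAbf7W22wjbzQ25cp23q4Kp7QdEOUWiPm5kDVvE2kOUYCyFUI04oI
EA2zs1i0jHfaTDxkEOQa810eqgBJQAuCyv0="""

def key_tag(flags, protocol, algorithm, key):
    """Key tag over the DNSKEY RDATA (RFC 4034 Appendix B, algorithms other than 1)."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + key
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def rsa_params(key):
    """Return (exponent, modulus bit length) of an RFC 3110 RSA key field."""
    if key[0]:                       # one-byte exponent length
        elen, off = key[0], 1
    else:                            # zero byte, then a two-byte length
        elen, off = struct.unpack("!H", key[1:3])[0], 3
    exponent = int.from_bytes(key[off:off + elen], "big")
    modulus = int.from_bytes(key[off + elen:], "big")
    return exponent, modulus.bit_length()

def parse_anchor(text):
    """Parse 'owner [ttl] [class] DNSKEY flags protocol algorithm base64...'."""
    tokens = text.split()            # also rejoins a key wrapped over lines
    i = tokens.index("DNSKEY")
    flags, protocol, algorithm = (int(t) for t in tokens[i + 1:i + 4])
    key = base64.b64decode("".join(tokens[i + 4:]), validate=True)
    info = {"owner": tokens[0], "flags": flags, "protocol": protocol,
            "algorithm": algorithm, "key_len": len(key),
            "zone_key": bool(flags & 0x0100), "sep": bool(flags & 0x0001),
            "key_tag": key_tag(flags, protocol, algorithm, key)}
    if algorithm in (5, 7, 8, 10):   # RSA-based DNSSEC algorithms
        info["rsa_exponent"], info["rsa_bits"] = rsa_params(key)
    return info

def problems(info, min_rsa_bits=1024):   # threshold is this example's assumption
    """List reasons to distrust or reject this anchor."""
    found = []
    if info["protocol"] != 3:
        found.append("protocol field must be 3")
    if not info["zone_key"]:
        found.append("Zone Key flag (0x0100) not set")
    if info.get("rsa_bits", min_rsa_bits) < min_rsa_bits:
        found.append("RSA modulus is only %d bits" % info["rsa_bits"])
    return found

if __name__ == "__main__":
    anchor = parse_anchor(ANCHOR)
    print(anchor, problems(anchor))
```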
