Maintained by: NLnet Labs

[Unbound-users] testing validation failure

Taylor R Campbell
Wed Mar 17 21:18:57 CET 2010

   Date: Wed, 17 Mar 2010 20:08:50 +0100
   From: "W.C.A. Wijngaards" <wouter at>

   The issue is simply that does not have a secure
   delegation from .org, the DS is not returned by the .org servers:
   dig +dnssec

Thanks.  I see that this is spelled out precisely in RFC 4033 in the
definitions of `insecure' and `bogus'.  If I put's
DNSKEY among Unbound's trust anchors, I get SERVFAIL as expected.

   I would advise you to install a cron job to pull the and
   update it.  A script that does so and checks the PGP signature is in the
   unbound source tarball contrib/ :-)

Yep, I planned to do that once I got Unbound behaving as I expect.

   This makes sure that you have the latest trust anchors, otherwise they
   go stale and things stop working next year.

Next year?  Isn't the root zone supposed to be signed in July, at
which point the IANA ITAR will turn into a pumpkin?
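
Added example, not part of the original message or of Unbound's code: a simplified Python model of the RFC 4033 section 5 validation states discussed above, showing why a zone with failing signatures is `insecure' when the parent returns no DS and becomes `bogus' once its own DNSKEY is configured as a trust anchor. The zone names, the ZONES table and the classify() helper are constructed for illustration. The model assumes that a validated parent with no DS for the child has proven the DS absent, and it does no real cryptography.

```python
# Simplified model of the RFC 4033 section 5 validation states.
# Each zone records only whether its parent publishes a DS for it and
# whether its own RRSIGs verify. All zone names below are constructed.

def zone_chain(qname):
    """Ancestor names from the root down to qname: '.', 'org.', 'x.org.', ..."""
    labels = qname.rstrip(".").split(".") if qname != "." else []
    chain = ["."]
    for i in range(len(labels) - 1, -1, -1):
        chain.append(".".join(labels[i:]) + ".")
    return chain

def classify(qname, anchors, zones):
    """Return 'secure', 'insecure', 'bogus' or 'indeterminate' for qname."""
    # Keep only the names that are zone apexes in this model.
    chain = [z for z in zone_chain(qname) if z in zones]
    # Validation starts at the closest enclosing trust anchor.
    start = max((i for i, z in enumerate(chain) if z in anchors), default=None)
    if start is None:
        return "indeterminate"      # no trust anchor covers this name
    for i in range(start, len(chain)):
        zone = zones[chain[i]]
        # Below the anchor, a missing DS ends the chain of trust: everything
        # underneath is insecure and its signatures are never checked.
        if i > start and not zone["ds_at_parent"]:
            return "insecure"
        # Anchored or securely delegated zone whose signatures fail.
        if not zone["sigs_valid"]:
            return "bogus"          # a validating resolver answers SERVFAIL
    return "secure"

# Constructed data: 'org.' is signed and validates; the test zone is signed
# with failing signatures and has no DS in 'org.'.
ZONES = {
    "org.": {"ds_at_parent": False, "sigs_valid": True},
    "broken.example.org.": {"ds_at_parent": False, "sigs_valid": False},
}

if __name__ == "__main__":
    name = "www.broken.example.org."
    print(classify(name, {"org."}, ZONES))                         # anchor for org. only
    print(classify(name, {"org.", "broken.example.org."}, ZONES))  # zone key also anchored
```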