Maintained by: NLnet Labs

[Unbound-users] Help troubleshooting validation failures on domains.

Augie Schwer
Thu Mar 22 23:10:41 CET 2012

On Wed, Mar 21, 2012 at 7:53 PM, Olafur Gudmundsson <ogud at> wrote:
> The first thing that jumps out is the domain is using 2 different DNSKEY
> algorithms this increases possiblity of mistakes.
> ALG 7 is in the record in parent with corresponding DNSKEY record signing
> the DNSKEY, but the key for algorithm 7 that signs the A RRset is
> not in the DNSKEY RRset.

Indeed, what I didn't realize was that the site was working on old data, when I
re-ran the report it reported like you said that they had signed their
RRset with a new un-published key.

It appears they have fixed their zone now, thanks for your help in
making sense of what happened.

Augie Schwer    -    Augie at    -