Maintained by: NLnet Labs

[Unbound-users] Possible unbound bug with wild card results

Erinn Looney-Triggs
Wed Mar 20 21:55:27 CET 2013

There is a bugzilla open about a similar
issue: , but from my
reading it looks like it went off in another direction.

The issue I am running into comes in when resolving
domains which are DLV signed. Specifically but
any other * domains seem to fail, and only with unbound
in my testing thus far. Straight bind will return the result.

When attempting to resolve I get this in the logs:

unbound: [1005:1] info: validation failure A IN

Running directly against bind we get the result as expected:
dig +dnssec

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6.3 <<>> +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57589
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 1

; EDNS: version: 0, flags: do; udp: 4096
;      IN      A

;; ANSWER SECTION: 56    IN      A 56    IN      RRSIG   A 5 2 60 20130418182632
20130319182632 378
+ikA73Lcv2KjBF0Nbq4LFG11O8MDOdDi1zZ8XrYCdlQkS/PqKoZzcX9m b+A=

*     56      IN      NSEC A AAAA
*     56      IN      RRSIG   NSEC 5 2 86400
20130418182632 20130319182632 378
MqBAuQBQ2WosUOfwG290TTGiXRiapvYVw15odvsTL4wKHzEcYmRbtbnq WyU=

You can get a nice breakdown of the signing here:

My guess is that it has to do with the * record, but I
am no expert, or perhaps DLV plays into it? There aren't a great deal of
sites that I know of to compare this to.

Can anyone else confirm or deny this issue with their unbound?
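The dig output above carries the two things a validator looks at for this case: the RRSIG on the A answer has a labels field of 2, and the authority section holds an NSEC owned by a `*` name. A labels value smaller than the number of labels in the owner name means the answer was synthesized from a wildcard, and RFC 4035 section 5.3.4 then requires an NSEC proving that no closer name exists before the answer can be marked secure. The script below is an added illustration of that check, not code from the post or from unbound; the real names were scrubbed from the archive, so it uses constructed example.com placeholders and a placeholder signature string, and it does not verify the cryptographic signature itself.

```python
"""Wildcard-expansion check for a DNSSEC answer, modelled on the dig output in the post."""
from datetime import datetime, timezone

# Constructed sample: names and signatures are placeholders, the shape follows the post.
ANSWER = [
    ("www.example.com.", "A", "192.0.2.10"),
    ("www.example.com.", "RRSIG",
     "A 5 2 60 20130418182632 20130319182632 378 example.com. <sig-placeholder>"),
]
AUTHORITY = [
    ("*.example.com.", "NSEC", "example.com. A AAAA RRSIG NSEC"),
    ("*.example.com.", "RRSIG",
     "NSEC 5 2 86400 20130418182632 20130319182632 378 example.com. <sig-placeholder>"),
]
# Time of the post, used as the validation instant in the example.
POST_TIME = datetime(2013, 3, 20, 21, 55, 27, tzinfo=timezone.utc)


def parse_rrsig(rdata):
    """Split RRSIG presentation-format rdata into its fields (RFC 4034 section 3.2)."""
    f = rdata.split()
    return {"type_covered": f[0], "algorithm": int(f[1]), "labels": int(f[2]),
            "original_ttl": int(f[3]), "expiration": f[4], "inception": f[5],
            "key_tag": int(f[6]), "signer": f[7], "signature": "".join(f[8:])}


def label_count(name):
    """Count labels the way the RRSIG labels field does: root and a leading '*' are not counted."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    if labels and labels[0] == "*":
        labels = labels[1:]
    return len(labels)


def wildcard_source(owner, rrsig):
    """Return the wildcard name the RRSIG was produced for, or None if the answer is not expanded."""
    n = label_count(owner)
    if rrsig["labels"] >= n:
        return None
    labels = [l for l in owner.rstrip(".").split(".") if l]
    return "*." + ".".join(labels[n - rrsig["labels"]:]) + "."


def canonical_key(name):
    """Key implementing RFC 4034 section 6.1 canonical ordering (right-most label first, lowercase)."""
    return tuple(reversed([l.lower().encode() for l in name.rstrip(".").split(".") if l]))


def nsec_covers(owner, next_name, qname):
    """True if qname falls in the gap proven empty by NSEC owner -> next_name."""
    o, n, q = (canonical_key(x) for x in (owner, next_name, qname))
    if o < n:
        return o < q < n
    return q > o or q < n   # last NSEC in the chain wraps around to the zone apex


def utc(stamp):
    """Parse a YYYYMMDDHHMMSS RRSIG timestamp as UTC."""
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def signature_in_window(rrsig, when):
    """True if the validation instant lies between inception and expiration."""
    return utc(rrsig["inception"]) <= when <= utc(rrsig["expiration"])


def check_wildcard_answer(qname, answer, authority, when):
    """Return (wildcard_name, proof_ok, time_ok) for the A answer, per RFC 4035 section 5.3.4.

    wildcard_name is None when the answer was not synthesized; proof_ok reports whether the
    authority section carries an NSEC covering qname, which a secure wildcard answer needs.
    """
    rrsig = next(parse_rrsig(rd) for (o, t, rd) in answer if t == "RRSIG" and o == qname)
    wc = wildcard_source(qname, rrsig)
    time_ok = signature_in_window(rrsig, when)
    if wc is None:
        return None, True, time_ok
    proof_ok = any(nsec_covers(o, rd.split()[0], qname)
                   for (o, t, rd) in authority if t == "NSEC")
    return wc, proof_ok, time_ok


if __name__ == "__main__":
    print(check_wildcard_answer("www.example.com.", ANSWER, AUTHORITY, POST_TIME))
```

With the constructed data the answer is recognised as an expansion of `*.example.com.`, the `*` NSEC (whose next name wraps to the apex) covers `www.example.com.`, and the RRSIG window contains the date of the post, so a validator that reports failure here is rejecting something else, such as the signature bytes or the chain to the DLV anchor. Dropping the NSEC, or having one whose gap does not contain the query name, flips `proof_ok` to False, which is the condition a validator logs as a wildcard-proof failure.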
