Maintained by: NLnet Labs

[Unbound-users] Strange validation failures for some wildcard CNAMEs

Casey Deccio
Wed Sep 17 18:27:06 CEST 2014

On Wed, Sep 17, 2014 at 10:05 AM, Ondřej Caletka <ondrej at> wrote:

> I'm having an issue with validating particular domain names:
> $ dig tlsa
> $ dig tlsa
>  - validates with BIND, fails with Unbound 1.4.21
>  - unbound-host says that cname proof failed
> I'm suspecting that there is something wrong on the authoritative side
> since both domains are hosted on the same set of servers. But I'm not
> able to figure out, what exactly is wrong and how the answers should
> look like to be validated successfully by Unbound.
I don't immediately see anything wrong with the complete names above.  But
I can see that BIND and unbound both are failing validation for _  I am wondering if this is perhaps due to incorrect
handling of NSEC records associated with wildcards.

$ dig +dnssec +noall +authority | grep NSEC | head -1
 3600    IN NSEC    _jabber._ TXT RRSIG NSEC

The NSEC record returned doesn't prove that the name doesn't exist
(NXDOMAIN) because the name ( is in fact an ancestor of
the next field of the NSEC record (, as an
empty non-terminal.  But that proof is not required for wildcard, only for
NXDOMAIN status.

But that doesn't explain why unbound would be failing validation on _443._, unless it is performing validation of _ along the way.

Just a guess.
