Maintained by: NLnet Labs

[Unbound-users] Strange validation failures for some wildcard CNAMEs

Ondřej Caletka
Mon Sep 22 12:58:23 CEST 2014

On 17.9.2014 16:05, Ondřej Caletka wrote:
> Hi,
> I'm having an issue with validating particular domain names:
> $ dig tlsa
> $ dig tlsa
>  - validates with BIND, fails with Unbound 1.4.21
>  - unbound-host says that cname proof failed
> I'm suspecting that there is something wrong on the authoritative side
> since both domains are hosted on the same set of servers. But I'm not
> able to figure out what exactly is wrong and what the answers should
> look like to be validated successfully by Unbound.

Hello again,

I think I've found the answer in the DANE WG ML:

Looks like the issue is actually caused by bad wildcard DNSSEC
processing in djbdns.

Thanks for the help.

Ondřej Caletka
