Maintained by: NLnet Labs

Validation failure signature crypto failed

Jac Backus
Wed Jan 25 21:57:09 CET 2017

Thanks, Casey, for the explanation.

I wondered if it was, because the zone was only signed partially. So it shows only the A record, because that is all that is signed. And the TXT record is not signed. 
But I suppose that may not even be possible.


-----Oorspronkelijk bericht-----
Van: Casey Deccio [mailto:casey at] 
Verzonden: woensdag 25 januari 2017 20:19
Aan: Jac Backus
CC: A. Schulze; unbound-users at
Onderwerp: Re: Validation failure signature crypto failed

> On Jan 25, 2017, at 3:35 AM, Jac Backus via Unbound-users <unbound-users at> wrote:
> Why does dnsviz not show the TXT record without selecting it in Advanced?

It was simply a choice of efficiency.  By default queries for MX, TXT, NS, and SOA are only issued if the name is a zone apex because it is more common to see those records at a zone apex.  It would be a bit slower and require more storage to keep track of the less common case.  The option of specifying TXT (and others) allows some flexibility beyond the defaults.