[polri.go.id DNS issues, glueless delegation, confusing NSEC???]
Viktor Dukhovni
ietf-dane at dukhovni.org
Fri Mar 3 21:33:34 UTC 2017
On Thu, Mar 02, 2017 at 01:35:41PM +0100, W.C.A. Wijngaards wrote:
> What is happening is that the domain has both a signed parent and
> unsigned child-zones co-hosted.
Correct, and also missing glue records for the delegation from one
to other, and the child zones happen to be the nameservers for both.
> This confuses unbound's
> dnssec-missing-response failover that starts to look for alternatives.
> This takes a long time because of the timeouts because of the
> non-responding servers. After a while it gets that no better
> alternative exists, uses the unsigned response and this is correctly
> insecure for DNSSEC. But these timeout could cause issues, I guess.
What I see (from time to time) seems more than just transient
timeouts. Anyway the domain has multiple configuration issues
that its owners should resolve.
If this brings to light something worth improving in unbound that'd
be cool too, but so far so I've not identified any specific unbound
problem.
--
Viktor.
More information about the Unbound-users
mailing list