Re: message is bogus, non secure rrset with Unbound as local caching resolver

2016-03-02 Thread Olav Morken via Unbound-users
On Wed, Mar 02, 2016 at 16:58:38 +, Tony Finch wrote: > Olav Morken via Unbound-users wrote: > > > > info: validate(cname): sec_status_secure > > info: validate(positive): sec_status_secure > > info: message is bogus, non secure rrset uninett.no. NS IN > > > >

Re: message is bogus, non secure rrset with Unbound as local caching resolver

2016-03-02 Thread Havard Eidnes via Unbound-users
>> The "right" thing is to have RRSIGs for all elements of the >> answer and authority sections. This is mandated by >> RFC4034,4035. All the RRsets in the answer and authority >> section MUST validate to mark the response as valid. > > FYI, I've submitted a tentative bug report to the BIND

Re: message is bogus, non secure rrset with Unbound as local caching resolver

2016-03-02 Thread Havard Eidnes via Unbound-users
> The "right" thing is to have RRSIGs for all elements of the > answer and authority sections. This is mandated by > RFC4034,4035. All the RRsets in the answer and authority > section MUST validate to mark the response as valid. FYI, I've submitted a tentative bug report to the BIND maintainers

Re: message is bogus, non secure rrset with Unbound as local caching resolver

2016-03-02 Thread W.C.A. Wijngaards via Unbound-users
Hi Havard, On 02/03/16 20:20, Havard Eidnes via Unbound-users wrote: >>> Unfortunately, the BIND server only tends to return responses >>> where the authority-section has NS-records but no RRSIG-record >>> during the night. I suspect it has

Re: message is bogus, non secure rrset with Unbound as local caching resolver

2016-03-02 Thread Havard Eidnes via Unbound-users
>> Unfortunately, the BIND server only tends to return responses where >> the authority-section has NS-records but no RRSIG-record >> during the night. I suspect it has something to do with >> traffic levels and what other systems are accessing it. It >> makes it all a bit hard to troubleshoot.

Re: message is bogus, non secure rrset with Unbound as local caching resolver

2016-03-02 Thread Tony Finch via Unbound-users
Olav Morken via Unbound-users wrote: > > info: validate(cname): sec_status_secure > info: validate(positive): sec_status_secure > info: message is bogus, non secure rrset uninett.no. NS IN > > As far as I can tell, the problem here is caused by extra NS-records in

Re: message is bogus, non secure rrset with Unbound as local caching resolver

2016-03-02 Thread Olav Morken via Unbound-users
On Wed, Mar 02, 2016 at 10:47:13 -0500, Paul Wouters wrote: > On Wed, 2 Mar 2016, Olav Morken via Unbound-users wrote: > > >Unfortunately, the BIND server only tends to return responses where the > >authority-section has NS-records but no RRSIG-record during the night. > >I suspect it has

Re: message is bogus, non secure rrset with Unbound as local caching resolver

2016-03-02 Thread Paul Wouters via Unbound-users
On Wed, 2 Mar 2016, Olav Morken via Unbound-users wrote: Unfortunately, the BIND server only tends to return responses where the authority-section has NS-records but no RRSIG-record during the night. I suspect it has something to do with traffic levels and what other systems are accessing it.

Re: message is bogus, non secure rrset with Unbound as local caching resolver

2016-03-02 Thread Olav Morken via Unbound-users
On Wed, Mar 02, 2016 at 08:45:11 -0500, Casey Deccio wrote: > On Wed, Mar 2, 2016 at 6:39 AM, Olav Morken via Unbound-users < > unbound-users@unbound.net> wrote: > > > sorry for the rather longwinded email. In the interest of saving some > > time, here is a short summary: > > > > > Hi Olav, > >

message is bogus, non secure rrset with Unbound as local caching resolver

2016-03-02 Thread Olav Morken via Unbound-users
Hi, sorry for the rather longwinded email. In the interest of saving some time, here is a short summary: We get the error "message is bogus, non secure rrset" from Unbound in some cases when resolving a wildcard CNAME record. The cause appears to be an upstream BIND resolver that in some

Unbound 1.5.8 release

2016-03-02 Thread W.C.A. Wijngaards via Unbound-users
Hi, Unbound 1.5.8 is available: http://www.unbound.net/downloads/unbound-1.5.8.tar.gz sha1 1391888d2e3395d766545cd3dbdf0f1879c48080 sha256 33567a20f73e288f8daa4ec021fbb30fe1824b346b34f12677ad77899ecd09be pgp