On Wed, Mar 02, 2016 at 16:58:38 +, Tony Finch wrote:
> Olav Morken via Unbound-users wrote:
> >
> > info: validate(cname): sec_status_secure
> > info: validate(positive): sec_status_secure
> > info: message is bogus, non secure rrset uninett.no. NS IN
> >
> >
>> The "right" thing is to have RRSIGs for all elements of the
>> answer and authority sections. This is mandated by
>> RFC4034,4035. All the RRsets in the answer and authority
>> section MUST validate to mark the response as valid.
>
> FYI, I've submitted a tentative bug report to the BIND
> The "right" thing is to have RRSIGs for all elements of the
> answer and authority sections. This is mandated by
> RFC4034,4035. All the RRsets in the answer and authority
> section MUST validate to mark the response as valid.
FYI, I've submitted a tentative bug report to the BIND maintainers
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Hi Havard,
On 02/03/16 20:20, Havard Eidnes via Unbound-users wrote:
>>> Unfortunately, the BIND server only tends to return responses
>>> where the authority-section has NS-records but no RRSIG-record
>>> during the night. I suspect it has
>> Unfortunately, the BIND server only tends to return responses where
>> the authority-section has NS-records but no RRSIG-record
>> during the night. I suspect it has something to do with
>> traffic levels and what other systems are accessing it. It
>> makes it all a bit hard to troubleshoot.
Olav Morken via Unbound-users wrote:
>
> info: validate(cname): sec_status_secure
> info: validate(positive): sec_status_secure
> info: message is bogus, non secure rrset uninett.no. NS IN
>
> As far as I can tell, the problem here is caused by extra NS-records in
On Wed, Mar 02, 2016 at 10:47:13 -0500, Paul Wouters wrote:
> On Wed, 2 Mar 2016, Olav Morken via Unbound-users wrote:
>
> >Unfortunately, the BIND server only tends to return responses where the
> >authority-section has NS-records but no RRSIG-record during the night.
> >I suspect it has
On Wed, 2 Mar 2016, Olav Morken via Unbound-users wrote:
Unfortunately, the BIND server only tends to return responses where the
authority-section has NS-records but no RRSIG-record during the night.
I suspect it has something to do with traffic levels and what other
systems are accessing it.
On Wed, Mar 02, 2016 at 08:45:11 -0500, Casey Deccio wrote:
> On Wed, Mar 2, 2016 at 6:39 AM, Olav Morken via Unbound-users <
> unbound-users@unbound.net> wrote:
>
> > sorry for the rather longwinded email. In the interest of saving some
> > time, here is a short summary:
> >
> >
> Hi Olav,
>
>
Hi,
sorry for the rather longwinded email. In the interest of saving some
time, here is a short summary:
We get the error "message is bogus, non secure rrset" from Unbound in
some cases when resolving a wildcard CNAME record. The cause appears to
be an upstream BIND resolver that in some
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Hi,
Unbound 1.5.8 is available:
http://www.unbound.net/downloads/unbound-1.5.8.tar.gz
sha1 1391888d2e3395d766545cd3dbdf0f1879c48080
sha256 33567a20f73e288f8daa4ec021fbb30fe1824b346b34f12677ad77899ecd09be
pgp
11 matches
Mail list logo