Quoting "W.C.A. Wijngaards" <[email protected]>:
Update for the disaster-tourists on the list - unbound logs with
val-log-level: 2 that the upstream bind sends expired signatures -
sleuthing continues ...
It seems more that unbound and bind disagree in their opinion on whether
the signature is expired or not. As said, at the time unbound starts failing,
the same queries done directly to the upstream resolve *and* validate
fine. So the options are:
- Bind does not send the same data it is using for validation to the
downstream (unbound) client. Would be a Bind bug I guess.
- Unbound and Bind do validation differently (should not happen IMHO)
- Validation in Unbound for some cases is broken. Would be a bug in
Unbound I guess.
It would be nice to get help on how to debug this, as DNSSEC "by-hand" is
somewhat challenging.
Regards
Andreas
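
One way to do the expiry part of the check by hand: read the RRSIG lines from `dig +dnssec` output and test each validity window against a chosen instant, using the serial-number comparison from RFC 4034 section 3.1.5. This is an added example, not code from the thread or from Unbound or BIND; the sample record, the function names and the `skew` tolerance parameter are constructed for illustration.

```python
import calendar
import time

# Constructed sample in dig answer-section format (not captured from the thread).
SAMPLE = """\
; constructed example
example.org. 300 IN A 192.0.2.10
example.org. 300 IN RRSIG A 8 2 300 20120310120000 20120209120000 4242 example.org. SIGPLACEHOLDER=
"""

def _ts(field):
    """RRSIG time field (YYYYMMDDHHmmSS, UTC) -> 32-bit epoch seconds."""
    return calendar.timegm(time.strptime(field, "%Y%m%d%H%M%S")) & 0xFFFFFFFF

def _serial_diff(a, b):
    """Signed a - b under 32-bit serial number arithmetic (RFC 1982)."""
    d = (a - b) & 0xFFFFFFFF
    return d - (1 << 32) if d >= (1 << 31) else d

def check_rrsigs(dig_text, now, skew=0):
    """Return [(owner, covered_type, key_tag, verdict, seconds)] per RRSIG line.

    verdict is 'expired', 'not-yet-valid' or 'valid'. seconds is the time since
    expiry, until inception, or until expiry (negative when only the skew
    tolerance keeps the signature valid). skew is an assumed tolerance in
    seconds applied to both ends of the window.
    """
    out = []
    now &= 0xFFFFFFFF
    for line in dig_text.splitlines():
        f = line.split()
        if len(f) < 12 or line.startswith(";") or f[3] != "RRSIG":
            continue
        owner, covered, tag = f[0], f[4], int(f[10])
        expire, incept = _ts(f[8]), _ts(f[9])  # expiration precedes inception
        if _serial_diff(now, expire) > skew:
            out.append((owner, covered, tag, "expired", _serial_diff(now, expire)))
        elif _serial_diff(incept, now) > skew:
            out.append((owner, covered, tag, "not-yet-valid", _serial_diff(incept, now)))
        else:
            out.append((owner, covered, tag, "valid", _serial_diff(expire, now)))
    return out

if __name__ == "__main__":
    for row in check_rrsigs(SAMPLE, int(time.time())):
        print(row)
```

Running it over the answers from both resolvers with the same `now` shows whether they returned the same RRSIG; running it with each host's own clock reading shows whether the two machines would reach different verdicts on one signature.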