Hi Stephane

On Mon, Feb 16, 2015 at 05:34:53PM +0100, Stephane Bortzmeyer wrote:
> DNSviz, like Unbound, says the domain is broken:
>
> http://dnsviz.net/d/cepn.asso.fr/VOGwhA/dnssec/

DNSviz complains about missing RRs, but shows "status:SECURE" in epn.asso.fr. with green outlines for DNSKEY, SOA, MX unlike for a bad zone where it would show "status:INSECURE". DNSviz also has an explanation for why the green shapes are secure.

There was a DS with algorithm=8 in the parent (fr.), but no corresponding DNSKEYs in the child zone. But there is a valid authentication chain through the algorithm=5 keys.

I skimmed through this and haven't looked at any fields of the RRs; maybe there is a different reason from the above why Unbound doesn't validate, or rather returns SERVFAIL.

		Mukund
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
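The situation described in the message above (a DS in the parent whose algorithm has no DNSKEY in the child, next to a DS that does match) can be checked mechanically. This is an added example, not part of the original post: the records are constructed sample data, the function names are hypothetical, and only key tag and algorithm are compared (the DS digest is not verified).

```python
import struct

def key_tag(flags, protocol, algorithm, pubkey):
    """Key tag over the DNSKEY RDATA, per RFC 4034 Appendix B.
    (Algorithm 1, RSA/MD5, uses a different rule and is not handled.)"""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + pubkey
    acc = 0
    for i, b in enumerate(rdata):
        # Even offsets are the high byte of a 16-bit word, odd offsets the low byte.
        acc += b << 8 if i % 2 == 0 else b
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def check_delegation(ds_set, dnskey_set):
    """Compare the parent's DS set with the child's DNSKEY set.

    ds_set:     iterable of (key_tag, algorithm) taken from the parent zone
    dnskey_set: iterable of (flags, protocol, algorithm, pubkey_bytes) from the child
    Returns (matched DS, dangling DS, DS algorithms absent from the child).
    A key tag + algorithm match is necessary but not sufficient: a validator
    also compares the DS digest with the hash of the DNSKEY.
    """
    present = {(key_tag(*k), k[2]) for k in dnskey_set}
    matched = [ds for ds in ds_set if ds in present]
    dangling = [ds for ds in ds_set if ds not in present]
    child_algs = {k[2] for k in dnskey_set}
    missing_algs = sorted({alg for _, alg in ds_set} - child_algs)
    return matched, dangling, missing_algs

# Constructed sample data: the child publishes only algorithm 5 keys.
CHILD_DNSKEYS = [
    (257, 3, 5, bytes.fromhex("01020304")),  # KSK (constructed key bytes)
    (256, 3, 5, bytes.fromhex("0a0b0c0d")),  # ZSK (constructed key bytes)
]
# The parent holds one DS for the algorithm 5 KSK and one algorithm 8 DS
# with a made-up key tag that no child DNSKEY corresponds to.
PARENT_DS = [(key_tag(*CHILD_DNSKEYS[0]), 5), (12345, 8)]

if __name__ == "__main__":
    matched, dangling, missing = check_delegation(PARENT_DS, CHILD_DNSKEYS)
    print("DS with a matching DNSKEY:", matched)
    print("DS with no matching DNSKEY:", dangling)
    print("DS algorithms with no DNSKEY in the child:", missing)
```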