Hi,
my unbound 1.5.8 currently (as of 2016-05-17 23:43:16 UTC) successfully
verifies the DNSSEC signatures for gajim.org/A where the corresponding
RRSIG record currently looks like this (for full data see attached file
dig.txt):
    gajim.org. 86398 IN RRSIG A 8 2 86400 20160517181943 [...]
So, in my understanding, that signature expired at 2016-05-17 18:19:43 UTC,
which is a few hours ago, and thus the query should result in a SERVFAIL.
unbound still returns that response, even with the AD flag set. Is that
supposed to happen?
BIND 9.9, in contrast, refuses to verify the signature with the following
log messages:
    validating @0x7fa464325070: gajim.org DNSKEY: verify failed due to bad signature (keyid=16786): RRSIG has expired
    validating @0x7fa464325070: gajim.org DNSKEY: verify failed due to bad signature (keyid=42429): RRSIG has expired
    validating @0x7fa464325070: gajim.org DNSKEY: no valid signature found (DS)
DNSViz.net also doesn't seem to be too happy with it:
<http://dnsviz.net/d/gajim.org/Vzuwgw/dnssec/>
I've also attached the output of 'unbound-control dump_cache' to ease
debugging; if there's anything else that might be helpful, tell me.
Regards,
Julian
(attachments)
dig.txt (1.83 KB)
dumpcache.txt (21.3 KB)
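The check the report is about is the RRSIG validity window of RFC 4035 section 5.3.1: the validator's current time must lie between the Signature Inception and Signature Expiration fields, compared with RFC 1982 serial-number arithmetic as RFC 4034 requires. The following Python example is added here and is not code from the post, from unbound or from BIND; it parses a dig-style RRSIG line built from the fields quoted above, with a constructed inception, key tag and signature in place of the elided ones, and evaluates it at the report's query time.

```python
"""RRSIG validity-window check (RFC 4034 sec. 3.1.5, RFC 4035 sec. 5.3.1)."""
from datetime import datetime, timezone


def rrsig_time_to_epoch(field: str) -> int:
    """YYYYMMDDHHmmSS (UTC, as dig prints it) -> seconds since the epoch, mod 2^32."""
    dt = datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return int(dt.timestamp()) & 0xFFFFFFFF


def serial_le(a: int, b: int) -> bool:
    """a <= b under RFC 1982 32-bit serial arithmetic (mandated by RFC 4034)."""
    if a == b:
        return True
    return (a < b and b - a < 2**31) or (a > b and a - b > 2**31)


def parse_rrsig(line: str) -> dict:
    """Parse one dig-style RRSIG presentation line into named fields."""
    f = line.split()
    if len(f) < 13 or f[3] != "RRSIG":
        raise ValueError("not an RRSIG presentation-format record")
    return {
        "owner": f[0], "ttl": int(f[1]), "type_covered": f[4],
        "algorithm": int(f[5]), "labels": int(f[6]), "original_ttl": int(f[7]),
        "expiration": rrsig_time_to_epoch(f[8]),
        "inception": rrsig_time_to_epoch(f[9]),
        "key_tag": int(f[10]), "signer": f[11], "signature": "".join(f[12:]),
    }


def rrsig_status(rrsig: dict, now: int) -> str:
    """'valid' only if inception <= now <= expiration; otherwise name the failed bound."""
    if not serial_le(rrsig["inception"], now):
        return "not-yet-valid"
    if not serial_le(now, rrsig["expiration"]):
        return "expired"
    return "valid"


# Constructed sample: the fields dig showed in the report, plus a made-up
# inception, key tag and signature so the line parses. Not the real gajim.org RRSIG.
SAMPLE_RRSIG = ("gajim.org. 86398 IN RRSIG A 8 2 86400 20160517181943 "
                "20160417181943 12345 gajim.org. c2lnbmF0dXJl")
QUERY_TIME = rrsig_time_to_epoch("20160517234316")  # the report's query timestamp

if __name__ == "__main__":
    print(rrsig_status(parse_rrsig(SAMPLE_RRSIG), QUERY_TIME))  # -> expired
```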