Hi,
I'm unable to resolve www.iana.org (aka ianawww.vip.icann.org) with
Unbound 1.6.7. Is this a problem with how the zones are signed, or is
Unbound being too strict?

$ unbound-host -D -t a www.iana.org
www.iana.org is an alias for ianawww.vip.icann.org.
ianawww.vip.icann.org has address 192.0.32.8
validation failure <www.iana.org. A IN>: no keys have a DS with algorithm RSASHA1-NSEC3-SHA1 from 2001:500:8f::53 for key icann.org. while building chain of trust

Full "-ddd" verbosity output is attached.
Thanks!
(attachments)
unbound-host.txt (288 KB)

Robert Edmonds via Unbound-users:
> validation failure <www.iana.org. A IN>: no keys have a DS with algorithm RSASHA1-NSEC3-SHA1 from 2001:500:8f::53 for key icann.org. while building chain of trust

Robert,
Did you compile unbound with "--disable-sha1"?
See https://unbound.net/pipermail/unbound-users/2017-April/004747.html
Anyway, www.iana.org works fine here:

$ dig www.iana.org
; <<>> DiG 9.10.3-P4-Debian <<>> www.iana.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33171
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.iana.org. IN A
;; ANSWER SECTION:
www.iana.org. 2725 IN CNAME ianawww.vip.icann.org.
ianawww.vip.icann.org. 30 IN A 192.0.32.8
;; Query time: 260 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Oct 30 13:57:34 CET 2017
;; MSG SIZE rcvd: 89

Robert Edmonds via Unbound-users:
> I'm unable to resolve www.iana.org (aka ianawww.vip.icann.org) with
> Unbound 1.6.7. Is this a problem with how the zones are signed, or is
> Unbound being too strict?

Just noticed, your question is 8 days old ...
There was a problem with iana.org on 2017-10-24
-> http://dnsviz.net/d/www.iana.org/We-zyg/dnssec/
but that's fixed now
-> http://dnsviz.net/d/www.iana.org/dnssec/
Andreas