<div dir="ltr">It's not broken in unbound. He was using the ODVR unbound instance in his examples, which I also tested against. And I have some unbound based systems at work.<div><br></div><div><a href="https://www.dns-oarc.net/oarc/services/odvr">https://www.dns-oarc.net/oarc/services/odvr</a> </div><div><br></div><div>As I and others illustrated in the <a href="http://dnsviz.net">dnsviz.net</a> results, <a href="http://www.salliemae.com">www.salliemae.com</a> validates properly as a secure alias pointing to a secure target. The A records for <a href="http://salliemae.com">salliemae.com</a> also validate properly. Other records and responses *are* broken. As others have mentioned I'm also curious how they managed to break portions of their zone in such an odd way. But the issue resolving an A record for <a href="http://salliemae.com">salliemae.com</a> and for <a href="http://www.salliemae.com">www.salliemae.com</a> in your deployment of unbound indicates something else is also at play that appears specific to your recursive nameserver deployment, not to unbound generally for at least the A records for those two specific names. Those should validate properly and return results, not a SERVFAIL. And they do everywhere I can check. So that indicates a different issue for that portion of your results.<br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, Aug 8, 2019 at 1:34 PM Robert Blayzor <<a href="mailto:rblayzor.bulk@inoc.net">rblayzor.bulk@inoc.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On 8/8/19 2:07 PM, Joe Abley wrote:<br>
> I get a response with a signature:<br>
> <br>
> [anchovy:~]% dig @<a href="http://184.105.193.74" rel="noreferrer" target="_blank">184.105.193.74</a> <a href="http://salliemae.com" rel="noreferrer" target="_blank">salliemae.com</a> IN A +dnssec +multiline<br>
<br>
<br>
I think it was more my point is that their NS records and SOA records<br>
return a bad signature and hence SERVFAIL.<br>
<br>
I would probably expect that to cause all kinds of other problems;<br>
perhaps that's the reason why it's broken in unbound.<br>
<br>
This is the only domain I'm having a problem with unbound<br>
resolving. Like I said, in unbound I'm sometimes getting a timeout and<br>
other times just getting a SERVFAIL.<br>
<br>
<br>
-- <br>
<a href="http://inoc.net" rel="noreferrer" target="_blank">inoc.net</a>!rblayzor<br>
XMPP: <a href="http://rblayzor.AT.inoc.net" rel="noreferrer" target="_blank">rblayzor.AT.inoc.net</a><br>
PGP: <a href="https://pgp.inoc.net/rblayzor/" rel="noreferrer" target="_blank">https://pgp.inoc.net/rblayzor/</a><br>
<br>
_______________________________________________<br>
dns-operations mailing list<br>
<a href="mailto:dns-operations@lists.dns-oarc.net" target="_blank">dns-operations@lists.dns-oarc.net</a><br>
<a href="https://lists.dns-oarc.net/mailman/listinfo/dns-operations" rel="noreferrer" target="_blank">https://lists.dns-oarc.net/mailman/listinfo/dns-operations</a><br>
</blockquote></div>
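An added example, not code from either poster, of the per-record check this thread does by hand with `dig +dnssec`: it sends A, NS and SOA queries with the DO bit to each resolver given on the command line (the default 127.0.0.1 is only an assumption for a local unbound instance) and reports, per record type, whether the resolver returned a validated answer (AD set), an unvalidated one, SERVFAIL, or nothing, so a local deployment can be compared side by side with another validating resolver such as ODVR.

```python
import random
import socket
import struct
import sys

QTYPES = {'A': 1, 'NS': 2, 'SOA': 6}   # the record types discussed in the thread

def build_query(name, qtype, qid=None):
    """Build a DNS query with RD set and an EDNS(0) OPT record carrying the DO bit,
    the same thing `dig +dnssec` sends, so a validating resolver returns RRSIGs and AD."""
    qid = random.randrange(65536) if qid is None else qid
    header = struct.pack('!HHHHHH', qid, 0x0100, 1, 0, 0, 1)  # flags=RD, 1 question, 1 additional
    labels = name.rstrip('.').split('.')
    qname = b''.join(bytes([len(l)]) + l.encode('ascii') for l in labels) + b'\x00'
    question = qname + struct.pack('!HH', qtype, 1)           # class IN
    # OPT RR: root name, type 41, UDP payload 4096, ext-rcode 0, version 0, flags DO (0x8000), rdlen 0
    opt = b'\x00' + struct.pack('!HHBBHH', 41, 4096, 0, 0, 0x8000, 0)
    return header + question + opt

def classify(response):
    """Map a raw response (or None for a timeout) to what the resolver concluded."""
    if response is None or len(response) < 12:
        return 'timeout'
    _, flags, *_ = struct.unpack('!HHHHHH', response[:12])
    rcode = flags & 0x000F
    if rcode == 2:
        return 'servfail'   # validating resolver rejected the data (bogus) or could not fetch it
    if rcode != 0:
        return 'rcode%d' % rcode
    return 'secure' if flags & 0x0020 else 'insecure'   # AD bit = answer was validated

def query(resolver, name, qtype, timeout=3.0):
    """Send one UDP query; return the raw response, or None on timeout or ID mismatch."""
    q = build_query(name, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (resolver, 53))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    return data if data[:2] == q[:2] else None

def compare(resolvers, name, types=('A', 'NS', 'SOA')):
    """Return {resolver: {type: outcome}} so a local unbound can be set beside ODVR for one name."""
    return {r: {t: classify(query(r, name, QTYPES[t])) for t in types} for r in resolvers}

if __name__ == '__main__':
    # Resolver addresses come from argv; 127.0.0.1 is an assumed local instance, not a value from the thread.
    for resolver, outcome in compare(sys.argv[1:] or ['127.0.0.1'], 'salliemae.com').items():
        print(resolver, outcome)
```

Run it as `python3 check.py <resolver-ip> [<resolver-ip> ...]`; a validating resolver that agrees with the thread shows A as `secure` and NS/SOA as `servfail`, while `timeout` or `servfail` on A points at the local deployment rather than the zone.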