Description of problem:
Doesn't validate repos.fedorapeople.org

Version-Release number of selected component (if applicable):
unbound-1.4.21-3.fc20.x86_64
That does not seem to exist, so why do you think it should validate?

$ dig any repos.fedoraproject.org @ns-sb01.fedoraproject.org.

; <<>> DiG 9.9.3-rl.13207.22-P2-RedHat-9.9.3-15.P2.fc19 <<>> any repos.fedoraproject.org @ns-sb01.fedoraproject.org.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 31450
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;repos.fedoraproject.org. IN ANY

;; AUTHORITY SECTION:
fedoraproject.org. 300 IN SOA ns04.fedoraproject.org. hostmaster.fedoraproject.org. 1110035712 3600 600 2419200 86400

;; Query time: 50 msec
;; SERVER: 69.174.247.243#53(69.174.247.243)
;; WHEN: Fri May 09 11:21:14 EDT 2014
;; MSG SIZE rcvd: 104
ohh. people..... you are most likely behind a broken bind forwarder with the cname/wildcard DNSSEC bug. you can check with

sudo unbound-control list_forwards
See rhbz#id=824219
we now have some records we can use to test for this scenario in dnssec-trigger

*._probe.us.com IN CNAME fedoraproject.org.
*._probe.uk.com IN CNAME fedoraproject.org.
*._probe.kr.com IN CNAME fedoraproject.org.
*._probe.uk.net IN CNAME fedoraproject.org.

Next is to extend the dnssec-triggerd dnssec tests to test for this bug
Related to https://bugzilla.redhat.com/show_bug.cgi?id=824219 ?
*** This bug has been marked as a duplicate of bug 824219 ***