[Dnssec-trigger] Feature creep :) was Re: [Dnssec-deployment] Fetching the RRSIGs can be a problem too. (fwd)
W.C.A. Wijngaards
wouter at NLnetLabs.nl
Mon Nov 28 14:42:18 UTC 2011
Hi Paul,
Such caches set the RA flag on the reply. Unbound has a fallback
already built in where it sees the RA flag and retries with +RD. It also
dislikes the result immensely, and will only try it as a last resort.
Sometimes people deploy a recursor instead of authoritative slave and
this happens on the normal internet.
Dnssec-trigger in the last version notices the transparent proxy and
stops lookups (entirely!) via the transparent proxy. It does not attempt
a +RD retry via the transparent proxy, which is complicated I think,
because I am not sure how to make it work once detected: would
forward-zone: "." and a root-server forward-addr work, i.e. pretend the
root server is a cache and let the transparent proxy cache via that address?
Best regards,
Wouter
On 11/15/2011 06:52 AM, Paul Wouters wrote:
>
> Should unbound and dnssec-trigger be extended to look at this?
>
> As Paul Vixie said before "Clear path DNS is not engineering - it is
> information warfare"
>
> Paul
>
> ---------- Forwarded message ----------
> Date: Fri, 2 Sep 2011 03:32:09
> From: Paul Vixie <vixie at isc.org>
> To: dnssec-deployment at dnssec-deployment.org
> Subject: Re: [Dnssec-deployment] Fetching the RRSIGs can be a problem too.
>
>> From: Mark Andrews <marka at isc.org>
>> Date: Fri, 02 Sep 2011 10:13:48 +1000
>>
>> Just the other day I was sitting in a hotel with "transparent"
>> intercepting DNS cache. This was not an issue for DNSSEC validation
>> because it was DNSSEC aware and returned the records which allowed
>> me to validate the responses. The only thing I needed to tweak was
>> to set RD=1 on all queries or else the "transparent" intercepting
>> DNS cache wouldn't recurse for me.
>
> is this RD=1 fallback something we should enshrine in BIND and/or an RFC?
> _______________________________________________
> dnssec-trigger mailing list
> dnssec-trigger at NLnetLabs.nl
> http://open.nlnetlabs.nl/mailman/listinfo/dnssec-trigger
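As an added illustration of the RA-flag heuristic Wouter describes (this is not code from the thread, nor from Unbound or dnssec-trigger): a query is sent with RD=0 as if to an authoritative server; if the reply comes back with RA set, a recursive cache answered instead, and the query is retried with RD=1. All function names and the sample messages are constructed for this sketch.

```python
import struct

# DNS header flag bits (RFC 1035, section 4.1.1)
QR = 0x8000   # reply
AA = 0x0400   # authoritative answer
RD = 0x0100   # recursion desired
RA = 0x0080   # recursion available (set by recursive caches)

def build_query(name, qtype=1, rd=False, txid=0x1234):
    """Build a minimal A query; rd=False mimics an iterative (stub-free) query."""
    header = struct.pack("!HHHHHH", txid, RD if rd else 0, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def parse_header(msg):
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & QR), "aa": bool(flags & AA),
            "rd": bool(flags & RD), "ra": bool(flags & RA),
            "rcode": flags & 0xF, "ancount": an}

def make_reply(query, flags, rcode=0):
    """Constructed reply: same transaction id, echoed question, no answers."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, QR | flags | rcode, 1, 0, 0, 0)
    return header + query[12:]

def classify(query, reply):
    """How should a reply to our RD=0 query be treated?"""
    q, r = parse_header(query), parse_header(reply)
    if r["id"] != q["id"] or not r["qr"]:
        return "ignore"            # not a reply to what we sent
    if not q["rd"] and r["ra"]:
        return "recursive-cache"   # a recursor answered an iterative query
    return "authoritative"

def retry_with_rd(query):
    """Same query bytes with the RD bit set, for the last-resort fallback."""
    flags = struct.unpack("!H", query[2:4])[0]
    return query[:2] + struct.pack("!H", flags | RD) + query[4:]

if __name__ == "__main__":
    q = build_query("example.com.")
    cache = make_reply(q, RA, rcode=5)       # intercepting cache: RA set, REFUSED
    print(classify(q, cache))                # recursive-cache
    print(parse_header(retry_with_rd(q))["rd"])  # True
```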