[Dnssec-trigger] Using dnssec-trigger when the forwarder lies

Stephane Bortzmeyer bortzmeyer at nic.fr
Mon Jan 2 21:49:31 UTC 2012

[A bit of context: on 30th december 2011, the French governement
published the decree mandating DNS - yes, DNS is explicitely the
technque to use - filtering of online gambling sites. The problem may
also happen with the US project SOPA and many others.]

Today, dnssec-trigger considers the network-supplied name servers as
suitable if they transmit DNSSEC information (EDNS0, RRSIG, NSEC and
NSEC3, etc). It means that lying resolvers may be selected as
forwarders but will raise DNSSEC validation errors for some domains
(the censored ones).

Currently, the only workaround is to disable dnssec-trigger and to use
Unbound without forwarders. Which is bad (no more shared cache) for
the vast majority of domains where the network-supplied name servers
are OK.

I suggest the following algorithm: if DNSSEC validation error *and*
forwarders are in use, disable the forwarders for the current domain.

I assume it will require cooperation from Unbound. Does it seem

More information about the dnssec-trigger mailing list