[Dnssec-trigger] [dns-operations] unbound-bind chain causing validation failures on synthesized records

Paul Wouters paul at cypherpunks.ca
Mon Jul 16 14:11:07 UTC 2012


On Mon, 16 Jul 2012, Ondřej Caletka wrote:

> On 10.7.2012 01:49, Paul Wouters wrote:
>> I'm CC:ing the dnssec-trigger list, as it might need to come up with a
>> new probe to detect this.
>
> I would also vote for this kind of detection. I already ran into the
> same issue when testing DNSSEC-trigger. The chaining problem seems fixed
> in BIND 9.9.0 and newer.

I've still seen issues with bind and 9.9.1 when configured with dnssec
but without validation.

> But since there are still so many BINDs 9.7
> running out there, it is not safe to forward your unbound to the
> DHCP-assigned DNS server. And current DNSSEC-trigger does not find out
> that something is wrong.

Though at some point the question would be, what's best? DNSSEC
protected resolving of most domains, or an insecure fallback?

> I created a test page to check your ability to reach synthesised
> names. Feel free to try it:
> http://0skar.cz/dns/en/

Thanks, those are really useful!

Paul
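The probe the thread asks for, as an added illustration that is not code from this thread, from dnssec-trigger or from Unbound: a validating resolver that receives a wildcard-expanded answer needs, besides the RRSIG over the synthesized RRset, the NSEC or NSEC3 records proving that no closer name exists (RFC 4035, section 3.1.3.3); a forwarder that hands back the RRSIG but drops that proof makes the chained validator mark the answer bogus, which is the failure on synthesized records described in the subject. The script below asks a resolver, with the EDNS0 DO bit set, for a name the operator knows is a wildcard expansion in a signed zone and reports whether the reply carries the RRSIG alone, the RRSIG plus the NSEC/NSEC3 proof, or no DNSSEC data at all. It uses only the standard library and a constructed reply builder so the classification logic can be exercised offline. The resolver address and the probe name are assumptions supplied on the command line (the names on the test page above would be candidates; none is hard-coded here), and the verdict strings are this example's own, not dnssec-trigger's.

```python
import os
import socket
import struct

# RR type numbers (IANA DNS parameters registry)
TYPE_A, TYPE_OPT, TYPE_RRSIG, TYPE_NSEC, TYPE_NSEC3 = 1, 41, 46, 47, 50


def encode_name(name):
    """Wire-format an absolute domain name (no compression)."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qtype=TYPE_A, txid=None):
    """Recursive query with an EDNS0 OPT record carrying the DO bit, which asks
    the resolver to include RRSIG/NSEC/NSEC3 data in its reply."""
    txid = os.urandom(2) if txid is None else struct.pack("!H", txid)
    header = txid + struct.pack("!HHHHH", 0x0100, 1, 0, 0, 1)  # RD=1, 1 question, 1 additional
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    # OPT RR: root owner, type 41, UDP payload 4096, ext-rcode 0, version 0, DO flag, rdlen 0
    opt = b"\x00" + struct.pack("!HHBBHH", TYPE_OPT, 4096, 0, 0, 0x8000, 0)
    return header + question + opt


def decode_name(msg, off):
    """Read a name at `off`, following compression pointers.
    Returns (name, offset just past the name as it appears at `off`)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", end if end is not None else off


def parse_response(msg):
    """Return rcode, AD flag and the RR types seen in each section."""
    _txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = decode_name(msg, off)
        off += 4  # qtype + qclass
    sections = {"answer": [], "authority": [], "additional": []}
    for sec, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            _, off = decode_name(msg, off)
            rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10 + rdlen  # rdata content does not matter to the probe
            sections[sec].append(rtype)
    return {"rcode": flags & 0xF, "ad": bool(flags & 0x0020), "sections": sections}


def classify(parsed):
    """Verdict for a reply to a name known to be a wildcard expansion in a signed zone."""
    answer, authority = parsed["sections"]["answer"], parsed["sections"]["authority"]
    if parsed["rcode"] != 0 or TYPE_A not in answer:
        return "no-answer"
    if TYPE_RRSIG not in answer:
        return "no-dnssec"  # the forwarder strips DNSSEC data entirely
    if TYPE_NSEC not in authority and TYPE_NSEC3 not in authority:
        return "missing-wildcard-proof"  # RRSIG present but no closest-encloser proof: validator says bogus
    return "ok"


def build_response(query, answer_types, authority_types, rcode=0):
    """Constructed reply for offline testing (not real resolver output): echoes the
    question and adds dummy RRs whose owner is a pointer to the question name."""
    qname_end = query.index(b"\x00", 12) + 1
    question = query[12:qname_end + 4]

    def rr(rtype):
        return b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, 300, 4) + b"\x00" * 4

    header = query[:2] + struct.pack("!HHHHH", 0x8180 | rcode, 1, len(answer_types), len(authority_types), 0)
    return header + question + b"".join(map(rr, answer_types)) + b"".join(map(rr, authority_types))


def probe(resolver, name, timeout=3.0):
    """Send the probe over UDP to `resolver` and classify the reply."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (resolver, 53))
        reply, _ = s.recvfrom(4096)
    if reply[:2] != query[:2]:
        raise ValueError("transaction id mismatch")
    return classify(parse_response(reply))


if __name__ == "__main__":
    import sys
    # Both arguments are assumptions: the DHCP-assigned resolver, and a name you
    # know is synthesized from a wildcard in a signed zone.
    print(probe(sys.argv[1], sys.argv[2]))
```

Run it as `python probe.py <resolver-ip> <wildcard-name>` against the DHCP-assigned server; "missing-wildcard-proof" is the chain-breaking case the thread is about, and "ok" only means the proof records came back, not that the chain validated (a real check would run the answer through a validator). The script speaks UDP only and does not retry over TCP on a truncated reply, which a production probe would need to do.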
