[nsd-users] wildcard+ANY validation issue between NSD and Unbound

Miek Gieben miek at miek.nl
Fri Feb 24 16:53:11 UTC 2012


[ Quoting <wouter at NLnetLabs.nl> at 17:19 on Feb 24 in "Re: [nsd-users] wild..." ]
> > That would indeed be a nice thing to do if you are an auth. server.
> > But such a rule still doesn't help a resolver hitting a cache
> > (which, for whatever reason, just doesn't have the RRSIG).
> 
> Unbound does validate RRSIGs on data from ANY queries.  Because the
> reasoning is that it has to protect its downstream client from bogus
> data.  And the downstream client may be old (i.e. do ANY queries for
> mail and no DNSSEC) and need to be given SERVFAIL.  Thus, it validates
> the data.  It does not check if the data is complete (i.e. with the
> NSEC) because it may indeed be partial from the cache.
> 
> It also validates data where someone does a +norec query to unbound
> and it's not in cache and thus a cache-referral is returned.  This data
> is then also validated (the 'proof' consists of checking the signatures).

But what if an RRSIG expires from the cache and then you get an ANY
query? Unbound is then forced to give out an incomplete answer.

> Unbound takes the same view to additional section RRs.  Those are not
> really required always and to be validated, but to protect the client
> from bogus data it will verify the RRsets there.  If some are bogus, but
> the message can be made secure by simply removing it, then the
> additional RRset is removed (this means, an RRSIG that does not fit at
> the end does not make the message bogus).

That's interesting to read and a real nice way of dealing with the
additional section and DNSSEC.

grtz Miek
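The validation policy described in this thread (answer RRsets must all verify or the client gets SERVFAIL, additional RRsets that fail are stripped rather than making the message bogus, a stray trailing RRSIG is dropped, completeness is not checked), modelled as an added Python example that is not Unbound's own code. The trusted key-tag set, the timestamps and the names `verify`/`validate_response` are constructed for the illustration; `verify` only checks the key tag and the signature's validity window, standing in for the cryptographic check a real validator performs.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class RRSIG:
    key_tag: int
    inception: int   # seconds since epoch
    expiration: int

@dataclass(frozen=True)
class RRset:
    name: str
    rtype: str
    section: str               # "answer" or "additional"
    rrsig: Optional[RRSIG] = None   # None models an RRSIG missing (e.g. expired from cache)

TRUSTED_KEY_TAGS = {12345}  # constructed: keys the validator has a trust chain to

def verify(rrset: RRset, now: int) -> bool:
    """Signature acceptable: present, from a trusted key, inside its validity window.
    Stands in for the real cryptographic verification (assumption of this model)."""
    sig = rrset.rrsig
    return (sig is not None and sig.key_tag in TRUSTED_KEY_TAGS
            and sig.inception <= now <= sig.expiration)

def validate_response(rrsets: List[RRset], now: int) -> Tuple[str, List[RRset]]:
    """Apply the policy from the thread and return (status, RRsets kept).
    Any answer RRset that fails verification makes the whole message bogus
    (the client would get SERVFAIL). An additional RRset that fails is simply
    removed so the remainder can still be marked secure; a stray RRSIG record
    with no RRset to cover falls under the same rule. No completeness check
    (NSEC for an ANY answer) is done, since cached data may be partial."""
    kept = []
    for rr in rrsets:
        if verify(rr, now):
            kept.append(rr)
        elif rr.section == "answer":
            return "bogus", []
        # additional-section RRset that does not verify: dropped, not fatal
    return "secure", kept

def demo() -> Tuple[str, List[RRset]]:
    """Constructed ANY-style response: a valid MX answer plus an additional A
    RRset whose RRSIG has expired, as in the cache scenario raised above."""
    now = 1330102391  # constructed: Feb 24 2012
    good = RRSIG(12345, now - 3600, now + 3600)
    expired = RRSIG(12345, now - 7200, now - 3600)
    answer = RRset("example.nl", "MX", "answer", good)
    extra = RRset("mail.example.nl", "A", "additional", expired)
    return validate_response([answer, extra], now)
```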