[Unbound-users] bug ? atleast a difference in behaviour
Leen Besselink
leen at consolejunkie.net
Sun Sep 6 18:55:42 UTC 2009
Jaap Akkerhuis wrote:
> So powerdns-recursor uses the glue and treats it as authoritative
> data. Perhaps it has an option to change that and allow
> "hardening" of the data too (kind of as per
> draft-wijngaards-dnsext-resolver-side-mitigation-01)
>
> Unbound seems to want to verify the glue at the authoritative
> server. That's why I thought of unbound's harden-referral-path:
> setting. It's one of the anti-Kaminsky measures of not just
> blindly trusting any using glue you got. Since there is no
> working authoritative source for titan.net, unbound with
> harden-referral-path: yes fails to resolve titan.net and therefore
> insecure.org.
>
> Note that zonecheck.fr and similar sites apparently don't believe
> the glue either.
>
I'm not a protocol expert, but why would you not trust the top-level
nameserver if DNSSEC isn't enabled?
> jaap
>