[Unbound-users] bug ? atleast a difference in behaviour

Leen Besselink leen at consolejunkie.net
Sun Sep 6 18:55:42 UTC 2009

Jaap Akkerhuis wrote:
>     So powerdns-recursor uses the glue and treats it as authoritative
>     data.  Perhaps it has an option to change that and allow
>     "hardening" of the data too (kind of as per
>     draft-wijngaards-dnsext-resolver-side-mitigation-01)
>     Unbound seems to want to verify the glue at the authoritative
>     server. That's why I thought of unbound's harden-referral-path:
>     setting. It's one of the anti-kaminsky measures of not just
>     blindly trusting any using glue you got. Since there is no
>     working authoritative source for titan.net, unbound with
>     harden-referral-path: yes fails to resolve titan.net and therefore
>     insecure.org.
> Note that zonecheck.fr and similar sites apparently don't believe
> the glue either.

I'm not a protocol expert, but why would you not trust the top-level
nameserver if DNSSEC isn't enabled?

