[Unbound-users] bug ? atleast a difference in behaviour

Leen Besselink leen at consolejunkie.net
Sun Sep 6 23:06:42 UTC 2009

Paul Wouters wrote:
> On Sun, 6 Sep 2009, Leen Besselink wrote:
>> I'm not a protocol expert, but why would you not trust the toplevel
>> nameserver if DNSSEC isn't enabled ?
> The records are "hints". They are published not by the zone owners,
> but by there parents. This is required to void a recursion loop.
> If you need ns1.example.com. to find ns1.example.com. someone else
> will have to tell you. This is what glue records are for.

I know this part.

> Since these are "out of zone" records, they are considered hints.
> It's common sense to verify the information at the proper source.

The problem I see with that is, the proper source is just as
trustworthy as the parent.

Which is: not much, if any, atleast without something like DNSSEC to
verify something.

If we'd be talking about a CNAME that would something else, when we
were talking about "out of zone" records. But the parent-zone ?

If we can't trust the parent-zone a little, we can't trust the child,
because the parent-zone pointed us to it.

> It's like verifying gossip :)
> Paul

Not that I want to argue with a DNS-expert, but I'm just surprised
at the answer.

Ooh, darn I think I know now, it's because it's a different domain,
isn't it ?

titan.net or it's parents, other then the root are in no way related
to nmap.org.

I wonder if Bert considers it a bug in 3.1.7 ?

More information about the Unbound-users mailing list