[Unbound-users] small bug ?
stephan.lagerholm at secure64.com
Thu Feb 4 15:12:37 UTC 2010
Val-permissive-mode only instructs unbound to return a bogus answer but
not to set the AD-flag (instead of returning servfail). So it will not
disable DNSSEC validation.
I wish I had an unbound to test with where I am right now, but reading
from the manual page you might want to try the module-config option to
turn off DNSSEC validation.
module-config: <"module names">
    Module configuration, a list of module names separated by
    spaces, surround the string with quotes (""). The modules can be
    validator, iterator. Setting this to "iterator" will result in a
    non-validating server. Setting this to "validator iterator" will
    turn on DNSSEC validation. The ordering of the modules is important.
    You must also set trust-anchors for validation to be useful.
Senior DNS Architect, M.Sc., CISSP
Secure64 Software Corporation, www.secure64.com
> -----Original Message-----
> From: unbound-users-bounces at NLnetLabs.nl [mailto:unbound-users-
> bounces at NLnetLabs.nl] On Behalf Of Paul Wouters
> Sent: Thursday, February 04, 2010 3:35 PM
> To: Leen Besselink
> Cc: unbound-users at unbound.net
> Subject: Re: [Unbound-users] small bug ?
> On Thu, 4 Feb 2010, Leen Besselink wrote:
> > And I found out unbound was sending queries with the DO-bit set, but
> > configured to actually validate anything.
> unbound does validation per default. You can disable this using
> however, it will still perform queries with the DO bit, and
> It will just pass the data along anyway (as if the client sent the CD
> > Is there a way to turn this off when needed (for example if I'm
> > unbound on a laptop and am somewhere with a bad firewall) ?
> unbound should recover from those failures (e.g. TCP 53 firewalled, or
> UDP >512 bytes failing) by itself.
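
The distinction made in this message (val-permissive-mode leaves validation on, module-config decides whether the validator runs at all, and trust anchors are needed for validation to be useful) can be checked against a configuration file. The following is an added example, not part of the original thread or of unbound itself; the function names, result labels, sample configurations and key path are constructed, and it assumes the defaults are module-config "validator iterator" and val-permissive-mode "no".

```python
import re

# unbound.conf options that supply a trust anchor.
ANCHOR_OPTS = {"trust-anchor", "trust-anchor-file",
               "auto-trust-anchor-file", "trusted-keys-file"}

def parse_options(conf_text):
    """Collect 'name: value' pairs; skips comments and bare clause
    headers such as 'server:'. Simplification: a repeated option
    keeps its last value, and include: files are not followed."""
    opts = {}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"([a-z0-9-]+):\s*(.+)$", line)
        if m:
            opts[m.group(1)] = m.group(2).strip().strip('"')
    return opts

def validation_posture(conf_text):
    """Classify what the resolver does with DNSSEC (labels are hypothetical)."""
    opts = parse_options(conf_text)
    # Assumed defaults when the option is absent from the file.
    modules = opts.get("module-config", "validator iterator").split()
    permissive = opts.get("val-permissive-mode", "no") == "yes"
    if "validator" not in modules:
        # "iterator" alone: no validation, whatever val-permissive-mode says.
        return "non-validating"
    if "iterator" not in modules or \
            modules.index("validator") > modules.index("iterator"):
        # Differs from the "validator iterator" order the man page documents.
        return "unexpected-module-config"
    if not any(name in opts for name in ANCHOR_OPTS):
        # Validator is loaded but has nothing to validate against.
        return "validator-loaded-no-trust-anchor"
    # Permissive mode still validates; bogus answers are returned without AD.
    return "validating-permissive" if permissive else "validating"

# Constructed sample configurations.
LAPTOP = 'server:\n  module-config: "iterator"\n  val-permissive-mode: yes\n'
PERMISSIVE = ('server:\n  module-config: "validator iterator"\n'
              '  auto-trust-anchor-file: "/var/lib/unbound/root.key"  # constructed path\n'
              '  val-permissive-mode: yes\n')
NO_ANCHOR = 'server:\n  module-config: "validator iterator"\n'

if __name__ == "__main__":
    for name, conf in [("laptop", LAPTOP), ("permissive", PERMISSIVE),
                       ("no-anchor", NO_ANCHOR)]:
        print(name, "->", validation_posture(conf))
```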