[Unbound-users] testing validation failure
Taylor R Campbell
campbell+unbound at mumble.net
Wed Mar 17 18:36:38 UTC 2010
I am trying to make Unbound act as a recursive resolver that answers
with and caches secure and insecure data, but not bogus data, using
the IANA ITAR trust anchors. In particular, I want replies with the
AD bit clear to mean that the relevant data are insecure, and I want
the resolver to return an error when all it can find is bogus data.
However, my attempts so far have been met with failure, so I assume I
must be doing something wrong, and I should like to know how to do it
I installed Unbound 1.4.2 (on a 32-bit machine not running Mac OS X or
Solaris, so I haven't upgraded to 1.4.3) and ran it with the following
access-control: 0.0.0.0/0 allow
access-control: ::0/0 allow
named.cache is from <ftp://ftp.internic.net/domain/named.cache>, as of
anchors.mf is from <https://itar.iana.org/anchors/anchors.mf>, as of
Both files are in /var/chroot/unbound. unbound-checkconf is happy
with my configuration file.
When I query Unbound for badsign-a.test.dnssec-tools.org's A record,
it happily hands back an A record, even though the authoritative
nameserver gives a bad signature:
% dig @localhost. badsign-A.test.dnssec-tools.org. a
;; ANSWER SECTION:
badsign-A.test.dnssec-tools.org. 86400 IN A 18.104.22.168
% drill @localhost. badsign-A.test.dnssec-tools.org. a
;; ANSWER SECTION:
badsign-A.test.dnssec-tools.org. 86386 IN A 22.214.171.124
I want Unbound to give an error in this case, not simply an answer
with the AD bit clear.
If I replace
then I get back SERVFAIL as I expected. dlv.isc.org.key is from
<http://ftp.isc.org/www/dlv/dlv.isc.org.key>, as of 2010-03-10, and is
also stored in /var/chroot/unbound.
Let me know if you would like to see log messages, or any other
information about my configuration or tests.
More information about the Unbound-users