[Unbound-users] dnssec stripping not resulting in serv fail?
W.C.A. Wijngaards
wouter at NLnetLabs.nl
Fri Jan 7 18:11:18 UTC 2011
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi Paul,
On 01/07/2011 05:53 PM, Paul Wouters wrote:
>
> Hi,
>
> I was recently at the SFO airport, and ran into a DNS server on their free
> wifi that does DNSSEC stripping. Or at least, it knows about dnssec related
> RRTYPEs (DNSKEY, etc) but does not serve RRSIGs when requesting dnssec
> with the DO bit.
It should servfail.
> In my case, I had unbound running and configured it to use the dhcp
> supplied forwarder using: unbound-control forward 1.2.3.4
But that statement leaves the cache intact, where a previously validated
(at home or the office) RR may reside.
> It was just primed with the root key. There is a trust path from the
> root all the way down to xelerance.org. However, unbound gave me the IP
> without me specifying the CD bit. It logged:
>
> unbound: [23014:0] info: incoming scrubbed packet: ;;
If you start logging it should log lots more than that. If you get
there again, it could be helpful to clear the cache and then try with
logging enabled.
I think you had a valid entry in the cache that was returned without
actually sending queries at SFO.
Best regards,
Wouter
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.15 (GNU/Linux)
Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org/
iEYEARECAAYFAk0nV0UACgkQkDLqNwOhpPi3vQCdF2Igbd20iF6a5uMbQpke4Yp2
F/EAoJNqzC2q+t+j6/2IBx7CunY8/dux
=ZdQB
-----END PGP SIGNATURE-----
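The diagnostic the reply suggests, written out as an added shell example (not code from the thread or from the Unbound project): flush the cache before pointing unbound at the new forwarder, raise logging, query with the DO bit, and classify what comes back. It assumes a local unbound with remote-control enabled; the forwarder address, the `classify_dig_output` and `diagnose_forwarder` function names and the sample dig outputs are all constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the thread or from Unbound itself.
# Reproduces the check suggested in the reply: drop the cache before pointing
# unbound at a new forwarder (a cached, already-validated answer would otherwise
# hide a stripping forwarder), raise logging, query with the DO bit, and look at
# what comes back.  Assumes a local unbound with remote-control enabled; the
# forwarder address and the sample dig outputs below are constructed.

# Classify the text of one `dig +dnssec` run.  Prints one of:
#   servfail   - the validator refused to return an unvalidated answer
#   validated  - AD flag set and RRSIGs present
#   stripped   - answer records present, DO was set, but no RRSIG and no AD:
#                the upstream answered but dropped the signatures
#   unknown    - anything else (e.g. NXDOMAIN, empty answer)
classify_dig_output() {
    out="$1"
    if printf '%s\n' "$out" | grep -q 'status: SERVFAIL'; then
        echo servfail
        return 0
    fi
    has_ad=0
    has_rrsig=0
    printf '%s\n' "$out" | grep -Eq ';; flags:[^;]* ad( |;)' && has_ad=1
    printf '%s\n' "$out" | grep -Eq '[[:space:]]IN[[:space:]]+RRSIG[[:space:]]' && has_rrsig=1
    if [ "$has_ad" -eq 1 ] && [ "$has_rrsig" -eq 1 ]; then
        echo validated
    elif [ "$has_rrsig" -eq 0 ] && printf '%s\n' "$out" | grep -Eq 'ANSWER: [1-9]'; then
        echo stripped
    else
        echo unknown
    fi
}

# The procedure itself.  Not run at load time, so this file can be sourced
# without touching a live resolver.  The first argument is the DHCP-supplied
# resolver; the default is an RFC 5737 documentation address standing in for it.
diagnose_forwarder() {
    fwd="${1:-192.0.2.1}"
    name="${2:-xelerance.org}"
    unbound-control flush_zone .        # forget every answer cached at home or the office
    unbound-control flush_infra all     # and the per-server EDNS/DNSSEC capability hints
    unbound-control verbosity 3         # log the validation steps, not just scrubbed packets
    unbound-control forward "$fwd"      # now switch to the wifi's resolver
    out=$(dig +dnssec @127.0.0.1 "$name" A)
    classify_dig_output "$out"
}

# Constructed sample dig outputs (trimmed to the lines the classifier reads).
SAMPLE_STRIPPED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
xelerance.org.          3600    IN      A       192.0.2.10'

SAMPLE_VALIDATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
xelerance.org.          3600    IN      A       192.0.2.10
xelerance.org.          3600    IN      RRSIG   A 8 2 3600 20110201000000 20110101000000 12345 xelerance.org. c29tZXNpZw=='

SAMPLE_SERVFAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4244
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

# Run the classifier over the constructed samples: stripped, validated, servfail.
for s in "$SAMPLE_STRIPPED" "$SAMPLE_VALIDATED" "$SAMPLE_SERVFAIL"; do
    classify_dig_output "$s"
done
```

The "stripped" verdict is the one the original post describes: records come back with DO set but without RRSIGs, and a validating resolver with an empty cache should turn that into SERVFAIL rather than an answer. `diagnose_forwarder` flushes the cache first precisely so that an answer validated earlier at home or the office cannot be the one returned.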