[Unbound-users] dnssec stripping not resulting in serv fail?
wouter at NLnetLabs.nl
Fri Jan 7 18:11:18 UTC 2011
On 01/07/2011 05:53 PM, Paul Wouters wrote:
> I was recently at the SFO airport, and ran into a DNS server on their free
> wifi that does DNSSEC stripping. Or at least, it knows about DNSSEC-related
> RRTYPEs (DNSKEY, etc.) but does not serve RRSIGs when requesting DNSSEC with
> the DO bit.
It should servfail.
> In my case, I had unbound running and configured it to use the dhcp
> forwarder using: unbound-control forward 18.104.22.168
But that statement leaves the cache intact, where a previously validated
(at home or the office) RR may reside.
> It was just primed with the root key. There is a trust path from the root
> all the way down to xelerance.org. However, unbound gave me the IP without me
> specifying the CD bit. It logged:
> unbound: [23014:0] info: incoming scrubbed packet: ;;
If you turn on logging, it should log lots more than that. If you get
there again, it could be helpful to clear the cache and then try with
I think you had a valid entry in the cache, that was returned, without
actually sending queries at SFO.
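The procedure Wouter describes, as an added example that is not part of the thread and not Unbound's own tooling: repoint unbound at the portal's forwarder, flush the name so a previously validated RRset in the cache cannot be served, query with the DO bit, and classify what dig returns. It assumes dig and unbound-control on the path and a local unbound on 127.0.0.1; the forwarder address, the name example.org and the three sample dig outputs are constructed for illustration, not real records.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Unbound project.

# classify_dig_output reads `dig +dnssec` output on stdin and prints:
#   servfail  - the resolver refused to answer (what a validating unbound
#               should do behind a forwarder that strips RRSIGs)
#   validated - NOERROR with the AD flag set and RRSIG data present
#   stripped  - NOERROR with answer data but no RRSIG although DO was set
#               (a stripping forwarder, or unbound serving an unvalidated
#               cache entry)
#   other     - anything else (NXDOMAIN, REFUSED, no EDNS, ...)
classify_dig_output() {
    out=$(cat)
    status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\).*/\1/p' | head -n 1)
    flags=$(printf '%s\n' "$out" | sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p' | head -n 1)
    edns=$(printf '%s\n' "$out" | sed -n 's/^; EDNS: .*flags: \([a-z ]*\);.*/\1/p' | head -n 1)
    if [ "$status" = "SERVFAIL" ]; then
        echo servfail
        return 0
    fi
    has_rrsig=0
    if printf '%s\n' "$out" | grep -q '[[:space:]]RRSIG[[:space:]]'; then
        has_rrsig=1
    fi
    has_ad=0
    case " $flags " in *" ad "*) has_ad=1 ;; esac
    has_do=0
    case " $edns " in *" do "*) has_do=1 ;; esac
    if [ "$status" = NOERROR ] && [ $has_ad = 1 ] && [ $has_rrsig = 1 ]; then
        echo validated
    elif [ "$status" = NOERROR ] && [ $has_do = 1 ] && [ $has_rrsig = 0 ]; then
        echo stripped
    else
        echo other
    fi
}

# Live procedure against a running unbound (needs dig and unbound-control).
# `unbound-control forward` by itself leaves the cache intact, so flush the
# name first; otherwise an RRset validated earlier elsewhere may be returned
# without any query ever reaching the suspect forwarder.
live_check() {
    fwd=$1
    name=$2
    unbound-control forward "$fwd" >/dev/null
    unbound-control flush_zone "$name" >/dev/null
    dig @127.0.0.1 +dnssec "$name" A | classify_dig_output
}

# Constructed sample dig output (placeholder values, not real records).
SAMPLE_VALIDATED=$(cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40817
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; ANSWER SECTION:
example.org.   3600  IN  A      192.0.2.10
example.org.   3600  IN  RRSIG  A 8 2 3600 20110201000000 20110101000000 12345 example.org. placeholder==
EOF
)
SAMPLE_STRIPPED=$(cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40818
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; ANSWER SECTION:
example.org.   3600  IN  A      192.0.2.10
EOF
)
SAMPLE_SERVFAIL=$(cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 40819
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
EOF
)

if [ "${LIVE:-0}" = 1 ]; then
    live_check "$1" "$2"
else
    printf 'validated sample: %s\n' "$(printf '%s\n' "$SAMPLE_VALIDATED" | classify_dig_output)"
    printf 'stripped  sample: %s\n' "$(printf '%s\n' "$SAMPLE_STRIPPED" | classify_dig_output)"
    printf 'servfail  sample: %s\n' "$(printf '%s\n' "$SAMPLE_SERVFAIL" | classify_dig_output)"
fi
```

Saved under any name, say dnssec-check.sh, running it with no arguments only classifies the constructed samples; `LIVE=1 sh dnssec-check.sh <forwarder-ip> <name>` performs the real forward, flush and query against the local unbound. A "stripped" result from a validating resolver with the flush done is the case worth investigating; "stripped" without the flush proves nothing, for the reason given in the reply above.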