[Unbound-users] dnssec stripping not resulting in serv fail?
paul at xelerance.com
Sat Jan 8 22:06:45 UTC 2011
On Fri, 7 Jan 2011, W.C.A. Wijngaards wrote:
>> I was recently at the SFO airport, and ran into a DNS server on their free
>> wifi that does DNSSEC stripping. Or at least, it knows about DNSSEC related
>> RRTYPEs (DNSKEY, etc) but does not serve RRSIGs when requesting DNSSEC with
>> the DO bit.
> It should servfail.
It did not.
>> In my case, I had unbound running and configured it to use the dhcp
>> forwarder using: unbound-control forward 22.214.171.124
> But that statement leaves the cache intact, where a previously validated
> (at home or the office) RR may reside.
I always restarted unbound fully.
> If you start logging it should log lots more than that. If you get
> there again, it could be helpful to clear the cache and then try with
> logging enabled.
I did capture the logs, mailed to you offlist.
> I think you had a valid entry in the cache, that was returned, without
> actually sending queries at SFO.
I don't think so. For each test I ran a "service unbound restart", and
since resolv.conf was not configured to use 127.0.0.1, nothing could
have used unbound until I started sending it queries for xelerance.org
after I ran the unbound-control forward statement.
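The stripping pattern described above, as an added example that is not from this thread or from the Unbound project: a small Python check over a DNS wire-format reply that flags a NOERROR answer carrying data but no RRSIG and no AD bit. The replies are constructed inline with placeholder rdata, and the names `rr_types`, `looks_stripped` and `build_response` are chosen here.

```python
import struct

def _name(s):  # dotted name -> uncompressed wire labels ("" is the root)
    return b"".join(bytes([len(lab)]) + lab.encode() for lab in (s.split(".") if s else [])) + b"\x00"

def _rr(name, rtype, rdata, ttl=300, rclass=1):  # one resource record
    return _name(name) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata

def _skip_name(buf, off):  # step over a possibly compressed owner name
    while True:
        ln = buf[off]
        if ln == 0:
            return off + 1
        if ln & 0xC0 == 0xC0:  # compression pointer: 2 bytes, name ends here
            return off + 2
        off += 1 + ln

def rr_types(wire):
    """Return (header flags, [RR type of every record after the question])."""
    _ident, flags, qd, an, ns, ar = struct.unpack("!6H", wire[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(wire, off) + 4  # QTYPE + QCLASS
    types = []
    for _ in range(an + ns + ar):
        off = _skip_name(wire, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", wire[off:off + 10])
        off += 10 + rdlen
        types.append(rtype)
    return flags, types

def looks_stripped(wire):
    """True if a DO=1 query for a zone known to be signed came back NOERROR with
    data but no RRSIG (type 46) and no AD bit: the stripping pattern."""
    flags, types = rr_types(wire)
    noerror = (flags & 0x000F) == 0
    ad = bool(flags & 0x0020)
    has_data = any(t not in (41, 46) for t in types)  # ignore OPT and RRSIG
    return noerror and has_data and 46 not in types and not ad

def build_response(rrsig, ad):
    """Constructed reply to 'xelerance.org A' sent with DO; rdata are placeholders."""
    flags = 0x8180 | (0x0020 if ad else 0)  # QR, RD, RA, optionally AD
    answers = _rr("xelerance.org", 1, b"\xc0\x00\x02\x01")  # A, example address
    if rrsig:
        answers += _rr("xelerance.org", 46, b"\x00" * 20)  # RRSIG, dummy rdata
    opt = _rr("", 41, b"", ttl=0x00008000, rclass=4096)  # OPT pseudo-RR, DO bit in TTL
    hdr = struct.pack("!6H", 0x1234, flags, 1, 2 if rrsig else 1, 0, 1)
    return hdr + _name("xelerance.org") + struct.pack("!HH", 1, 1) + answers + opt
```

The check only means something for a zone known to be signed, and it inspects the forwarder's raw reply; a validating resolver such as Unbound, tested with a flushed cache as suggested above, should answer SERVFAIL instead.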