[Unbound-users] dnssec stripping not resulting in serv fail?
Paul Wouters
paul at xelerance.com
Sat Jan 8 22:06:45 UTC 2011
On Fri, 7 Jan 2011, W.C.A. Wijngaards wrote:
>> I was recently at the SFO airport, and ran into a DNS server on their free
>> wifi that does DNSSEC stripping. Or at least, it knows about DNSSEC-related
>> RRTYPEs (DNSKEY, etc.) but does not serve RRSIGs when requesting DNSSEC with
>> the DO bit.
>
> It should servfail.
It did not.
>> In my case, I had unbound running and configured it to use the DHCP-supplied
>> forwarder using: unbound-control forward 1.2.3.4
>
> But that statement leaves the cache intact, where a previously validated
> (at home or the office) RR may reside.
I always restarted unbound fully.
> If you start logging it should log lots more than that. If you get
> there again, it could be helpful to clear the cache and then try with
> logging enabled.
I did capture the logs, mailed to you offlist.
> I think you had a valid entry in the cache, that was returned, without
> actually sending queries at SFO.
I don't think so. For each test I ran a "service unbound restart", and
since resolv.conf was not configured to use 127.0.0.1, nothing could
have used unbound until I started sending it queries for xelerance.org
after I ran the unbound-control forward statement.
Paul
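The behaviour discussed above (a forwarder that answers DO queries but leaves the RRSIGs out) can be checked directly against the DHCP-supplied resolver, without going through unbound and its cache. The following is an added example written for this page, not code from the Unbound project or from the thread: it builds a DNS query with the EDNS0 DO bit set using only the Python standard library, parses the reply, and labels it "signed" (answer plus RRSIG), "stripped" (answer without RRSIG) or "servfail". xelerance.org is used only because it is the name queried in the thread; the three sample replies and the RRSIG rdata are constructed placeholders, not captured traffic, and the server address in the usage comment is the placeholder from the thread.

```python
"""Probe whether an upstream resolver strips DNSSEC data from DO queries.

Added example; not Unbound code. For a zone that is known to be signed, an
answer to a DO query that carries the requested type but no RRSIG means the
resolver in the path is dropping DNSSEC data. Sample replies are constructed.
"""
import socket
import struct

TYPE_A, TYPE_OPT, TYPE_RRSIG = 1, 41, 46
EDNS_DO = 0x8000          # DO bit: high bit of the flags half of the OPT TTL field
RCODE_SERVFAIL = 2

def encode_name(name):
    """Wire-format a dotted name: length-prefixed labels plus root terminator."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_do_query(qname, qtype=TYPE_A, txid=0x1234):
    """Recursive query for qname/qtype with an OPT RR requesting DNSSEC (DO=1)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)   # RD set; 1 question, 1 additional
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, EDNS_DO, 0)  # root name, 4096-byte UDP size
    return header + question + opt

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name starting at off."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:       # compression pointer: two bytes, ends the name
            return off + 2
        if length == 0:
            return off + 1
        off += 1 + length

def parse_message(msg):
    """Parse the header and all resource records; rdata is kept raw."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4           # skip QTYPE and QCLASS
    records = []
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            off = skip_name(msg, off)
            rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            records.append((section, rtype, ttl, msg[off:off + rdlen]))
            off += rdlen
    do = any(s == "additional" and t == TYPE_OPT and ttl & EDNS_DO for s, t, ttl, _ in records)
    return {"txid": txid, "rcode": flags & 0x000F, "ad": bool(flags & 0x0020), "do": do, "records": records}

def classify_response(msg, qtype=TYPE_A):
    """Label a reply to a DO query: 'servfail', 'signed', 'stripped' or 'other'."""
    parsed = parse_message(msg)
    if parsed["rcode"] == RCODE_SERVFAIL:
        return "servfail"
    answer_types = {t for s, t, _, _ in parsed["records"] if s == "answer"}
    if qtype in answer_types and TYPE_RRSIG in answer_types:
        return "signed"
    if qtype in answer_types:
        # Data came back but the signatures did not. For a zone known to be
        # signed, this is the stripping behaviour described in the thread.
        return "stripped"
    return "other"

def probe(server, qname, qtype=TYPE_A, timeout=3.0):
    """Send the DO query to a resolver over UDP and classify the reply (needs network)."""
    query = build_do_query(qname, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        reply, _ = sock.recvfrom(4096)
    if reply[:2] != query[:2]:
        raise ValueError("transaction id mismatch")
    return classify_response(reply, qtype)

# --- constructed sample replies (placeholders, not captured traffic) ----------
def build_reply(txid, qname, qtype, rrsets, rcode=0):
    flags = 0x8180 | rcode                        # QR, RD, RA
    msg = struct.pack("!HHHHHH", txid, flags, 1, len(rrsets), 0, 0)
    msg += encode_name(qname) + struct.pack("!HH", qtype, 1)
    for rtype, rdata in rrsets:
        msg += b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata  # owner = pointer to question name
    return msg

A_RDATA = bytes([192, 0, 2, 1])                   # TEST-NET address, placeholder
RRSIG_RDATA = b"\x00\x01\x08\x02" + b"\x00" * 14 + encode_name("xelerance.org") + b"\x00" * 16  # placeholder, not a real signature
SIGNED_REPLY = build_reply(0x1234, "xelerance.org", TYPE_A, [(TYPE_A, A_RDATA), (TYPE_RRSIG, RRSIG_RDATA)])
STRIPPED_REPLY = build_reply(0x1234, "xelerance.org", TYPE_A, [(TYPE_A, A_RDATA)])
SERVFAIL_REPLY = build_reply(0x1234, "xelerance.org", TYPE_A, [], rcode=RCODE_SERVFAIL)

if __name__ == "__main__":
    for label, reply in (("signed", SIGNED_REPLY), ("stripped", STRIPPED_REPLY), ("servfail", SERVFAIL_REPLY)):
        print(label, "->", classify_response(reply))
    # Against a live forwarder, e.g. the one handed out by DHCP (placeholder address from the thread):
    # print(probe("1.2.3.4", "xelerance.org"))
```

Because the probe talks to the forwarder directly, there is no local validated cache that could mask the result, which is the ambiguity raised in the thread about testing through unbound after `unbound-control forward`. A "stripped" verdict is only meaningful for a zone you know to be signed; an unsigned zone legitimately answers a DO query without RRSIGs.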