[Unbound-users] bogus resolution with forwarding and DLV
Tony Finch
dot at dotat.at
Wed Feb 4 11:23:23 UTC 2015
Jan Včelák <jan.vcelak at nic.cz> wrote:
>
> After inspecting responses from BIND and Unbound, I believe this is
> caused by BIND adding a NS RRs without a RRSIG added into the authority
> section of the answer.
> I don't know why BIND is adding the NS into the answer. But I think this
> is really a problem of BIND, as per
> http://tools.ietf.org/html/rfc4035#section-3.1.1:
>
> > o When placing a signed RRset in the Authority section, the name
> > server MUST also place its RRSIG RRs in the Authority section.
> > The RRSIG RRs have a higher priority for inclusion than any other
> > RRsets that may have to be included. If space does not permit
> > inclusion of these RRSIG RRs, the name server MUST set the TC bit.

I think you are right it is a bug in BIND. I also think Unbound should
discard the incomplete RRset rather than failing to return a response.

It looks like the bug in BIND is due to a combination of an unsigned NS
RRset that came from a referral, and validation turned off. I can't
reproduce the bug with my validating resolvers with a normal query but it
does occur if I set the CD bit.

Are you going to send this in to bind9-bugs at isc.org or would you like me
to do it?

Tony.
--
f.anthony.n.finch <dot at dotat.at> http://dotat.at/
Viking, North Utsire: Northerly 5 or 6, decreasing 4, backing southwesterly 4
or 5 later. Rough, becoming moderate. Wintry showers, rain later. Mainly good.
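
As an added example (not part of the original message, nor code from BIND or Unbound), the following Python check applies the RFC 4035 section 3.1.1 rule quoted above to a response in dig's presentation format: it lists each RRset in the Authority section that has no covering RRSIG in the same section. The sample response, its names and its signature data are constructed; the check cannot tell whether an RRset is signed in its zone (an NS RRset from a referral is legitimately unsigned), so a hit is a prompt to inspect the response, not proof of a violation.

```python
import re
from collections import defaultdict

# Constructed sample in dig's presentation format; names, TTLs, key tag and
# signature data are made up for illustration.
SAMPLE = """\
;; ANSWER SECTION:
www.example.org.  300 IN A     192.0.2.10
www.example.org.  300 IN RRSIG A 8 3 300 20150301000000 20150201000000 12345 example.org. c2ln

;; AUTHORITY SECTION:
example.org.      300 IN NS    ns1.example.org.
example.org.      300 IN NS    ns2.example.org.
"""


def parse_sections(dig_text):
    """Map section name -> list of (owner, rrtype, rdata_fields)."""
    sections, current = defaultdict(list), None
    for line in dig_text.splitlines():
        header = re.match(r";; (\w+) SECTION:", line)
        if header:
            current = header.group(1)
            continue
        fields = line.split()
        # Skip comments, blank lines and anything too short to be a record.
        if current is None or line.startswith(";") or len(fields) < 5:
            continue
        owner, _ttl, _cls, rrtype = fields[:4]
        sections[current].append((owner.lower(), rrtype.upper(), fields[4:]))
    return sections


def uncovered_rrsets(dig_text, section="AUTHORITY"):
    """Return sorted (owner, type) RRsets with no covering RRSIG in the section."""
    records = parse_sections(dig_text)[section]
    # The first RDATA field of an RRSIG is the type it covers.
    covered = {(o, rd[0].upper()) for o, t, rd in records if t == "RRSIG"}
    present = {(o, t) for o, t, _ in records if t != "RRSIG"}
    return sorted(present - covered)


if __name__ == "__main__":
    for owner, rrtype in uncovered_rrsets(SAMPLE):
        print(f"Authority RRset {owner} {rrtype} has no covering RRSIG")
```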