[Unbound-users] bogus resolution with forwarding and DLV

Tony Finch dot at dotat.at
Wed Feb 4 11:23:23 UTC 2015

Jan Včelák <jan.vcelak at nic.cz> wrote:
> After inspecting responses from BIND and Unbound, I belive this is
> caused by BIND adding a NS RRs without a RRSIG added into the authority
> section of the answer.

> I don't know why BIND is adding the NS into the answer. But I think this
> is really a problem of BIND, as per
> http://tools.ietf.org/html/rfc4035#section-3.1.1:
> >    o  When placing a signed RRset in the Authority section, the name
> >       server MUST also place its RRSIG RRs in the Authority section.
> >       The RRSIG RRs have a higher priority for inclusion than any other
> >       RRsets that may have to be included.  If space does not permit
> >       inclusion of these RRSIG RRs, the name server MUST set the TC bit.

I think you are right it is a bug in BIND. I also think Unbound should
discard the incomplete RRset rather than failing to return a response.

It looks like the bug in BIND is due to a combination of an unsigned NS
RRset that came from a referral, and validation turned off. I can't
reproduce the bug with my validating resolvers with a normal query but it
does occur if I set the CD bit.

Are you going to send this in to bind9-bugs at isc.org or would you like me
to do it?

f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
Viking, North Utsire: Northerly 5 or 6, decreasing 4, backing southwesterly 4
or 5 later. Rough, becoming moderate. Wintry showers, rain later. Mainly good.

More information about the Unbound-users mailing list