[Unbound-users] bogus resolution with forwarding and DLV
Jan Včelák
jan.vcelak at nic.cz
Wed Feb 4 12:05:48 UTC 2015
> It looks like the bug in BIND is due to a combination of an unsigned NS
> RRset that came from a referral, and validation turned off. I can't
> reproduce the bug with my validating resolvers with a normal query but it
> does occur if I set the CD bit.
I don't have access to the BIND server, so I don't know exactly how the server
is configured and which patches are applied. I know only what version.bind
TXT/CH reports.
The server performs validation, but DLV seems to be disabled. I get SERVFAIL
for incorrectly signed domains. But the AD flag is cleared for fedorapeople.org.
I have also noticed something else: If I explicitly ask BIND for the NS
records with +dnssec, the server starts putting the missing NS RRSIG into the
subsequent queries for jvcelak.fedorapeople.org.
So if the NS RRSIG is in BIND's cache, then validation via Unbound works.
> Are you going to send this in to bind9-bugs at isc.org or would you like me
> to do it?
I can provide only partial information about the BIND server. So if you managed to
reproduce the problem, I would appreciate it if you could send the report. Feel
free to CC me.
As for Unbound, I believe that evaluating the resolution as bogus is too
strict.
Thanks for helping me to find the problem, everyone.
Best regards.
Jan