Unbound does not honor forwarder DNSSEC verification?
daisuke.higashi at gmail.com
Tue Mar 1 11:47:47 UTC 2016
Please show us "how to repeat" such as your unbound configuration
or procedure to see the problem...
A possible bug (feature?) concerning the issue is .
In Unbound-1.5.4 and older, "unbound-control forward_add . 126.96.36.199"
adds a forwarder with "forward-first: yes".
It makes Unbound retry recursion by itself if 188.8.131.52 returns SERVFAIL.
2016-03-01 12:12 GMT+09:00 la9k3 via Unbound-users <unbound-users at unbound.net>:
> Hi, I have been looking online for some time trying to fix this problem, hopefully
> this is the right last resort place.
> Is there a way to make unbound honor my forwarder's dnssec validation?
> For example, I use unbound as a caching forwarder and have "." set as a
> forwarding zone that forwards everything to Google's public DNS
> However, when I test dnssec, I get a valid reply from servers such
> as www.dnssec-failed.org. This doesn't happen if I use Google's DNS as
> my normal resolver, in which case I get a SERVFAIL response.
> Is this possible? I have trouble understanding why unbound would give a
> valid reply, whereas the forwarder server, when queried directly, returns a SERVFAIL
> empty answer.
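
The behaviour discussed in this thread can be checked for in a static configuration. The following is an added example, not code from the thread or from the Unbound project: it reads an unbound.conf and reports forward zones where "forward-first: yes" is set while the server has no local DNSSEC validation (no validator module or no trust anchor), which is the case where a forwarder's SERVFAIL is retried by local recursion and answered without validation. The sample configuration and its addresses are constructed placeholders, and the parser assumes the plain "key: value" layout with no include: files.

```python
# Constructed sample unbound.conf; addresses are documentation placeholders.
SAMPLE_CONF = '''
server:
    interface: 127.0.0.1
    module-config: "iterator"

forward-zone:
    name: "."
    forward-addr: 192.0.2.53
    forward-first: yes

forward-zone:
    name: "example.internal."
    forward-addr: 192.0.2.54
'''

# Options that give the validator a trust anchor to validate against.
ANCHOR_KEYS = {"trust-anchor", "trust-anchor-file",
               "auto-trust-anchor-file", "trusted-keys-file"}

def parse_clauses(text):
    """Split unbound.conf text into (clause_name, {key: [values]}) pairs."""
    clauses = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip().strip('"')
        if not value:                  # "server:" / "forward-zone:" opens a clause
            clauses.append((key, {}))
        elif clauses:
            clauses[-1][1].setdefault(key, []).append(value)
    return clauses

def audit(text):
    """Return names of forward zones whose SERVFAIL fallback is unvalidated."""
    clauses = parse_clauses(text)
    server = {}
    for name, opts in clauses:
        if name == "server":
            server.update(opts)
    # Unbound's default module-config is "validator iterator".
    modules = server.get("module-config", ["validator iterator"])[-1].split()
    validates = "validator" in modules and any(k in server for k in ANCHOR_KEYS)
    return [opts.get("name", ["?"])[-1] for name, opts in clauses
            if name == "forward-zone"
            and opts.get("forward-first", ["no"])[-1] == "yes"  # default is no
            and not validates]
```

Forwarders added at runtime with unbound-control forward_add do not appear in the configuration file, so this check covers only what is written in unbound.conf.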