Unbound does not honor forwarder DNSSEC verification?
daisuke.higashi at gmail.com
Tue Mar 1 12:16:33 UTC 2016
The issue may not be related to bug #681.
Unbound always forwards queries with CD=1 to the forwarder,
so Unbound doesn't honor forwarder DNSSEC verification (I forgot it!).
So if you disabled DNSSEC validation you will get an "insecure" answer.
If you want SERVFAIL for www.dnssec-failed.org you have to enable
2016-03-01 20:47 GMT+09:00 Daisuke HIGASHI <daisuke.higashi at gmail.com>:
> Please show us "how to repeat" such as your unbound configuration
> or procedure to see the problem...
> A possible bug (feature?) concerning the issue is .
> In Unbound-1.5.4 and older, "unbound-control forward_add . 220.127.116.11"
> adds a forwarder with "forward-first: yes".
> It makes Unbound retry recursion by itself if 18.104.22.168 returns SERVFAIL.
>  https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=681
> 2016-03-01 12:12 GMT+09:00 la9k3 via Unbound-users <unbound-users at unbound.net>:
>> Hi, I have been looking online for some time trying to fix this problem, hopefully
>> this is the right last resort place.
>> Is there a way to make unbound honor my forwarder's dnssec validation?
>> For example, I use unbound as a caching forwarder and have "." set as a
>> forwarding zone that forwards everything to Google's public DNS.
>> However, when I test dnssec, I get a valid reply from servers such
>> as www.dnssec-failed.org. This doesn't happen if I use Google's DNS as
>> my normal resolver, in which case I get a SERVFAIL response.
>> Is this possible? I have trouble understanding why unbound would give a
>> valid reply, whereas the forwarder server, when queried directly, returns a SERVFAIL
>> empty answer.
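
The CD (Checking Disabled) header bit named in the reply above, shown as an added example that is not part of the original thread: it builds the query a forwarding resolver would send with CD set, and reads the flags of two responses to tell a rejected answer from unvalidated data. The function names and the two header-only sample responses are constructed for illustration.

```python
import struct

# DNS header flag bits (RFC 1035, RFC 4035)
QR, RD, RA, AD, CD = 0x8000, 0x0100, 0x0080, 0x0020, 0x0010
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN"}

def build_query(name, qtype=1, cd=False, do=True, qid=0x1234):
    """Wire-format query. cd=True is the CD=1 case described in the reply."""
    flags = RD | (CD if cd else 0)
    header = struct.pack("!6H", qid, flags, 1, 0, 0, 1 if do else 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    question = qname + struct.pack("!2H", qtype, 1)  # QTYPE, QCLASS=IN
    # EDNS0 OPT RR: root name, TYPE=41, CLASS=UDP size, ext-rcode, version,
    # flags with DO (0x8000) set, RDLEN=0
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 1232, 0, 0, 0x8000, 0) if do else b""
    return header + question + opt

def parse_header(msg):
    """Decode the 12-byte DNS header into the fields relevant to DNSSEC."""
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    return {"id": qid, "qr": bool(flags & QR), "ad": bool(flags & AD),
            "cd": bool(flags & CD), "ancount": an,
            "rcode": RCODES.get(flags & 0xF, str(flags & 0xF))}

def status(resp):
    """What the upstream response tells the client about validation."""
    h = parse_header(resp)
    if h["rcode"] == "SERVFAIL":
        return "rejected upstream"    # validator refused to hand out the data
    if h["ad"]:
        return "validated upstream"   # upstream asserts the answer is secure
    return "unvalidated data"         # must be validated locally or treated as insecure

# Constructed header-only samples (no question/answer sections attached):
# a validating forwarder answering a bogus name with CD=0, then with CD=1.
SAMPLE_CD0 = struct.pack("!6H", 0x1234, QR | RD | RA | 2, 1, 0, 0, 0)
SAMPLE_CD1 = struct.pack("!6H", 0x1234, QR | RD | RA | CD, 1, 1, 0, 0)

if __name__ == "__main__":
    q = build_query("www.dnssec-failed.org", cd=True)
    print("query flags:", parse_header(q))
    print("CD=0 ->", status(SAMPLE_CD0))
    print("CD=1 ->", status(SAMPLE_CD1))
```
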