message is bogus, non secure rrset with Unbound as local caching resolver

Tony Finch dot at
Thu Mar 3 10:49:23 UTC 2016

Havard Eidnes <he at> wrote:
> Come to think of it, anything you get from a recursive resolver are
> possibly cached hints, including what you get in the Answer section.

It isn't quite that bad due to the RFC 2181 trustworthiness ranking.

> > Does Unbound use CD=1 when forwarding? If so, it should expect to receive
> > partially bogus answers and should handle them gracefully.
> Yep, as Olav replied, and the pcaps I capture on the BIND recursor
> agrees: CD=1 is set in the forwarded queries.

CD=1 is the wrong thing when querying a forwarder. When a domain is partly
broken, queries that work with CD=0 can be forced to fail with CD=1.

f.anthony.n.finch  <dot at>
Fitzroy, Sole, Lundy, Fastnet: West or northwest 5 to 7, perhaps gale 8 later.
Moderate or rough in Lundy, otherwise rough or very rough, occasionally high
later except in Fastnet. Rain or thundery showers. Good, occasionally poor.

More information about the Unbound-users mailing list