message is bogus, non secure rrset with Unbound as local caching resolver

Tony Finch dot at
Thu Mar 3 11:43:30 UTC 2016

Havard Eidnes <he at> wrote:
> > CD=1 is the wrong thing when querying a forwarder. When a
> > domain is partly broken, queries that work with CD=0 can be
> > forced to fail with CD=1.
> Really?  I interpreted the use of CD=1 as "I want to do my own
> DNSSEC validation, and therefore don't want or need the
> validation service which could be provided by the forwarder",
> especially as noted above when the communication isn't secured.
> It should not make much of a difference wrt. the validity of the
> end result whether the forwarder or the unbound resolver does the
> DNSSEC validation?

This current case is a perfect example: unbound works when it queries
upstream with CD=0 but not with CD=1.

If a domain is a bit broken then you can get bogus data into the upstream
cache using CD=1 and subsequent CD=1 queries will receive the bogus data.
If the downstream validator doesn't have an alternative resolution path it
is now stuck. But if it queries with CD=0 it can get unstuck.

You need to suppress bogus data at every point in the resolution path.

f.anthony.n.finch  <dot at>
Southeast Iceland: Easterly or northeasterly, 4 or 5, occasionally 6, becoming
variable 4 later in west. Moderate or rough, occasionally very rough later in
south. Mainly fair. Good.
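A constructed Python model of the argument above (added here; not Unbound's code and not from anyone in the thread): a validating forwarder that, on CD=1, accepts and caches whatever it first receives, and a downstream validator that asks it with either CD setting. The zone, server order and address are made up for the example.

```python
# Constructed model of how the CD bit interacts with a forwarder's cache
# when a zone is partly broken. Not Unbound code.
from dataclasses import dataclass

@dataclass(frozen=True)
class Answer:
    rdata: str
    sig_ok: bool   # True if the RRSIG chain for this RRset verifies

def validate(ans):
    return "secure" if ans.sig_ok else "bogus"

class Forwarder:
    """Validating forwarder whose cache holds whatever it last accepted."""
    def __init__(self, servers):
        self.servers = servers   # name -> authoritative answers, tried in order
        self.cache = {}

    def resolve(self, name, cd):
        for ans in self.servers[name]:
            # CD=1: hand back the first answer unvalidated; CD=0: keep trying
            # servers until one answer validates.
            if cd or validate(ans) == "secure":
                self.cache[name] = ans
                return ans
        return None   # SERVFAIL: nothing validated

    def query(self, name, cd):
        cached = self.cache.get(name)
        if cached is not None and (cd or validate(cached) == "secure"):
            return cached
        return self.resolve(name, cd)   # CD=0 re-resolves a bogus cache entry

class Validator:
    """Downstream validating resolver (the Unbound role) behind the forwarder."""
    def __init__(self, fwd, cd):
        self.fwd, self.cd = fwd, cd

    def lookup(self, name):
        ans = self.fwd.query(name, self.cd)
        if ans is None or validate(ans) == "bogus":
            return "SERVFAIL"
        return ans.rdata

# Constructed partly-broken zone: the first server hands out a badly signed
# RRset, the second server's copy is signed correctly.
SERVERS = {"www.example.test.": [Answer("192.0.2.1", False), Answer("192.0.2.1", True)]}

def run(cd_first, cd_second):
    """Two successive lookups through one forwarder; returns both outcomes."""
    fwd = Forwarder(SERVERS)
    first = Validator(fwd, cd_first).lookup("www.example.test.")
    second = Validator(fwd, cd_second).lookup("www.example.test.")
    return first, second
```

With CD=1 the bogus RRset enters the cache on the first query and every later CD=1 query stays stuck on it; a CD=0 query forces the forwarder to revalidate and recovers.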
