message is bogus, non secure rrset with Unbound as local caching resolver
dot at dotat.at
Thu Mar 3 11:43:30 UTC 2016
Havard Eidnes <he at uninett.no> wrote:
> > CD=1 is the wrong thing when querying a forwarder. When a
> > domain is partly broken, queries that work with CD=0 can be
> > forced to fail with CD=1.
> Really? I interpreted the use of CD=1 as "I want to do my own
> DNSSEC validation, and therefore don't want or need the
> validation service which could be provided by the forwarder",
> especially as noted above when the communication isn't secured.
> It should not make much of a difference wrt. the validity of the
> end result whether the forwarder or the unbound resolver does the
> DNSSEC validation?
This current case is a perfect example: unbound works when it queries
upstream with CD=0 but not with CD=1.
If a domain is a bit broken then you can get bogus data into the upstream
cache using CD=1 and subsequent CD=1 queries will receive the bogus data.
If the downstream validator doesn't have an alternative resolution path it
is now stuck. But if it queries with CD=0 it can get unstuck.
You need to suppress bogus data at every point in the resolution path.
f.anthony.n.finch <dot at dotat.at> http://dotat.at/
Southeast Iceland: Easterly or northeasterly, 4 or 5, occasionally 6, becoming
variable 4 later in west. Moderate or rough, occasionally very rough later in
south. Mainly fair. Good.
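The failure mode Tony describes above, as an added model that is not part of the thread and not Unbound's code: a validating resolver sitting behind a single forwarder, where the zone has one correctly signed authoritative server and one broken one. The "RRSIG" here is a constructed HMAC over the RRset data, and the server and zone names are made up; only the caching and CD-bit behaviour matters. Querying the forwarder with CD=1 lets the broken server's unvalidated answer into the forwarder's cache, and every later CD=1 query is served from that cache, so the downstream validator fails until something asks with CD=0.

```python
"""Toy model: validating stub (Unbound's role) behind a forwarding resolver.

Constructed example. Two authoritative servers exist for one signed zone;
the first is broken and serves an RRset with a bad signature. The forwarder
validates only when the client left CD clear, and caches what it fetched.
"""
import hashlib
import hmac
from dataclasses import dataclass

ZSK = b"toy zone signing key"  # constructed stand-in for the zone's DNSSEC key


def sign(data: bytes) -> bytes:
    """Stand-in for an RRSIG: a MAC over the RRset data."""
    return hmac.new(ZSK, data, hashlib.sha256).digest()


@dataclass
class RRset:
    name: str
    data: bytes
    rrsig: bytes

    def validates(self) -> bool:
        return hmac.compare_digest(sign(self.data), self.rrsig)


GOOD = RRset("www.example.", b"192.0.2.1", sign(b"192.0.2.1"))
BOGUS = RRset("www.example.", b"192.0.2.1", b"\x00" * 32)  # broken server: bad RRSIG


class AuthServer:
    def __init__(self, answer: RRset):
        self.answer = answer

    def query(self, name: str) -> RRset:
        return self.answer


class Forwarder:
    """Recursive resolver with a cache; validates unless the client set CD."""

    def __init__(self, servers):
        self.servers = servers
        self.cache = {}  # name -> (RRset, validated: bool)

    def query(self, name: str, cd: bool):
        hit = self.cache.get(name)
        if hit is not None:
            rrset, validated = hit
            # Unvalidated cache contents are handed only to a CD=1 client;
            # a CD=0 client forces re-resolution with validation.
            if validated or cd:
                return rrset
        for server in self.servers:
            rrset = server.query(name)
            if cd:
                # Not asked to validate: cache and return whatever came back.
                self.cache[name] = (rrset, False)
                return rrset
            if rrset.validates():
                self.cache[name] = (rrset, True)
                return rrset
            # Bogus under CD=0: do not cache it, try the next server instead.
        return None  # SERVFAIL: no server produced a validatable answer


class Validator:
    """Downstream validating resolver with one forwarder and no other path."""

    def __init__(self, forwarder: Forwarder, cd_upstream: bool):
        self.forwarder = forwarder
        self.cd_upstream = cd_upstream

    def resolve(self, name: str) -> str:
        rrset = self.forwarder.query(name, cd=self.cd_upstream)
        if rrset is None or not rrset.validates():
            return "SERVFAIL"
        return rrset.data.decode()


def run(cd_upstream: bool, attempts: int = 3):
    """Answers a client sees over repeated lookups through a fresh forwarder."""
    fwd = Forwarder([AuthServer(BOGUS), AuthServer(GOOD)])  # broken server tried first
    unbound = Validator(fwd, cd_upstream)
    return [unbound.resolve("www.example.") for _ in range(attempts)]


def poison_then_recover():
    """CD=1 poisons the forwarder cache; a CD=0 query replaces the entry."""
    fwd = Forwarder([AuthServer(BOGUS), AuthServer(GOOD)])
    stuck = Validator(fwd, cd_upstream=True).resolve("www.example.")
    fixed = Validator(fwd, cd_upstream=False).resolve("www.example.")
    after = Validator(fwd, cd_upstream=True).resolve("www.example.")
    return stuck, fixed, after


if __name__ == "__main__":
    print("CD=1 upstream:", run(cd_upstream=True))
    print("CD=0 upstream:", run(cd_upstream=False))
    print("poison, then CD=0, then CD=1:", poison_then_recover())
```

With CD=1 upstream every attempt is SERVFAIL, because the forwarder answered the first query from the broken server and then served that cached RRset to each later CD=1 query; the validator has no second path to try. With CD=0 the forwarder itself rejects the bogus RRset and moves on to the working server, which is the "unstuck" path in the mail.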