message is bogus, non secure rrset with Unbound as local caching resolver

Havard Eidnes he at uninett.no
Fri Mar 4 10:39:14 UTC 2016


>> Following the "not a bug" response from the BIND maintainers 
>> yesterday evening, can you please point to chapter and verse 
>> mandating this behaviour for non-authoritative recursive 
>> resolvers?
>
> RFC4035 3.2.3 for validators, all RRsets in answer and authority
> sections should be authentic ...

That's an incomplete quote.  A more complete quote would be:

3.2.3.  The AD Bit

   The name server side of a security-aware recursive name server MUST
   NOT set the AD bit in a response unless the name server considers all
   RRsets in the Answer and Authority sections of the response to be
   authentic.  The name server side SHOULD set the AD bit if and only if
   the resolver side considers all RRsets in the Answer section and any
   relevant negative response RRs in the Authority section to be
   authentic. [...]

However, since the CD ("Checking Disabled") bit is set in the query
Unbound sends to its forwarder, the AD ("Authentic Data") bit is of
course not set in its response, so this whole section doesn't really
apply.

Please also note that this section only talks about setting the AD
bit, not about whether it's mandatory to include "all required DNSSEC
records that the querier is missing and which are required to validate
the included information".

If such or a similar mandate exists on a recursive resolver, it must
come from elsewhere.

Therefore my suggestion: "If the validator needs more information to
complete validation, it had better ask for it explicitly."

As has been pointed to elsewhere in this thread there's a question of
whether setting the CD bit in queries sent to a forwarder is
appropriate, but RFC 6840 (Clarifications and Implementation notes for
DNS security) seems to recommend the practice, ref. section 5.9, but
also lists a number of different ways this can be done, ref. appendix
B, which also mentions the possibility of there being more than one
validator on the path, as can be the case when using a forwarder.

Regards,

- Håvard



More information about the Unbound-users mailing list