unbound API and authenticated data

George Thessalonikefs george at nlnetlabs.nl
Tue Jul 21 16:04:51 UTC 2020


Hi Anthony,

It would be better if you give an example of what you are trying to achieve.

If you trust your upstream (e.g., forwarding to a trusted resolver that
checks DNSSEC) you can disable validation by not including `validator`
in the modules configuration (`module-config:`).

If validation is disabled, unbound cannot check the DNSSEC state.

Best regards,
-- George


On 15/07/2020 18:51, Modster, Anthony wrote:
> Hello George
> 
> So for this case, the AD state is ignored by unbound.
> - If unbound receives the AD, it means that the upstream *signals* that
>   it has verified the query response. Unbound will not trust this and
>   will always do validation (unless not configured).
> 
> What configuration parameter can be used to disable validation?
> 
> If validation is disabled will unbound check the AD state?
> 
> Note: we are using unbound as a client resolver.
> 
> -----Original Message-----
> From: Unbound-users <unbound-users-bounces at lists.nlnetlabs.nl> On Behalf Of George Thessalonikefs via Unbound-users
> Sent: Wednesday, July 15, 2020 8:04 AM
> To: unbound-users at lists.nlnetlabs.nl
> Subject: Re: unbound API and authenticated data
> 
> Hi Anthony,
> 
> It is not clear to me by your text but:
> - If unbound receives the AD, it means that the upstream *signals* that
>   it has verified the query response. Unbound will not trust this and
>   will always do validation (unless not configured).
> - If unbound sets the AD, unbound itself has verified the response.
> 
> I can't give one answer for the other values because it depends on the response.
> Information for the values you asked can be found in your local man page for libunbound or online at https://www.nlnetlabs.nl/documentation/unbound/libunbound/ for the latest version.
> 
> Best regards,
> -- George
> 
> On 14/07/2020 20:20, Modster, Anthony via Unbound-users wrote:
>> Does anyone have the information below ?
>>
>> *From:* Modster, Anthony
>> *Sent:* Wednesday, July 8, 2020 11:53 AM
>> *To:* Modster, Anthony via Unbound-users <unbound-users at lists.nlnetlabs.nl>
>> *Subject:* unbound API and authenticated data
>>
>> Hello
>>
>> We are using unbound API for DNSSEC resolve.
>>
>> If the Authenticated Data (AD) flag is received and is set to "not validated" 0.
>>
>> What would be the states of the following flags:
>>
>>   * havedata
>>   * secure
>>   * bogus
>>
>> Thanks
>>
> 
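
An added example (not part of the original thread and not NLnet Labs code) of the distinction drawn above: the AD bit received from upstream is only a signal, and the application decides from the local validation flags. `struct res_flags`, `wire_ad` and `classify` are hypothetical names; the struct stands in for the `havedata`, `secure` and `bogus` fields of the libunbound result so the block builds without the library, and the header bytes are constructed sample data.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-in for the libunbound result fields asked about in the
 * thread, so this block builds without libunbound installed. */
struct res_flags { int havedata, secure, bogus; };

enum verdict { V_REJECT_BOGUS, V_NODATA, V_UNAUTHENTICATED, V_AUTHENTICATED };

/* AD bit as carried on the wire: DNS header byte 3, mask 0x20 (RFC 4035).
 * Returns -1 when the buffer is shorter than the 12-byte DNS header. */
int wire_ad(const unsigned char *pkt, size_t len)
{
    if (pkt == NULL || len < 12)
        return -1;
    return (pkt[3] & 0x20) ? 1 : 0;
}

/* Decide from the local validation result only. The upstream AD bit is an
 * argument to make explicit that it never upgrades the verdict. */
enum verdict classify(const struct res_flags *r, int upstream_ad)
{
    (void)upstream_ad;            /* a signal from upstream, not proof */
    if (r->bogus)
        return V_REJECT_BOGUS;    /* validation failed: never use the data */
    if (!r->havedata)
        return V_NODATA;          /* caller can still inspect r->secure */
    return r->secure ? V_AUTHENTICATED : V_UNAUTHENTICATED;
}

int main(void)
{
    /* Constructed response header: id 0x1234, flags 0x81a0 (QR RD RA AD). */
    const unsigned char hdr[12] = { 0x12, 0x34, 0x81, 0xa0, 0, 1, 0, 1, 0, 0, 0, 0 };
    /* Constructed case, assumed for illustration: validator left out of
     * module-config, so secure and bogus both read 0 although upstream set AD. */
    struct res_flags no_validator = { 1, 0, 0 };
    int ad = wire_ad(hdr, sizeof hdr);
    printf("upstream AD=%d verdict=%d\n", ad, classify(&no_validator, ad));
    return 0;
}
```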
