Maintained by: NLnet Labs

[Unbound-users] dnssec stripping not resulting in serv fail?

Paul Wouters
Sat Jan 8 23:06:45 CET 2011


On Fri, 7 Jan 2011, W.C.A. Wijngaards wrote:

>> I was recently at the SFO airport, and ran into a DNS server on their free
>> wifi that does DNSSEC stripping. Or at least, it knows about dnssec-related
>> RRTYPEs (DNSKEY, etc.) but does not serve RRSIGs when requesting dnssec with
>> the DO bit.
>
> It should servfail.

It did not.

>> In my case, I had unbound running and configured it to use the dhcp-supplied
>> forwarder using: unbound-control forward 1.2.3.4
>
> But that statement leaves the cache intact, where a previously validated
> (at home or the office) RR may reside.

I always restarted unbound fully.

> If you start logging it should log lots more than that.  If you get
> there again, it could be helpful to clear the cache and then try with
> logging enabled.

I did capture the logs, mailed to you offlist.

> I think you had a valid entry in the cache, that was returned, without
> actually sending queries at SFO.

I don't think so. For each test I ran a "service unbound restart", and
since resolv.conf was not configured to use 127.0.0.1, nothing could
have used unbound until I started sending it queries for xelerance.org
after I ran the unbound-control forward statement.

Paul
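A small stdlib-only check for the symptom discussed in this thread (a forwarder that answers a DO-bit query with records but no RRSIG), added here as an example; it is not code from the list, from Paul, or from Unbound. It builds the DO query, parses the answer section of a reply, and flags a reply that carries answers without any RRSIG. The two responses are constructed in-line (xelerance.org from the thread, a TEST-NET address and placeholder RRSIG rdata), not real captures.

```python
import struct
TYPE_A, TYPE_OPT, TYPE_RRSIG = 1, 41, 46
def encode_name(name):
    """Dotted name -> DNS wire-format labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode() for lab in labels) + b"\x00"
def build_do_query(name, qtype=TYPE_A, txid=0x1234):
    """Query with RD set plus an EDNS0 OPT RR whose DO bit asks the server for RRSIGs."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack(">HH", qtype, 1)
    opt = b"\x00" + struct.pack(">HHBBHH", TYPE_OPT, 4096, 0, 0, 0x8000, 0)  # DO = 0x8000
    return header + question + opt
def skip_name(msg, off):
    """Offset just past a name, which may end in a 2-byte compression pointer."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:
            return off + 2
        off += 1 + n
def answer_rrtypes(msg):
    """RR types present in the answer section of a DNS message."""
    qdcount, ancount = struct.unpack(">HH", msg[4:8])
    off, types = 12, []
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4
    for _ in range(ancount):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        types.append(rtype)
        off += 10 + rdlen
    return types
def looks_stripped(msg):
    """True when a DO query got answer records back with no RRSIG next to them."""
    types = answer_rrtypes(msg)
    return bool(types) and TYPE_RRSIG not in types
def build_response(name, rdatas, txid=0x1234):
    """Constructed response: question echoed, answers use pointer 0xC00C to the qname."""
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, len(rdatas), 0, 0)
    body = encode_name(name) + struct.pack(">HH", TYPE_A, 1)
    for rtype, rdata in rdatas:
        body += b"\xc0\x0c" + struct.pack(">HHIH", rtype, 1, 300, len(rdata)) + rdata
    return header + body
# Constructed samples (not real captures): signed answer vs. the same answer with RRSIG stripped
A_RDATA, RRSIG_RDATA = bytes([192, 0, 2, 10]), b"\x00" * 18
INTACT = build_response("xelerance.org", [(TYPE_A, A_RDATA), (TYPE_RRSIG, RRSIG_RDATA)])
STRIPPED = build_response("xelerance.org", [(TYPE_A, A_RDATA)])
```

To use it against a live forwarder, send `build_do_query(...)` over UDP port 53 and pass the reply to `looks_stripped`; a validating resolver in front of such a forwarder is expected to return SERVFAIL rather than the unsigned answer.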