Unbound and DNSSEC - different answers from 1.4.22 and 1.5.6
Casey Deccio
casey at deccio.net
Wed Nov 25 16:08:39 UTC 2015
On Wed, Nov 25, 2015 at 10:19 AM, Aleš Rygl <unbound-users at unbound.net>
wrote:
> I am running Unbound 1.4.22 on Debian 7.9 for production and have also
> installed Unbound 1.5.6-1 on Debian 8.2. Both are validating with nearly
> identical config.
>
In the 1.5.5 release, the following default behavior changed:
- Change default of harden-algo-downgrade to off. This is lenient for
algorithm rollover.
(https://www.unbound.net/pipermail/unbound-users/2015-October/004055.html)
From the unbound.conf man page:
harden-algo-downgrade - Harden against algorithm downgrade when multiple
algorithms are advertised in the DS record. If no, allows the weakest
algorithm to validate the zone. Default is no. Zone signers must
produce zones that allow this feature to work, but sometimes they do
not, and turning this option off avoids that validation failure.
(https://www.unbound.net/documentation/unbound.conf.html)
> According to the dnsviz.net the domain seems to be DNSSEC broken.
>
Well, "broken" might be strong, but it has errors on the signer side
because the RRsets are signed by only one of the algorithms that appear in
the DS RRset:
http://dnsviz.net/d/mikulasske.cz/VlXMmQ/dnssec/
There is a validation path using one of the algorithms, but because it is
not signed with both, unbound will only validate it if
harden-algo-downgrade is off. Again, the default behavior changed between
versions, which explains why validation works for one and not for the other.
Cheers,
Casey
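A small model of the check the thread describes, added here as an example and not code from Unbound or from the poster: given the algorithms advertised in a parent's DS RRset and the algorithms of the RRSIGs that actually verify, it reports whether a validator with harden-algo-downgrade set to yes (the 1.4.x default) or no (the 1.5.5+ default) would accept the zone. The algorithm numbers in the sample (5 = RSASHA1, 8 = RSASHA256) are constructed; the page does not name the algorithms in the real DS RRset.

```python
"""Model of the harden-algo-downgrade decision (added example, not Unbound's code)."""
from dataclasses import dataclass
from typing import FrozenSet, Iterable


@dataclass(frozen=True)
class ValidationResult:
    strict_ok: bool             # harden-algo-downgrade: yes (1.4.x default)
    lenient_ok: bool            # harden-algo-downgrade: no  (default since 1.5.5)
    missing: FrozenSet[int]     # DS algorithms with no verifying RRSIG


def assess(ds_algorithms: Iterable[int],
           verified_sig_algorithms: Iterable[int]) -> ValidationResult:
    """
    ds_algorithms: algorithm numbers present in the parent's DS RRset.
    verified_sig_algorithms: algorithms of RRSIGs over the child's data that
      verify against a DNSKEY chained from one of those DS records.
    Simplification (assumption): one "verified" set stands in for all RRsets.
    """
    ds = frozenset(ds_algorithms)
    sigs = frozenset(verified_sig_algorithms)
    usable = ds & sigs          # at least one algorithm gives a trusted path
    missing = ds - sigs         # algorithms advertised but never used to sign
    lenient_ok = bool(usable)   # any one path is enough when downgrade is allowed
    strict_ok = bool(usable) and not missing   # every advertised algorithm must sign
    return ValidationResult(strict_ok, lenient_ok, missing)


def default_harden_algo_downgrade(version: str) -> bool:
    """Default of harden-algo-downgrade for an Unbound version string.

    The thread states the default flipped to 'no' in 1.5.5. Debian suffixes
    such as '1.5.6-1' are stripped before comparison.
    """
    parts = tuple(int(p) for p in version.split("-")[0].split("."))
    return parts < (1, 5, 5)


if __name__ == "__main__":
    # Constructed sample: DS advertises two algorithms, zone signs with one.
    result = assess(ds_algorithms=[5, 8], verified_sig_algorithms=[8])
    for ver in ("1.4.22", "1.5.6-1"):
        strict = default_harden_algo_downgrade(ver)
        ok = result.strict_ok if strict else result.lenient_ok
        print(f"unbound {ver}: harden-algo-downgrade={'yes' if strict else 'no'}"
              f" -> {'validates' if ok else 'SERVFAIL'}; missing={set(result.missing)}")
```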