message is bogus, non secure rrset with Unbound as local caching resolver
Havard Eidnes
he at uninett.no
Thu Mar 17 17:23:23 UTC 2016
> But unbound is trying to set the AD flag in its reply. And thus it
> needs all the RRsets to be secure. Thus, the reply from the forwarder
> with CD flag becomes bogus.

Yes, I know unbound is trying to validate the answer. However,
insisting that a recursor return all pertinent data required for
validation of the response, especially with cd=1 set in the query,
is unreasonable.

> I fixed it so that Unbound uses CD=0 to send queries to a forwarder.
> Unless a dnssec trust anchor exists above the qname, in which case CD=0
> is only attempted on the first query.

Not sure I understand what it means to have a "trust anchor exist
above the qname", but otherwise I suspect and hope this will cure
the problem.

> CD flag is still used on all queries to authorities.

Of course.

Regards,

- Håvard