Maintained by: NLnet Labs

[Unbound-users] bogus resolution with forwarding and DLV

W.C.A. Wijngaards
Mon Feb 9 12:53:49 CET 2015


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hi,

On 09/02/15 01:55, Jaap Akkerhuis wrote:
> Viktor Dukhovni writes:
> 
>> On Sat, Feb 07, 2015 at 04:24:33PM +0100, Jan V?el?k wrote:
>> 
>>> The BIND developers claim, that the behavior of BIND is
>>> correct.

Unbound is fixed for more lenience.  It would be good to not make
messages DNSSEC bogus if it can be avoided.

DLV is not the motivation to fix this, but 'trust anchor differences
and validation'.

Best regards,
   Wouter

>>> 
>>> The upstream resolver (BIND) has DLV disabled and therefore
>>> uses a subset of trust anchors my local resolver (Unbound)
>>> uses. And the zone is insecure from the BIND's point of view.
>>> 
>>> Ignoring the fact, that BIND adds NS records into authority
>>> from no reason, omitting the NS RRSIGs is probably
>>> justifiable.
>> 
>> I think this is another good reason to stop using DLV.
> 
> Apparenlty there are plans to do so. There will be a talk about it 
> at ICANN-52 (See 
> <http://singapore52.icann.org/en/schedule/mon-tech/agenda-ccnso-tech-09feb15-en.pdf>.)
>
>  jaap _______________________________________________ Unbound-users
> mailing list Unbound-users at unbound.net 
> http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
> 

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJU2J/NAAoJEJ9vHC1+BF+NurgP/0vKLZk13LidXtorLRe7DbCk
t393iJ4WHh+XrUFh8hY60R+kKffosXtGXen0QoRmNlbkmoWxQCV4Uu4JhzUeTYmD
+4kPGyjIxFW92o8Frnn+rfrsVWmGF+llEfEQaaMdBQtw4KDUdW2MI3waBLYkJI5c
93TG/gK55hp6Rt5pSy7vjzTpN9ZfX4Op8dj83po51g6moA7o6ZLnqQS8Ouo4xfPY
r4Rd2HCQpv0TE4Wz8HnWiqC+2wBk0EC2m/tmKQgTt3DohRkXXvmKBQi5cTaBomQA
IE/Ri+RLgzmlB5CzBxxIAYL3HW8KIV+K/SAuI3pxc3IkQxjEoSVr9Dq0S2s707Wc
2/EEsoqXVZUOPxgh4+FVLt6JfUWme8kFlbLhcMjX3oK90+qjZwkqcfTFZO4DnhPc
Uu+pnZAJMPFCAfIqR6h5nUlt65TaUdBxCFIbFAhgM7Jp5bVJHLu5UWGZxh6R06W2
2lL6MoIzDnNJQNgRgRDYaxhyoQuA+RmY2XR8Rbu7pZNydatP3Uy6tcnuCeHJoFNh
mBCxzwotUp+ok5qT+8hinoMLRF/L1ed8/vb3QQmwOP62uVrEKBWbkcaatZaT2cFY
bP2HVSkPtUJ147x/UOhBw9STTdNbcUYoTyYvFdMgbqWxv2Ke8vAh3H55ZexTjSmb
F+GQx48ePynZhKawdxJl
=2kQi
-----END PGP SIGNATURE-----