Disable additional OPT Accepts DNSSEC security RRs

Brian J. Murrell brian at interlinx.bc.ca
Fri Mar 15 19:05:03 UTC 2024


Hi.

I am trying to get unbound to work in a particular captive environment
that provides its own resolvers.  For numerous reasons I want to run
my own resolver (using unbound of course) and have it query the captive
environment's resolvers.

The problem I seem to be running into though is that the captive
environment's resolvers don't seem to answer queries that include the
additional OPT RR that specifies that DNSSEC RRs are accepted.

I.e. in the below decode of a query packet from Wireshark:

Domain Name System (query)
    Transaction ID: 0xd1ba
    Flags: 0x0100 Standard query
    Questions: 1
    Answer RRs: 0
    Authority RRs: 0
    Additional RRs: 1
    Queries
        detectportal.firefox.com: type A, class IN
            Name: detectportal.firefox.com
            [Name Length: 24]
            [Label Count: 3]
            Type: A (Host Address) (1)
            Class: IN (0x0001)
    Additional records
        <Root>: type OPT
            Name: <Root>
            Type: OPT (41)
            UDP payload size: 1232
            Higher bits in extended RCODE: 0x00
            EDNS0 version: 0
            Z: 0x8000
                1... .... .... .... = DO bit: Accepts DNSSEC security RRs
                .000 0000 0000 0000 = Reserved: 0x0000
            Data length: 0

That Additional records->OPT seems to be the difference between queries
that the environment's resolvers will ignore and ones that it will
answer.

I have already tried disabling DNSSEC validation with:

  module-config: "iterator"

but that doesn't seem to suppress that Additional RR in the query.  I
don't know a whole ton about DNSSEC but it seems useless to tell the
server that you are querying that you accept DNSSEC RRs if you are not
going to validate, so I was hopeful that removing the validator module
would achieve removing the Additional RR but it seems it does not.

Is there any other way at all to have unbound stop sending that
Additional RR so that I can at least validate my theory?  Well, and
leave it disabled if my theory proves out.   :-)

Cheers,
b.
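An added example (not from the post above and not Unbound's own code) for checking the theory directly: it rebuilds the query from the Wireshark decode in wire format, with and without the EDNS0 OPT RR and its DO bit, and parses a query to report what OPT RR it carries. The hostname, transaction ID and resolver address are the post's values or placeholders; `send_query` is a plain UDP helper for sending each variant to a resolver and is an assumption of this example.

```python
import socket
import struct

def build_query(txid, name, qtype=1, edns=True, do=True, udp_size=1232):
    """Build a wire-format DNS query; optionally append an EDNS0 OPT RR."""
    arcount = 1 if edns else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    pkt = header + qname + struct.pack("!HH", qtype, 1)  # class IN
    if edns:
        # OPT RR (RFC 6891): root name, type 41, CLASS carries the UDP payload
        # size, TTL carries ext-RCODE/version/Z; the DO bit is the top Z bit.
        ttl = 0x8000 if do else 0
        pkt += b"\x00" + struct.pack("!HHIH", 41, udp_size, ttl, 0)
    return pkt

def skip_name(pkt, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer, 2 bytes total
            return off + 2
        off += length + 1

def edns_info(pkt):
    """Return (udp_size, do_bit) if the packet carries an OPT RR, else None."""
    _txid, _flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", pkt, 0)
    off = 12
    for _ in range(qd):
        off = skip_name(pkt, off) + 4  # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(pkt, off)
        rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", pkt, off)
        off += 10 + rdlen
        if rtype == 41:
            return rclass, bool(ttl & 0x8000)
    return None

def send_query(pkt, server, timeout=2.0):
    """Send one query over UDP and return the raw answer, or None on timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(pkt, (server, 53))
        try:
            return s.recvfrom(4096)[0]
        except socket.timeout:
            return None

if __name__ == "__main__":
    # Constructed from the decode in the post; RESOLVER is a placeholder.
    RESOLVER = "192.0.2.53"
    for label, q in (("DO set", build_query(0xD1BA, "detectportal.firefox.com")),
                     ("no DO", build_query(0xD1BA, "detectportal.firefox.com", do=False)),
                     ("no OPT", build_query(0xD1BA, "detectportal.firefox.com", edns=False))):
        print(label, edns_info(q), "answered" if send_query(q, RESOLVER) else "no answer")
```

Comparing which of the three variants the captive resolver answers tells you whether it is the DO bit or the OPT RR as a whole that it refuses.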
