Disable additional OPT Accepts DNSSEC security RRs

Yorgos Thessalonikefs yorgos at nlnetlabs.nl
Mon Mar 18 10:45:16 UTC 2024


Hi Brian,

The OPT record is for EDNS in general.
The DO bit is about DNSSEC and validation; part of the OPT record.

From version 1.19.0 on, you can use 'disable-edns-do: yes' to turn the 
bit off; you would also need to keep the validator module removed 
otherwise that option would be ignored.

You can check like that if the DO bit is the culprit in your case.

If not, then probably the OPT record itself is.
For the same query in your example you could use:

     dig @resolver detectportal.firefox.com. +noedns

to check if that solves the problem.

If it does, the resolver mishandles EDNS and I cannot help you further 
with Unbound :)

Best regards,
-- Yorgos


On 15/03/2024 20:05, Brian J. Murrell via Unbound-users wrote:
> Hi.
> 
> I am trying to get unbound to work in a particular captive environment
> that provides its own resolvers.  For numerous reasons I want to run
> my own resolver (using unbound of course) and have it query the captive
> environment's resolvers.
> 
> The problem I seem to be running into though is that the captive
> environment's resolvers don't seem to answer queries that include the
> additional OPT RR that specifies that DNSSEC RRs are accepted.
> 
> I.e. in the below decode of a query packet from Wireshark:
> 
> Domain Name System (query)
>      Transaction ID: 0xd1ba
>      Flags: 0x0100 Standard query
>      Questions: 1
>      Answer RRs: 0
>      Authority RRs: 0
>      Additional RRs: 1
>      Queries
>          detectportal.firefox.com: type A, class IN
>              Name: detectportal.firefox.com
>              [Name Length: 24]
>              [Label Count: 3]
>              Type: A (Host Address) (1)
>              Class: IN (0x0001)
>      Additional records
>          <Root>: type OPT
>              Name: <Root>
>              Type: OPT (41)
>              UDP payload size: 1232
>              Higher bits in extended RCODE: 0x00
>              EDNS0 version: 0
>              Z: 0x8000
>                  1... .... .... .... = DO bit: Accepts DNSSEC security RRs
>                  .000 0000 0000 0000 = Reserved: 0x0000
>              Data length: 0
> 
> That Additional records->OPT seems to be the difference between queries
> that the environment's resolvers will ignore and ones that it will
> answer.
> 
> I have already tried disabling DNSSEC validation with:
> 
>    module-config: "iterator"
> 
> but that doesn't seem to suppress that Additional RR in the query.  I
> don't know a whole ton about DNSSEC but it seems useless to tell the
> server that you are querying that you accept DNSSEC RRs if you are not
> going to validate, so I was hopeful that removing the validator module
> would achieve removing the Additional RR but it seems it does not.
> 
> Is there any other way at all to have unbound stop sending that
> Additional RR so that I can at least validate my theory?  Well, and
> leave it disabled if my theory proves out.   :-)
> 
> Cheers,
> b.
> 
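The two changes discussed in this thread differ on the wire: 'disable-edns-do: yes' keeps the OPT RR and only clears the DO bit in its TTL field, while '+noedns' drops the OPT RR from the additional section altogether. The script below is an added example, not code from the thread or from Unbound; it rebuilds the query from Brian's Wireshark decode as a constructed byte string (transaction ID 0xd1ba, flags 0x0100, A/IN for detectportal.firefox.com, OPT with UDP payload size 1232 and Z 0x8000), parses it back the way a resolver would, and applies each of the two changes so you can see exactly which bytes differ. All function names are my own.

```python
import struct

OPT_TYPE = 41
EDNS_DO = 0x8000   # DO is bit 15 of the 16-bit Z field inside the OPT RR's TTL

# Constructed sample: the same query as the Wireshark decode quoted above.
SAMPLE_NAME = "detectportal.firefox.com"
SAMPLE_TXID = 0xD1BA


def encode_name(name: str) -> bytes:
    """Wire-format name: length-prefixed labels, terminated by a zero byte."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, txid, edns=True, do=True, payload=1232):
    """A/IN query with flags 0x0100 (RD set); ARCOUNT=1 plus an OPT RR only when edns=True."""
    hdr = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if edns else 0)
    pkt = hdr + encode_name(name) + struct.pack("!HH", 1, 1)          # QTYPE A, QCLASS IN
    if edns:
        # OPT RR: root name, TYPE 41, CLASS = UDP payload size,
        # TTL = ext-rcode(8) | version(8) | Z(16) where DO is the top Z bit, RDLEN 0
        ttl = EDNS_DO if do else 0
        pkt += encode_name("") + struct.pack("!HHIH", OPT_TYPE, payload, ttl, 0)
    return pkt


def decode_name(pkt, off):
    labels = []
    while True:
        ln = pkt[off]
        off += 1
        if ln == 0:
            return ".".join(labels), off
        if ln & 0xC0 == 0xC0:                      # compression pointer to an earlier name
            ptr = ((ln & 0x3F) << 8) | pkt[off]
            tail, _ = decode_name(pkt, ptr)
            labels.append(tail)
            return ".".join(labels), off + 1
        labels.append(pkt[off:off + ln].decode("ascii"))
        off += ln


def inspect_query(pkt):
    """What the upstream resolver sees: question, and whether an OPT RR / DO bit is present."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    off = 12
    info = {"txid": txid, "flags": flags, "qname": None, "edns": False, "do": False,
            "payload": None, "opt_offset": None, "opt_end": None}
    for _ in range(qd):
        info["qname"], off = decode_name(pkt, off)
        off += 4                                   # QTYPE + QCLASS
    for _ in range(an + ns + ar):                  # walk every RR; a query normally has only the OPT
        start = off
        name, off = decode_name(pkt, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT_TYPE and name == "":
            info.update(edns=True, payload=rclass, do=bool(ttl & EDNS_DO),
                        opt_offset=start, opt_end=off)
    return info


def clear_do(pkt):
    """Wire effect of 'disable-edns-do: yes': keep the OPT RR, clear only the DO bit."""
    i = inspect_query(pkt)
    if i["opt_offset"] is None:
        return pkt
    ttl_off = i["opt_offset"] + 1 + 2 + 2          # past root name, TYPE and CLASS
    ttl = struct.unpack("!I", pkt[ttl_off:ttl_off + 4])[0] & ~EDNS_DO
    return pkt[:ttl_off] + struct.pack("!I", ttl) + pkt[ttl_off + 4:]


def strip_edns(pkt):
    """Wire effect of 'dig +noedns': remove the whole OPT RR and decrement ARCOUNT."""
    i = inspect_query(pkt)
    if i["opt_offset"] is None:
        return pkt
    ar = struct.unpack("!H", pkt[10:12])[0] - 1
    return pkt[:10] + struct.pack("!H", ar) + pkt[12:i["opt_offset"]] + pkt[i["opt_end"]:]


if __name__ == "__main__":
    q = build_query(SAMPLE_NAME, SAMPLE_TXID)
    for label, p in (("as captured", q), ("DO cleared", clear_do(q)), ("no EDNS", strip_edns(q))):
        print(f"{label:12s} {len(p):3d} bytes  {p.hex()}")
        print(" " * 13, inspect_query(p))
```

Running it prints the three variants side by side: the captured query is 53 bytes, clearing DO leaves the length unchanged and flips a single byte in the OPT TTL, and dropping EDNS shortens the packet by the 11-byte OPT RR and zeroes ARCOUNT. If the captive resolvers answer the second variant but not the first, the DO bit is the trigger; if they only answer the third, it is the OPT RR itself, which is the distinction Yorgos's two suggestions are designed to separate.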