Maintained by: NLnet Labs

[Unbound-users] bug ? at least a difference in behaviour

Jaap Akkerhuis
Sun Sep 6 19:31:08 CEST 2009


    So powerdns-recursor uses the glue and treats it as authoritative
    data.  Perhaps it has an option to change that and allow
    "hardening" of the data too (kind of as per
    draft-wijngaards-dnsext-resolver-side-mitigation-01)
    
    Unbound seems to want to verify the glue at the authoritative
    server. That's why I thought of unbound's harden-referral-path:
    setting. It's one of the anti-Kaminsky measures of not just
    blindly trusting and using any glue you got. Since there is no
    working authoritative source for titan.net, unbound with
    harden-referral-path: yes fails to resolve titan.net and therefore
    insecure.org.
    
Note that zonecheck.fr and similar sites apparently don't believe
the glue either.

	jaap