Maintained by: NLnet Labs

[Unbound-users] small bug ?

Stephan Lagerholm
Thu Feb 4 12:47:59 CET 2010


Hi Leen,

I know the guy (Torbjorn Eklov) who wrote the script at test.ipv6.tk so
I asked him about the internals. It is a javascript that checks if you
can reach www.trasigdnssec.se (brokendnssec in Swedish). The domain is
deliberately broken; there is a published DS record at the parent but no
corresponding DNSKEY at the child. So it has nothing to do with DO flag
set or not.

So if you can't resolve www.trasigdnssec.se you are obviously doing
validation somewhere.

Do you perhaps have a forwarder to something that validates?

-S
----------------------------------------------------------------------
Stephan Lagerholm
Senior DNS Architect, M.Sc., CISSP
Secure64 Software Corporation, www.secure64.com
Cell: 469-834-3940

> -----Original Message-----
> From: unbound-users-bounces at NLnetLabs.nl [mailto:unbound-users-
> bounces at NLnetLabs.nl] On Behalf Of Leen Besselink
> Sent: Thursday, February 04, 2010 10:46 AM
> To: unbound-users at unbound.net
> Subject: [Unbound-users] small bug ?
> 
> Hi,
> 
> As someone with more interest in DNS and DNSSEC than most people, I
> tried the following page:
> 
> http://test.ipv6.tk/
> 
> Now I have an unbound running on my machine, but it does not have
> anything configured to do validation.
> 
> But still this page says:
> 
> "Your ISP validates DNSSEC for .se"
> 
> So I tried again with the latest version of unbound and created a
> pcap-file to see what was going on.
> 
> And I found out unbound was sending queries with the DO-bit set, but it
> isn't configured to actually validate anything.
> 
> Is there a way to turn this off when needed (for example if I'm running
> unbound on a laptop and am somewhere with a bad firewall) ?
> 
> Is this a bug or is this on purpose ?
> 
> Just a few questions I came up with while I was typing this. :-)
> 
> Anyway, thank you for creating Unbound.
> 
> Have a nice day,
>      Leen.
> _______________________________________________
> Unbound-users mailing list
> Unbound-users at unbound.net
> http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
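Added example (not part of the original thread, and not code from test.ipv6.tk or Unbound): the test logic described in the reply, extended with a second query that sets the CD (Checking Disabled) bit, so that a SERVFAIL caused by validation can be told apart from a name that is simply unreachable. It assumes www.trasigdnssec.se is still bogus as described; the helper names and the header-only sample responses are constructed for illustration.

```python
import struct

NOERROR, SERVFAIL = 0, 2

def build_query(name, qid=0x1234, cd=False, do=False):
    """Build an A/IN query. cd sets Checking Disabled; do adds an EDNS0 OPT RR with DO."""
    flags = 0x0100 | (0x0010 if cd else 0)            # RD, optionally CD
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 1 if do else 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii")
                     for l in name.rstrip(".").split(".")) + b"\x00"
    question = qname + struct.pack("!HH", 1, 1)       # QTYPE=A, QCLASS=IN
    # OPT RR: root owner, TYPE=41, CLASS=UDP size, TTL carries the DO flag (0x8000), RDLEN=0
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, 0x8000, 0) if do else b""
    return header + question + opt

def parse_header(msg):
    """Return the header fields that matter for the validation test."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": qid, "ad": bool(flags & 0x0020), "cd": bool(flags & 0x0010),
            "rcode": flags & 0x000F, "ancount": an}

def classify(normal_resp, cd_resp):
    """normal_resp: reply to a plain query for the bogus name; cd_resp: reply with CD=1."""
    n, c = parse_header(normal_resp), parse_header(cd_resp)
    if n["rcode"] == NOERROR and n["ancount"] > 0:
        return "no validation on the path"    # the bogus name resolved anyway
    if n["rcode"] == SERVFAIL and c["rcode"] == NOERROR and c["ancount"] > 0:
        return "validation on the path"       # fails only while checking is enabled
    return "inconclusive"                     # e.g. lame servers or a filtered path

def sample_header(flags, ancount):
    """Constructed header-only stand-in for a captured response."""
    return struct.pack("!HHHHHH", 0x1234, flags, 1, ancount, 0, 0)

SAMPLE_SERVFAIL = sample_header(0x8182, 0)      # QR RD RA, RCODE=SERVFAIL
SAMPLE_CD_ANSWER = sample_header(0x8190, 1)     # QR RD RA CD, NOERROR, one answer
SAMPLE_PLAIN_ANSWER = sample_header(0x8180, 1)  # QR RD RA, NOERROR, one answer
```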