Maintained by: NLnet Labs

[Unbound-users] small bug ?

Stephan Lagerholm
Thu Feb 4 16:12:37 CET 2010


Val-permissive-mode only instructs unbound to return a bogus answer but
not to set the AD-flag (instead of returning servfail). So it will not
disable DNSSEC validation.

I wish I had an unbound to test with where I am right now, but reading
from the manual page you might want to try the module-config option to
turn off DNSSEC validation.

  module-config: <"module names">
          Module configuration, a list of module names separated by
          spaces, surround the string with quotes (""). The modules can be
          validator, iterator. Setting this to "iterator" will result in a
          non-validating server. Setting this to "validator iterator" will
          turn on DNSSEC validation. The ordering of the modules is
          important. You must also set trust-anchors for validation to be
          useful.

Thanks, S
----------------------------------------------------------------------
Stephan Lagerholm
Senior DNS Architect, M.Sc., CISSP
Secure64 Software Corporation, www.secure64.com
Cell: 469-834-3940
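As an added check, not taken from this thread or from the Unbound project: a small POSIX shell function that reads a `dig +dnssec` reply and reports whether the answer came back with the AD flag, without it, or as SERVFAIL, which is how the three behaviours discussed above (strict validation, val-permissive-mode, and module-config: "iterator") look to a client. The sample headers in the block are constructed, not captured from a real server.

```shell
#!/bin/sh
# Classify what a resolver did with a DNSSEC query from the header of a
# `dig +dnssec` answer. Live use against a local unbound:
#   dig +dnssec @127.0.0.1 example.com A | classify_dig_output
#
#   validated    AD flag set: validator module active and the chain verified
#   unvalidated  answer returned without AD: either module-config "iterator"
#                (no validator at all) or val-permissive-mode passing along a
#                bogus answer; the reply alone cannot tell the two apart
#   servfail     status SERVFAIL: what a strictly validating unbound returns
#                for a bogus answer (or on an unrelated lookup failure)
classify_dig_output() {
    out=$(cat)
    status=$(printf '%s\n' "$out" | sed -n 's/.*, status: \([A-Z]*\),.*/\1/p' | head -n 1)
    flags=$(printf '%s\n' "$out" | sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p' | head -n 1)
    case "$status" in
        SERVFAIL) echo servfail; return 0 ;;
        NOERROR|NXDOMAIN) ;;
        '') echo unknown; return 1 ;;
        *) echo "other:$status"; return 0 ;;
    esac
    # dig prints the header flags as a space-separated list, e.g. "qr rd ra ad"
    case " $flags " in
        *" ad "*) echo validated ;;
        *) echo unvalidated ;;
    esac
}

# Constructed sample headers (not from a real server) covering the three
# outcomes; the other dig sections are omitted since only the header matters.
SAMPLE_VALIDATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_PERMISSIVE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_BOGUS=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 3
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

for s in "$SAMPLE_VALIDATED" "$SAMPLE_PERMISSIVE" "$SAMPLE_BOGUS"; do
    printf '%s\n' "$s" | classify_dig_output
done
```

Note that "unvalidated" on a zone you know is signed and correct means the resolver is not validating at all, while "unvalidated" only on a deliberately broken test zone is what val-permissive-mode looks like.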

> -----Original Message-----
> From: unbound-users-bounces at NLnetLabs.nl [mailto:unbound-users-
> bounces at NLnetLabs.nl] On Behalf Of Paul Wouters
> Sent: Thursday, February 04, 2010 3:35 PM
> To: Leen Besselink
> Cc: unbound-users at unbound.net
> Subject: Re: [Unbound-users] small bug ?
> 
> On Thu, 4 Feb 2010, Leen Besselink wrote:
> 
> > And I found out unbound was sending queries with the DO-bit set, but
> > it isn't configured to actually validate anything.
> 
> unbound does validation per default. You can disable this using
> 
> val-permissive-mode:yes
> 
> however, it will still perform queries with the DO bit, and validation.
> It will just pass the data along anyway (as if the client sent the CD bit)
> 
> > Is there a way to turn this off when needed (for example if I'm running
> > unbound on a laptop and am somewhere with a bad firewall) ?
> 
> unbound should recover from those failures (eg TCP 53 firewalled, or
> UDP >512bytes failing) by itself.
> 
> Paul
> _______________________________________________
> Unbound-users mailing list
> Unbound-users at unbound.net
> http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users