Maintained by: NLnet Labs

[Unbound-users] dnssec stripping not resulting in serv fail?

Paul Wouters
Fri Jan 7 17:53:17 CET 2011


I was recently at the SFO airport, and ran into a DNS server on their free
wifi that does DNSSEC stripping. Or at least, it knows about DNSSEC-related
RRTYPEs (DNSKEY, etc.) but does not serve RRSIGs when requesting DNSSEC with
the DO bit.

In my case, I had unbound running and configured it to use the dhcp supplied
forwarder using: unbound-control forward

It was just primed with the root key. There is a trust path from the root all
the way down to However, unbound gave me the IP without me
specifying the CD bit. It logged:

unbound: [23014:0] info: incoming scrubbed packet: ;;

I had harden-dnssec-stripped:yes

I'm not very comfortable that applications receive this potentially forged data,
even if unbound returns it without the AD bit. This is more than insecure, this
is "tampered with".

What is the reasoning behind this decision with unbound?

Isn't harden-dnssec-stripped supposed to toggle this?

Could we have an option that would ServFail data from confirmed scrubbed packets?
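As an added example (not from this post or from the Unbound project), the check below parses a DNS wire response to a DO=1 query and labels the case described above: answer data returned without any RRSIG for a zone known to be signed. The sample messages are constructed inside the block; www.example. and the 192.0.2.1 address are placeholders, and the function and field names are the example's own.

```python
import struct
TYPE_A, TYPE_RRSIG, TYPE_OPT = 1, 46, 41          # RR type codes (RFC 1035/4034/6891)

def encode_name(name):
    # Uncompressed wire-format name: "www.example." -> b"\x03www\x07example\x00"
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"

def skip_name(msg, off):
    # Step over a possibly compressed name (a label byte with the top two bits set is a pointer)
    while msg[off] and msg[off] & 0xC0 != 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] & 0xC0 == 0xC0 else 1)

def parse_response(msg):
    """Summarise one DNS wire response: AD flag, DO bit echoed in OPT, answer RR types."""
    _, flags, qd, an, ns, ar = struct.unpack_from("!6H", msg, 0)
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4              # QNAME + QTYPE + QCLASS
    answer_types, do_bit = [], False
    for i in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10 + rdlen
        if i < an:
            answer_types.append(rtype)
        elif rtype == TYPE_OPT:
            do_bit = bool(ttl & 0x8000)            # DO is the top bit of the OPT "TTL" field
    return {"ad": bool(flags & 0x0020), "do": do_bit, "answer_types": answer_types}

def classify(msg):
    """Label a response to a DO=1 query for a name in a zone known to be signed."""
    r = parse_response(msg)
    if r["ad"]:
        return "validated"                         # resolver set AD: chain of trust checked
    if not r["answer_types"]:
        return "empty"
    if TYPE_RRSIG in r["answer_types"]:
        return "signed-data-not-validated"         # RRSIGs present, validation is still our job
    return "rrsig-missing"                         # data for a signed zone with no signatures
def build_response(answers, do_bit, ad=False):
    # Constructed sample message: question www.example./A, the given answer RRs, one OPT RR
    hdr = struct.pack("!6H", 0x1234, 0x8180 | (0x0020 if ad else 0), 1, len(answers), 0, 1)
    q = encode_name("www.example.") + struct.pack("!HH", TYPE_A, 1)
    rrs = b"".join(encode_name("www.example.") + struct.pack("!HHIH", t, 1, 300, len(rd)) + rd
                   for t, rd in answers)
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, 0x8000 if do_bit else 0, 0)
    return hdr + q + rrs + opt

A_RDATA = bytes([192, 0, 2, 1])                    # constructed address (TEST-NET-1)
STRIPPED = build_response([(TYPE_A, A_RDATA)], do_bit=True)        # answer with RRSIG stripped
SIGNED = build_response([(TYPE_A, A_RDATA), (TYPE_RRSIG, b"\x00" * 26)], do_bit=True)  # placeholder RRSIG rdata
```

A response that classifies as "rrsig-missing" is the one the post argues should not reach applications; a validating resolver that still returns such data can only mark it by clearing AD.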