Maintained by: NLnet Labs

[Unbound-users] dnssec stripping not resulting in serv fail?

W.C.A. Wijngaards
Fri Jan 7 19:11:18 CET 2011


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Paul,

On 01/07/2011 05:53 PM, Paul Wouters wrote:
> 
> Hi,
> 
> I was recently at the SFO airport, and ran into a DNS server on their free
> wifi that does DNSSEC stripping. Or at least, it knows about DNSSEC-related
> RRTYPEs (DNSKEY, etc.) but does not serve RRSIGs when requesting DNSSEC
> with the DO bit.

It should servfail.

> In my case, I had unbound running and configured it to use the DHCP-supplied
> forwarder using: unbound-control forward 1.2.3.4

But that statement leaves the cache intact, where a previously validated
(at home or the office) RR may reside.

> It was just primed with the root key. There is a trust path from the root all
> the way down to xelerance.org. However, unbound gave me the IP without me
> specifying the CD bit. It logged:
> 
> unbound: [23014:0] info: incoming scrubbed packet: ;;

If you start logging, it should log lots more than that.  If you get
there again, it could be helpful to clear the cache and then try with
logging enabled.

I think you had a valid entry in the cache that was returned without
actually sending queries at SFO.

Best regards,
   Wouter
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.15 (GNU/Linux)
Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org/

iEYEARECAAYFAk0nV0UACgkQkDLqNwOhpPi3vQCdF2Igbd20iF6a5uMbQpke4Yp2
F/EAoJNqzC2q+t+j6/2IBx7CunY8/dux
=ZdQB
-----END PGP SIGNATURE-----
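The check Wouter suggests, written out as an added shell example that is not part of the thread: switch the forwarder and, unlike a bare `unbound-control forward`, flush the cache in the same step so an RRset validated earlier at home or the office cannot be answered from memory (a cached validated entry is returned with AD set even though the new forwarder was never asked, which is why the flush comes first), raise the log verbosity, then query with DO set and CD clear and classify the result. A name with a chain of trust from the root whose RRSIGs are stripped should come back SERVFAIL; NOERROR with AD means the signatures arrived and verified. The script assumes a local unbound with remote-control enabled, the `unbound-control` subcommands `forward`, `flush_zone` and `verbosity`, `dig` on the path, and 1.2.3.4 from Paul's message as a placeholder forwarder; the dig header lines used for the offline run, and the labels `validated`/`servfail`/`unvalidated`, are constructed here.

```shell
#!/bin/sh
# Added example, not from the original thread or from NLnet Labs.
# Assumes a local unbound with remote-control enabled and dig installed;
# the forwarder address is a placeholder taken from the original message.
UNBOUND_CONTROL=${UNBOUND_CONTROL:-unbound-control}
DIG=${DIG:-dig}

# Point unbound at the captive-portal forwarder AND flush the cache.
# 'forward' alone leaves cached (already validated) RRsets in place, so a
# later query may be answered from memory without the new forwarder ever
# being asked. 'flush_zone .' drops everything at or below the root;
# 'verbosity 2' makes the validator log its decisions.
switch_forwarder_clean() {
    fwd=$1
    "$UNBOUND_CONTROL" forward "$fwd" &&
    "$UNBOUND_CONTROL" flush_zone . &&
    "$UNBOUND_CONTROL" verbosity 2
}

# Classify a 'dig +dnssec' answer read on stdin. Prints one of:
#   validated   NOERROR with the AD flag: RRSIGs were present and verified
#   servfail    what a validating resolver should return when RRSIGs are
#               stripped for a name that has a chain of trust from the root
#   unvalidated NOERROR without AD: unsigned name, or no trust anchor
#               covers it
#   unknown     no dig header line found
classify_dig() {
    out=$(cat)
    status=$(printf '%s\n' "$out" |
        sed -n 's/^;; ->>HEADER<<- .*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    case $status in
        SERVFAIL) echo servfail ;;
        NOERROR)
            if printf '%s\n' "$out" | grep -q '^;; flags:.* ad[ ;]'; then
                echo validated
            else
                echo unvalidated
            fi ;;
        "") echo unknown ;;
        *) echo "other:$status" ;;
    esac
}

# Live check against the local resolver: DO bit set (+dnssec), CD bit clear.
check_name() {
    "$DIG" +dnssec "$1" A @127.0.0.1 | classify_dig
}

# Constructed dig header lines for the offline run (not real captures).
SAMPLE_SERVFAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_AD=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_NOAD=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4244
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'

if [ $# -gt 0 ]; then
    # Usage with a live unbound: sh dnssec_strip_check.sh 1.2.3.4 xelerance.org
    switch_forwarder_clean "$1" && check_name "$2"
else
    # No arguments: classify the constructed samples only.
    for s in "$SAMPLE_SERVFAIL" "$SAMPLE_AD" "$SAMPLE_NOAD"; do
        printf '%s\n' "$s" | classify_dig
    done
fi
```

Run it with the forwarder address and a signed name as arguments on the suspect network; a `servfail` line is the behaviour the reply says a validating unbound should show, while `validated` after the flush means the forwarder did pass RRSIGs through. Keep `verbosity 2` only for the test, since it is chatty on a busy resolver.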