Maintained by: NLnet Labs

[Unbound-users] Forward first behavior when validation fails

Ondřej Caletka
Mon Jul 16 13:40:09 CEST 2012


It would be nice if the new "forward-first" option in unbound would be
able to switch over to direct query not only in case the forwarder does
not respond but also when the response is not correctly validated.

The problem is that I am using unbound locally on my laptop to ensure
all DNS traffic is validated. It works great when unbound is doing all
the recursion. But it is quite an inelegant solution with low scalability.

But when I set up forwarding the "." zone to DHCP-assigned DNS forwarders,
it often starts to behave strangely. Not only do some old DNS forwarders
strip DNSSEC data, rendering the trust anchor invalid, there is also a
problem with forwarding wildcard DNS queries to BIND 9.7 or 9.8.

I have set up a test page, showing your DNSSEC validator status,
feel free to test your resolver setup:

It would be nice if unbound would be able to fall back to direct
recursion if forwarded data fails to validate. Using an external solution
like dnssec-trigger cannot solve the problem well, since there are so
many affected resolvers out there, so dnssec-trigger would fall back to
some tunneling setup virtually all the time. Using proper forward-first,
it would be possible to use (even broken) forwarders most of the time,
and switch to "full recursion mode" only in case validation fails.

Ondřej Caletka
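As an added example (not part of the post above, and not NLnet Labs' code), the shell snippet below shows the forward-first configuration the post is talking about, plus a small helper that reads the validation status that `unbound-host -v` prints for each answer, so a laptop user can see whether the DHCP-assigned forwarder is returning validated, unsigned, or bogus data. The forwarder address 192.0.2.53 and the trust anchor path are placeholders; the `unbound-host` output lines used as sample input are constructed here.

```shell
#!/bin/sh
# Added example, not from the original post. Assumptions: 192.0.2.53 is a
# placeholder forwarder address and /var/lib/unbound/root.key is a
# placeholder trust anchor path.

# Print a minimal unbound.conf that forwards the "." zone to a forwarder
# but keeps a trust anchor so every answer is still validated locally.
# forward-first lets unbound try full recursion when the forwarder gives
# no usable answer; as the post points out, a forwarder that answers but
# strips DNSSEC data does not by itself trigger that fallback.
forward_first_conf() {
    fwd="$1"
    cat <<EOF
server:
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    val-log-level: 2
forward-zone:
    name: "."
    forward-addr: ${fwd}
    forward-first: yes
EOF
}

# Classify one line of 'unbound-host -v' output by the validation status
# unbound-host appends to each answer. Prints: secure, insecure, bogus
# or unknown.
classify_validation() {
    case "$1" in
        *"(secure)"*)   echo secure ;;
        *"(insecure)"*) echo insecure ;;
        *"(BOGUS"*)     echo bogus ;;
        *)              echo unknown ;;
    esac
}

# Constructed sample lines in the shape 'unbound-host -v' prints them.
SAMPLE_SECURE='example.com has address 192.0.2.1 (secure)'
SAMPLE_BOGUS='example.com has address 192.0.2.1 (BOGUS (security failure))'
SAMPLE_INSECURE='example.net has address 192.0.2.2 (insecure)'

# Usage on a real host (requires unbound installed):
#   forward_first_conf 192.0.2.53 > /tmp/unbound.conf
#   unbound-checkconf /tmp/unbound.conf
#   unbound-host -C /tmp/unbound.conf -v example.com \
#     | while read -r line; do classify_validation "$line"; done
```

A `bogus` result for a name that the public test page reports as secure is the symptom the post describes: the forwarder answered, so forward-first did not fall back, but the stripped DNSSEC data failed local validation.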