Maintained by: NLnet Labs

[Unbound-users] How to disable DNSSEC validation

Tomas Hozza
Wed Dec 4 16:02:43 CET 2013



----- Original Message -----
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Hi Tomas,
> 
> You can set permissive mode at runtime (val-permissive-mode: yes).
> Another way may be to edit the config file; and remove the trust
> anchors and reload it.

Setting val-permissive-mode to yes using unbound-control at
runtime does not work.

root at thozza-pc /home/thozza
# dig @127.0.0.1 www.dnssec-failed.org

; <<>> DiG 9.9.3-rl.13207.22-P2-RedHat-9.9.3-11.P2.fc19 <<>> @127.0.0.1 www.dnssec-failed.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 27325
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.dnssec-failed.org.		IN	A

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Dec 04 15:55:23 CET 2013
;; MSG SIZE  rcvd: 50

root at thozza-pc /home/thozza
# unbound-control get_option val-permissive-mode
no
root at thozza-pc /home/thozza
# unbound-control set_option val-permissive-mode: yes
ok
root at thozza-pc /home/thozza
# unbound-control flush_zone .
ok removed 209 rrsets, 214 messages and 10 key entries
root at thozza-pc /home/thozza
# dig @127.0.0.1 www.dnssec-failed.org

; <<>> DiG 9.9.3-rl.13207.22-P2-RedHat-9.9.3-11.P2.fc19 <<>> @127.0.0.1 www.dnssec-failed.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 47988
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.dnssec-failed.org.		IN	A

;; Query time: 3826 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Dec 04 15:56:08 CET 2013
;; MSG SIZE  rcvd: 50

root at thozza-pc /home/thozza
# unbound-control get_option val-permissive-mode
yes

> (there is even documentation for this:
> http://unbound.net/documentation/howto_turnoff_dnssec.html )

I know, but 'val-permissive-mode' is not listed in the
unbound-control man page as a supported option for the
set_option command.

I guess there is no other way, but to change the unbound.conf
and reload the server.

Regards,

Tomas Hozza
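The message ends on the config-and-reload route. The script below is an added example, not code from this thread or from NLnet Labs: it rewrites the "server:" section of an unbound.conf in place, shows the three documented ways to stop SERVFAILs on bogus data (val-permissive-mode, domain-insecure for one zone, and module-config: "iterator" to drop the validator entirely, as in the howto linked above), and re-runs the same dig check the message used. The helper names, the file paths and the constructed sample config are assumptions. Note the caveat in the comments: val-permissive-mode is not "validation off"; the validator still runs and logs, and bogus answers are served without the AD bit.

```shell
#!/bin/sh
# Added example (not from the original message or from NLnet Labs).
# Edits the "server:" section of an unbound.conf and reloads the
# daemon.  Helper names, paths and the sample config are assumptions.

# set_server_option FILE KEY VALUE
# Replace an existing "KEY: ..." line, or add one directly under
# "server:" if none exists.  Idempotent, so it is safe to re-run.
set_server_option() {
    file=$1; key=$2; value=$3
    if grep -Eq "^[[:space:]]*${key}:" "$file"; then
        awk -v k="$key" -v v="$value" '
            $0 ~ ("^[ \t]*" k ":") { print "    " k ": " v; next }
            { print }' "$file" > "$file.tmp"
    else
        awk -v k="$key" -v v="$value" '
            { print }
            /^server:/ && !done { print "    " k ": " v; done = 1 }' "$file" > "$file.tmp"
    fi
    mv "$file.tmp" "$file"
}

# get_server_option FILE KEY -> prints the value of the first matching line
get_server_option() {
    awk -v k="$2" '$0 ~ ("^[ \t]*" k ":") {
        sub(/^[^:]*:[ \t]*/, ""); print; exit }' "$1"
}

# Three ways to stop SERVFAILs on bogus data, weakest to strongest:
#  1. val-permissive-mode: yes  - still validates and logs bogus answers,
#     but hands them to clients marked insecure (no AD bit).
#  2. domain-insecure: "zone"   - turns validation off for one zone only.
#  3. module-config: "iterator" - drops the validator module entirely,
#     which is what the howto the message links to describes.
# Pick ONE; each is a deliberate weakening and should be temporary.
permissive()    { set_server_option "$1" val-permissive-mode yes; }
insecure_zone() { set_server_option "$1" domain-insecure "\"$2\""; }
no_validator()  { set_server_option "$1" module-config '"iterator"'; }

# After editing: syntax-check, reload, and confirm with the same dig the
# message used.  A validating resolver answers SERVFAIL for
# www.dnssec-failed.org; with validation off it answers NOERROR.
# Each step is skipped if the tool is not installed (offline-safe).
reload_and_check() {
    if command -v unbound-checkconf >/dev/null 2>&1; then unbound-checkconf "$1"; fi
    if command -v unbound-control  >/dev/null 2>&1; then unbound-control reload; fi
    if command -v dig >/dev/null 2>&1; then
        dig @127.0.0.1 www.dnssec-failed.org +noall +comments | grep 'status:'
    fi
}

# Stand-alone demo on a constructed config file, not a live server.
demo_conf=${TMPDIR:-/tmp}/unbound-demo.$$.conf
cat > "$demo_conf" <<'EOF'
server:
    interface: 127.0.0.1
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    val-permissive-mode: no
EOF
permissive "$demo_conf"
echo "val-permissive-mode is now: $(get_server_option "$demo_conf" val-permissive-mode)"
rm -f "$demo_conf"
```

To apply it to a real server, run `permissive /etc/unbound/unbound.conf` (or one of the other two helpers) followed by `reload_and_check /etc/unbound/unbound.conf`, and expect the dig status line to change from SERVFAIL to NOERROR. Because the edit is idempotent, a second run leaves the file unchanged, and reverting is a matter of setting the option back and reloading again.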