Maintained by: NLnet Labs

[Unbound-users] unbound returning unvalidated responses briefly on startup?

W.C.A. Wijngaards
Mon Feb 3 09:43:32 CET 2014



Hoi Paul,

On 02/03/2014 08:10 AM, Paul Wouters wrote:
> On Mon, 3 Feb 2014, Andreas Schulze wrote:
> 
>>> service unbound start
>>> dig +dnssec nohats.ca
>> 
>> Paul,
>> 
>> I could not reproduce unvalidated answers using unbound-1.4.21.
>> Empty cache, first dig takes 800ms. Second dig answered from
>> cache, 2 ms; both have AD bit set.
> 
> Is that on a colocated machine? Or a slower DSL/cable modem box? I
> have a feeling it works fine on well-connected machines, but pops
> up on machines on slow/bad links.

Paul, can you replicate this with verbosity high (4 or 5)?  Unbound
should not do this (I am quick to point out, but it was obvious).
Something is wrong, obviously; could it be that you have two
nameservers and that your stub falls back to the second DNS server
(not this unbound) that does not perform validation?

Best regards,
   Wouter

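
One way to test the fallback hypothesis raised in the message above, as an added example that is not part of the original thread: query every nameserver the stub resolver may use and check each response for the AD flag. The function names, and the use of a resolv.conf-style file as the server list, are assumptions of this sketch.

```shell
#!/bin/sh
# Added example (not from the thread): find configured resolvers that answer
# without the AD bit, i.e. ones a stub could fall back to and get
# unvalidated data from. Function names are hypothetical.

# Print the nameserver addresses listed in a resolv.conf-style file.
list_nameservers() {
    awk '$1 == "nameserver" && $2 != "" { print $2 }' "$1"
}

# Read dig output on stdin; succeed only if the header flags include "ad".
# Parses the ";; flags: qr rd ra ad; QUERY: 1, ..." line, so "ad" appearing
# elsewhere (for example in "ADDITIONAL") does not count.
has_ad_flag() {
    awk '/^;; flags:/ {
             sub(/^;; flags:/, ""); sub(/;.*/, "")
             n = split($0, f, " ")
             for (i = 1; i <= n; i++) if (f[i] == "ad") found = 1
         }
         END { exit (found ? 0 : 1) }'
}

# Query each nameserver for NAME; return non-zero if any answers without AD.
check_resolvers() {
    conf=$1; name=$2; rc=0
    for ns in $(list_nameservers "$conf"); do
        if dig +dnssec +time=5 +tries=1 "@$ns" "$name" A | has_ad_flag; then
            echo "$ns: AD set (validating)"
        else
            echo "$ns: no AD bit (not validating, or no answer)"
            rc=1
        fi
    done
    return $rc
}

# Usage: sh check_ad.sh /etc/resolv.conf nohats.ca
if [ "$#" -eq 2 ]; then
    check_resolvers "$1" "$2"
fi
```

The name queried must be in a signed zone for the AD flag to be meaningful; a server reported without AD here is one whose answers the stub would accept unvalidated after a timeout on the first entry.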