Maintained by: NLnet Labs

[Unbound-users] Unbound 1.5.0 release

Ondřej Caletka
Tue Nov 18 13:47:30 CET 2014


Hello,

On 18.11.2014 10:07, W.C.A. Wijngaards wrote:
> -   DNS64 from Viagenie (BSD Licensed), written by Simon Perrault.
> Initial commit of the patch from the FreeBSD base (with its fixes).
> This adds a module (for module-config in unbound.conf) dns64 that
> performs DNS64 processing, see README.DNS64.

Thank you, this is a long time anticipated feature. However, I'd like to
point out that the implementation is NOT compliant with RFC 6147 when it
comes to a query with CD and DO flags:

$ dig ipv4only.arpa aaaa @::1 +dnssec +cdflag +noadflag

; <<>> DiG 9.9.5 <<>> ipv4only.arpa aaaa @::1 +dnssec +cdflag +noadflag
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37682
;; flags: qr rd ra ad cd; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;ipv4only.arpa.                 IN      AAAA

;; ANSWER SECTION: ** notice that synthesised records are present **
ipv4only.arpa.          86306   IN      AAAA    64:ff9b::c000:aa
ipv4only.arpa.          86306   IN      AAAA    64:ff9b::c000:ab

;; AUTHORITY SECTION: ** notice that NSEC records are not present **
ipv4only.arpa.          86306   IN      NS      a.iana-servers.net.
ipv4only.arpa.          86306   IN      NS      b.iana-servers.net.
ipv4only.arpa.          86306   IN      NS      ns.icann.org.
ipv4only.arpa.          86306   IN      NS      c.iana-servers.net.
ipv4only.arpa.          86306   IN      RRSIG   NS 8 2 86400
20141125110729 20141118093346 54055 ipv4only.arpa.
eAkkdnmWNJVRBGr62xlhwPYr3O8eTHoB+fwLJHy5PiAAAJj2Av/hJeb5
UjHMakk7nUriLZ0FNlZoP/XWDJbV0SNdjow3AXWrPsO42fVsMGT35Ira
Qx+FI3G7mrDBPKgL7jIAZ33DOcqFej9VDAagyvmXi8dknyT0qWkJ/ta2 aKE=

;; Query time: 0 msec
;; SERVER: ::1#53(::1)
;; WHEN: Út lis 18 13:35:41 CET 2014
;; MSG SIZE  rcvd: 361


That means the DNS64 module will break any attempt to do further DNSSEC
validation behind a DNS64 resolver, making endpoint DNSSEC validation
virtually impossible. I think this should be fixed before this module
gets any wider adoption.

Cheers,
Ondřej Caletka
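The CD/DO rule Ondřej refers to, as an added example that is not part of the original post or of Unbound's DNS64 module: a small Python model of an AAAA response, with the reported behaviour (synthesize regardless of flags, denial proof gone) next to the RFC 6147 section 5.5 behaviour (with CD=1 and DO=1, return the upstream data unchanged), and a check of what a validating stub would still be able to prove. The record sets, the flag dict and the 192.0.0.170/171 A records behind the two synthesised AAAAs are constructed for the example; flag combinations other than CD+DO are simplified to "synthesize".

```python
import ipaddress
# Well-known DNS64 prefix (RFC 6052), the one seen in the dig output above.
DNS64_PREFIX = int(ipaddress.IPv6Address("64:ff9b::"))
DENIAL_TYPES = ("NSEC", "NSEC3")

def synthesize_aaaa(a_rdatas):
    """Embed each IPv4 address in the /96 prefix the way DNS64 does (RFC 6147 5.1.7)."""
    return [{"type": "AAAA",
             "rdata": str(ipaddress.IPv6Address(DNS64_PREFIX | int(ipaddress.IPv4Address(a))))}
            for a in a_rdatas]

def proves_denial(rr):
    """NSEC/NSEC3 records and the RRSIGs over them are the signed proof 'no AAAA exists'."""
    return rr["type"] in DENIAL_TYPES or (rr["type"] == "RRSIG" and rr.get("covers") in DENIAL_TYPES)

def dns64_observed(flags, aaaa_upstream, a_rdatas):
    """Model of the behaviour reported above: synthesize whenever the AAAA answer is
    empty, ignoring CD/DO, and return the authority section without the NSEC proof."""
    if aaaa_upstream["answer"]:
        return aaaa_upstream
    return {"answer": synthesize_aaaa(a_rdatas),
            "authority": [rr for rr in aaaa_upstream["authority"] if not proves_denial(rr)]}

def dns64_rfc6147(flags, aaaa_upstream, a_rdatas):
    """RFC 6147 5.5: with CD=1 and DO=1 the client validates itself, so the resolver
    must not synthesize and must hand back the upstream data (NSEC + RRSIG) untouched."""
    if aaaa_upstream["answer"] or (flags["cd"] and flags["do"]):
        return aaaa_upstream
    return {"answer": synthesize_aaaa(a_rdatas), "authority": []}

def stub_can_validate(response):
    """What an endpoint validator needs: a signed AAAA answer, or a signed NSEC/NSEC3 denial."""
    if response["answer"]:
        return any(rr["type"] == "RRSIG" and rr.get("covers") == "AAAA" for rr in response["answer"])
    auth = response["authority"]
    return (any(rr["type"] in DENIAL_TYPES for rr in auth)
            and any(rr["type"] == "RRSIG" and rr.get("covers") in DENIAL_TYPES for rr in auth))

# Constructed upstream data for ipv4only.arpa: a signed empty AAAA answer plus its A records.
UPSTREAM_AAAA = {"answer": [],
                 "authority": [{"type": "NS"}, {"type": "RRSIG", "covers": "NS"},
                               {"type": "NSEC"}, {"type": "RRSIG", "covers": "NSEC"}]}
A_RDATAS = ["192.0.0.170", "192.0.0.171"]
CD_DO = {"cd": True, "do": True}
if __name__ == "__main__":
    print([rr["rdata"] for rr in synthesize_aaaa(A_RDATAS)])
    print(stub_can_validate(dns64_observed(CD_DO, UPSTREAM_AAAA, A_RDATAS)))   # False
    print(stub_can_validate(dns64_rfc6147(CD_DO, UPSTREAM_AAAA, A_RDATAS)))    # True
```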
