[Unbound-users] bogus resolution with forwarding and DLV

Tony Finch
Sun Feb 8 23:48:45 CET 2015

Viktor Dukhovni <ietf-dane at> wrote:
> I think this is another good reason to stop using DLV.

This is not just a DLV problem: it can occur for any validator which has
trust anchors for parts of the namespace for which its upstream recursive
server does not.

> If unbound is updated to drop unsigned authority RRsets, care should
> be taken to not drop unsigned SOA RRs.  From some nameservers I've
> seen replies with signed NSEC/NSEC3 records, and an unsigned SOA.
> Unbound correctly designates these as bogus.

Bogosity should be per-RRset not per-answer. (Though in the case of
nonexistent RRsets you may need multiple NSEC/NSEC3 RRsets to prove
nonexistence; in that case bogosity applies to each RRset individually
and to the proof as a whole. If there is other gubbins in the answer, that
does not affect your ability to demonstrate you got a good answer to the
question you asked.)
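The per-RRset rule argued above, as an added example that is not Unbound's code: a toy Python validator that gives every RRset its own verdict and judges the answer to the question only by the RRsets the proof relies on, so an unsigned SOA beside validly signed NSECs leaves the proof secure. Signature checking is replaced by a precomputed `rrsig_valid` flag, a trust anchor is assumed to cover the zone, and the NSEC chain and names are constructed.

```python
from dataclasses import dataclass

@dataclass
class RRset:
    name: str
    rtype: str
    section: str                  # "answer" or "authority"
    rrsig_valid: "bool | None"    # True: RRSIG verified, False: bad RRSIG, None: no RRSIG
    nsec_next: str = ""           # NSEC only: next owner name
    nsec_types: frozenset = frozenset()  # NSEC only: type bitmap

def rrset_status(rr: RRset) -> str:
    """Per-RRset verdict (assumes a trust anchor covers the zone, so unsigned = bogus)."""
    return "secure" if rr.rrsig_valid else "bogus"

def canon_key(name: str) -> tuple:
    """DNSSEC canonical name order (RFC 4034 s6.1): labels compared right to left."""
    return tuple(l.lower() for l in reversed(name.rstrip(".").split(".")))

def nsec_covers(nsec: RRset, qname: str) -> bool:
    """qname sorts strictly between NSEC owner and next name (last NSEC wraps to apex)."""
    o, n, q = canon_key(nsec.name), canon_key(nsec.nsec_next), canon_key(qname)
    return o < q < n if o < n else (q > o or q < n)

def answer_status(qname: str, qtype: str, rrsets: list) -> str:
    """Verdict for the answer to the question only: RRsets the proof does not
    rely on (e.g. an unsigned SOA in the authority section) are ignored."""
    answer = [r for r in rrsets if r.section == "answer"
              and canon_key(r.name) == canon_key(qname) and r.rtype == qtype]
    if answer:  # positive answer: every matching RRset must verify
        return "bogus" if any(rrset_status(r) == "bogus" for r in answer) else "secure"
    nsecs = [r for r in rrsets if r.rtype == "NSEC" and r.section == "authority"]
    # Negative answer: each NSEC RRset is judged individually ...
    if not nsecs or any(rrset_status(n) == "bogus" for n in nsecs):
        return "bogus"
    # ... and the proof as a whole must deny the question: NODATA (NSEC at qname
    # lacking qtype) or NXDOMAIN (NSECs covering qname and the wildcard at its
    # parent; taking the parent as closest encloser simplifies RFC 4035 s5.4).
    nodata = any(canon_key(n.name) == canon_key(qname) and qtype not in n.nsec_types
                 for n in nsecs)
    wild = "*." + qname.split(".", 1)[1]
    nxdomain = all(any(nsec_covers(n, x) for n in nsecs) for x in (qname, wild))
    return "secure" if nodata or nxdomain else "bogus"

# Constructed NXDOMAIN response of the shape described in the thread: two validly
# signed NSEC RRsets plus an unsigned SOA, all in the authority section.
EXAMPLE_NXDOMAIN = [
    RRset("example.", "SOA", "authority", None),
    RRset("example.", "NSEC", "authority", True, "a.example.", frozenset({"SOA", "NS", "NSEC", "RRSIG"})),
    RRset("a.example.", "NSEC", "authority", True, "zz.example.", frozenset({"A", "NSEC", "RRSIG"})),
]
```

With this response, `rrset_status` marks the SOA bogus on its own while `answer_status("nope.example.", "A", EXAMPLE_NXDOMAIN)` is secure; flipping one NSEC's `rrsig_valid` to False makes the proof bogus.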

