Maintained by: NLnet Labs

[Unbound-users] bogus resolution with forwarding and DLV

Jaap Akkerhuis
Mon Feb 9 01:55:27 CET 2015


 Viktor Dukhovni writes:

 > On Sat, Feb 07, 2015 at 04:24:33PM +0100, Jan V?el?k wrote:
 > 
 > > The BIND developers claim, that the behavior of BIND is correct.
 > > 
 > > The upstream resolver (BIND) has DLV disabled and therefore uses
 > > a subset of trust anchors my local resolver (Unbound) uses. And the zone
 > > is insecure from the BIND's point of view.
 > > 
 > > Ignoring the fact, that BIND adds NS records into authority from no
 > > reason, omitting the NS RRSIGs is probably justifiable.
 > 
 > I think this is another good reason to stop using DLV.

Apparenlty there are plans to do so. There will be a talk about it
at ICANN-52 (See
<http://singapore52.icann.org/en/schedule/mon-tech/agenda-ccnso-tech-09feb15-en.pdf>.)

	jaap