Maintained by: NLnet Labs

Unbound does not honor forwarder DNSSEC verification?

Paul Wouters
Tue Mar 1 06:44:26 CET 2016


On Mon, 29 Feb 2016, la9k3 via Unbound-users wrote:

> Is there a way to make unbound honor my forwarder's dnssec validation?
>
> For example, I use unbound as a caching forwarder and have "." set as a
> forwarding zone that forwards everything to Google's public DNS
> (8.8.8.8).
>
> However, when I test dnssec, I get a valid reply from servers such
> as www.dnssec-failed.org. This doesn't happen if I use Google's DNS as
> my normal resolver, in which case I get a SERVFAIL response.

That works for me:

paul at bofh:~$ sudo service unbound restart
Redirecting to /bin/systemctl restart  unbound.service
paul at bofh:~$ sudo unbound-control list_forwards
paul at bofh:~$ sudo unbound-control forward_add . 8.8.8.8
ok
paul at bofh:~$ cat /etc/resolv.conf 
# Generated by NetworkManager
search nohats.ca
nameserver 127.0.0.1
paul at bofh:~$ dig +dnssec www.dnssec-failed.org

; <<>> DiG 9.10.3-P3-RedHat-9.10.3-10.P3.fc23 <<>> +dnssec
www.dnssec-failed.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 14945
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.dnssec-failed.org.		IN	A

;; Query time: 490 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Mar 01 00:43:08 EST 2016
;; MSG SIZE  rcvd: 50

paul at bofh:~$
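Added example, not part of this thread and not Unbound's own code: a small Python parser for the text that dig prints (the format shown in the reply above) plus a check that compares a query for a correctly signed name against one for a known-bogus name such as www.dnssec-failed.org. It needs no network; the first sample is the SERVFAIL output from the reply, the other two samples (a NOERROR answer with the ad flag for example.com, and the unvalidated NOERROR answer the original poster described) are constructed, with constructed addresses and a placeholder signature. The header and flag names are dig's real ones; the function names are mine.

```python
"""Tell from `dig +dnssec` output whether a resolver validates DNSSEC."""
import re
from dataclasses import dataclass
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class DigResult:
    status: str            # rcode from the header line: NOERROR, SERVFAIL, ...
    flags: FrozenSet[str]  # header flags, e.g. {"qr", "rd", "ra", "ad"}
    do_bit: bool           # True when the EDNS OPT record carried the DO flag
    qname: Optional[str]   # owner name from the QUESTION section


def parse_dig(output: str) -> DigResult:
    """Extract status, header flags, EDNS DO flag and qname from dig output."""
    status, flags, do_bit, qname = "UNKNOWN", frozenset(), False, None
    in_question = False
    for line in output.splitlines():
        m = re.search(r"->>HEADER<<-.*\bstatus: (\w+)", line)
        if m:
            status = m.group(1)
        elif line.startswith(";; flags:"):
            # ";; flags: qr rd ra; QUERY: 1, ..." -> {"qr", "rd", "ra"}
            flags = frozenset(line[len(";; flags:"):].split(";")[0].split())
        elif line.startswith("; EDNS:"):
            # "; EDNS: version: 0, flags: do; udp: 4096" -> DO set
            m = re.search(r"flags: ([a-z ]*);", line)
            do_bit = bool(m) and "do" in m.group(1).split()
        elif line.startswith(";; QUESTION SECTION:"):
            in_question = True
        elif in_question and line.startswith(";") and not line.startswith(";;"):
            qname = line[1:].split()[0]  # ";www.dnssec-failed.org.  IN  A"
            in_question = False
    return DigResult(status, flags, do_bit, qname)


def classify(good: DigResult, bogus: DigResult) -> str:
    """Compare a correctly signed name with a deliberately broken one.

    A resolver that validates itself refuses the bogus name (SERVFAIL) and
    marks the good answer Authenticated Data (the ``ad`` flag). A resolver
    that only forwards hands the bogus answer back with NOERROR. Anything
    else (e.g. a query sent without +dnssec, so no ad flag) is inconclusive.
    """
    if bogus.status == "SERVFAIL" and "ad" in good.flags:
        return "validating"
    if bogus.status == "NOERROR":
        return "not-validating"
    return "inconclusive"


# Copied from the reply above: local Unbound, forwarding "." to 8.8.8.8.
SERVFAIL_BOGUS = """\
; <<>> DiG 9.10.3-P3-RedHat-9.10.3-10.P3.fc23 <<>> +dnssec www.dnssec-failed.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 14945
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.dnssec-failed.org.\t\tIN\tA
"""

# Constructed: a validated answer for a properly signed name (ad flag set).
GOOD_AD = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;example.com.\t\t\tIN\tA

;; ANSWER SECTION:
example.com.\t3600\tIN\tA\t192.0.2.1
example.com.\t3600\tIN\tRRSIG\tA 8 2 3600 (signature omitted, constructed)
"""

# Constructed: what the original poster saw, the bogus name answered as if fine.
NOERROR_BOGUS = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.dnssec-failed.org.\t\tIN\tA

;; ANSWER SECTION:
www.dnssec-failed.org.\t300\tIN\tA\t192.0.2.53
"""

if __name__ == "__main__":
    good, bogus = parse_dig(GOOD_AD), parse_dig(SERVFAIL_BOGUS)
    print(bogus.qname, bogus.status, sorted(bogus.flags), "DO" if bogus.do_bit else "no DO")
    print("validating resolver:", classify(good, bogus))
    print("forward-only resolver:", classify(good, parse_dig(NOERROR_BOGUS)))
```

To use it against a live resolver, capture `dig +dnssec @127.0.0.1 www.dnssec-failed.org` and a query for a signed name you know is good, and pass both outputs to parse_dig. The reason to check locally at all is that an upstream forwarder's ad flag arrives in an unauthenticated UDP reply, so the only validation a client can rely on is the one its own resolver performs; that is what the SERVFAIL in the reply above demonstrates.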