Maintained by: NLnet Labs

Unbound does not honor forwarder DNSSEC verification?

la9k3
Tue Mar 1 15:22:20 CET 2016


I will try to patch unbound and see if setting the CD bit to 0 works;
it seems like this could be the problem.

Doing my own verification is extremely slow (from 200ms to 4000ms for
a typical query).

Also it seems to me that the CD bit should be set to 0 if the query is
forwarded and the validator module is off. Is there a reason why it is always 1?

Thanks!

To reproduce (if it still matters):
server:
	num-threads: 1

	cache-min-ttl: 60
	access-control: 127.0.0.1 allow
	interface: 127.0.0.1
	port: 53

	chroot: "/etc/unbound"
	username: "unbound"

	logfile: "unbound.log"
	module-config: "iterator"

forward-zone:
	name: "."
	forward-addr: 8.8.8.8

dig www.dnssec-failed.org (works)
dig @8.8.8.8 www.dnssec-failed.org (servfail)

I'm using version 1.5.1

On Tue, Mar 01, 2016 at 09:16:33PM +0900, Daisuke HIGASHI wrote:
> The issue may not be related to bug #681.
> 
> Unbound always forwards query with CD=1 to forwarder,
> so Unbound doesn't honor forwarder DNSSEC verification (I forgot it!)
> 
> So if you disabled DNSSEC validation you will get an "insecure" answer.
> If you want SERVFAIL for www.dnssec-failed.org you have to enable
> DNSSEC validation.
> 
> 
> 2016-03-01 20:47 GMT+09:00 Daisuke HIGASHI <daisuke.higashi at gmail.com>:
> > Hi,
> >
> > Please show us "how to repeat" such as your unbound configuration
> > or procedure to see the problem...
> >
> > A possible bug (feature?) concerning the issue is [1].
> >
> > In Unbound-1.5.4 and older, "unbound-control forward_add . 8.8.8.8"
> > adds a forwarder with "forward-first: yes".
> > It makes Unbound retry recursion by itself if 8.8.8.8 returns SERVFAIL.
> >
> > [1] https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=681
> >
> >
> > 2016-03-01 12:12 GMT+09:00 la9k3 via Unbound-users <unbound-users at unbound.net>:
> >> Hi, I have been looking online for some time trying to fix this problem, hopefully
> >> this is the right last resort place.
> >>
> >> Is there a way to make unbound honor my forwarder's dnssec validation?
> >>
> >> For example, I use unbound as a caching forwarder and have "." set as a
> >> forwarding zone that forwards everything to Google's public DNS
> >> (8.8.8.8).
> >>
> >> However, when I test dnssec, I get a valid reply from servers such
> >> as www.dnssec-failed.org. This doesn't happen if I use Google's DNS as
> >> my normal resolver, in which case I get a SERVFAIL response.
> >>
> >> Is this possible? I have trouble understanding why unbound would give a
> >> valid reply, whereas the forwarder server, when queried directly, returns a SERVFAIL
> >> empty answer.
> >>
> >> Thanks
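
Added example (not part of the original thread and not Unbound code): the CD bit discussed above, shown at the wire level. It builds the forwarded query with CD=1 or CD=0 and interprets the upstream reply's flags; the function names and the header-only sample replies are constructed for illustration.

```python
import struct

# DNS header flag bits (RFC 1035, RFC 4035)
QR, RD, RA, AD, CD = 0x8000, 0x0100, 0x0080, 0x0020, 0x0010
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN"}

def build_query(name, cd, qid=0x1234, qtype=1):
    """Wire-format query with RD=1, EDNS DO=1 and the chosen CD bit."""
    flags = RD | (CD if cd else 0)
    # 1 question, 0 answers, 0 authority, 1 additional (the OPT record)
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 1)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # class IN
    # OPT pseudo-RR: root name, type 41, UDP size 1232, ext-rcode 0,
    # version 0, flags with DO (0x8000), empty RDATA
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 1232, 0, 0, 0x8000, 0)
    return header + question + opt

def parse_flags(msg):
    """Decode the ID, QR/AD/CD bits and RCODE from a DNS message header."""
    qid, flags = struct.unpack("!HH", msg[:4])
    rcode = flags & 0x000F
    return {"id": qid, "qr": bool(flags & QR), "ad": bool(flags & AD),
            "cd": bool(flags & CD), "rcode": RCODES.get(rcode, str(rcode))}

def upstream_verdict(query, response):
    """What a non-validating forwarder can conclude from the upstream reply."""
    q, r = parse_flags(query), parse_flags(response)
    if q["cd"]:
        # CD=1 tells a validating upstream to return data it could not validate
        return "unknown: CD=1 asked upstream to skip validation"
    if r["rcode"] == "SERVFAIL":
        return "failed: upstream returned SERVFAIL (possibly a validation failure)"
    return "secure: AD=1" if r["ad"] else "insecure: AD=0"

# Constructed header-only replies (not captured traffic)
REPLY_TO_CD1 = struct.pack("!HHHHHH", 0x1234, QR | RD | RA | CD, 1, 1, 0, 0)
REPLY_TO_CD0 = struct.pack("!HHHHHH", 0x1234, QR | RD | RA | 2, 1, 0, 0, 0)

if __name__ == "__main__":
    for cd, reply in ((True, REPLY_TO_CD1), (False, REPLY_TO_CD0)):
        q = build_query("www.dnssec-failed.org", cd)
        print("CD=%d flags=%s -> %s" % (cd, q[2:4].hex(), upstream_verdict(q, reply)))
```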