Maintained by: NLnet Labs

Unbound does not honor forwarder DNSSEC verification?

la9k3
Tue Mar 1 15:29:06 CET 2016


The same thing does not work for me. Can you try the configuration I
provided in my previous email to Daisuke Higashi?

On Tue, Mar 01, 2016 at 12:44:26AM -0500, Paul Wouters wrote:
> On Mon, 29 Feb 2016, la9k3 via Unbound-users wrote:
> 
> > Is there a way to make unbound honor my forwarder's dnssec validation?
> >
> > For example, I use unbound as a caching forwarder and have "." set as a
> > forwarding zone that forwards everything to Google's public DNS
> > (8.8.8.8).
> >
> > However, when I test dnssec, I get a valid reply from servers such
> > as www.dnssec-failed.org. This doesn't happen if I use Google's DNS as
> > my normal resolver, in which case I get a SERVFAIL response.
> 
> That works for me:
> 
> paul at bofh:~$ sudo service unbound restart
> Redirecting to /bin/systemctl restart  unbound.service
> paul at bofh:~$ sudo unbound-control list_forwards
> paul at bofh:~$ sudo unbound-control forward_add . 8.8.8.8
> ok
> paul at bofh:~$ cat /etc/resolv.conf 
> # Generated by NetworkManager
> search nohats.ca
> nameserver 127.0.0.1
> paul at bofh:~$ dig +dnssec www.dnssec-failed.org
> 
> ; <<>> DiG 9.10.3-P3-RedHat-9.10.3-10.P3.fc23 <<>> +dnssec
> www.dnssec-failed.org
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 14945
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;www.dnssec-failed.org.		IN	A
> 
> ;; Query time: 490 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Tue Mar 01 00:43:08 EST 2016
> ;; MSG SIZE  rcvd: 50
> 
> paul at bofh:~$
>
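As an added example (not from this thread and not NLnet Labs' or either poster's configuration, neither of which appears on this page), the unbound.conf equivalent of the forward_add command above, with Unbound's own validator enabled. Unbound does not trust the AD bit set by an upstream forwarder over an unauthenticated path; it validates signatures itself, so the SERVFAIL for www.dnssec-failed.org depends on the validator module and a trust anchor being configured locally. The trust anchor path, interface and access-control lines are assumptions that may differ per system.

```conf
# Added example: forward everything to 8.8.8.8 (as in the unbound-control
# session above) while keeping local DNSSEC validation enabled.
server:
    interface: 127.0.0.1
    access-control: 127.0.0.0/8 allow
    # The validator module must be present in module-config. Without it,
    # Unbound passes upstream answers through unvalidated no matter what
    # the forwarder itself does.
    module-config: "validator iterator"
    # Root trust anchor; Unbound keeps it current via RFC 5011 rollover.
    # Path is an assumption; create the file initially with unbound-anchor.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    # Log validation failures so a SERVFAIL can be traced to its cause.
    val-log-level: 1

forward-zone:
    name: "."
    forward-addr: 8.8.8.8
```

After a restart, `dig +dnssec www.dnssec-failed.org @127.0.0.1` should return SERVFAIL as in the quoted output, while `dig +cd +dnssec www.dnssec-failed.org @127.0.0.1` (checking disabled) returns the bogus answer, which confirms the failure comes from Unbound's own validation rather than from the forwarder.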