Maintained by: NLnet Labs

message is bogus, non secure rrset with Unbound as local caching resolver

Tony Finch
Wed Mar 2 17:58:38 CET 2016


Olav Morken via Unbound-users <unbound-users at unbound.net> wrote:
>
>   info: validate(cname): sec_status_secure
>   info: validate(positive): sec_status_secure
>   info: message is bogus, non secure rrset uninett.no. NS IN
>
> As far as I can tell, the problem here is caused by extra NS-records in
> the authority-section that do not include the RRSIG element for the
> NS-records, but I can't really say that for certain.

This sounds a lot like a problem we discussed last year. See
https://unbound.net/pipermail/unbound-users/2015-February/003757.html

As I said back then, I think it's wrong to discard the entire response if
parts of it are bogus. Unbound should keep the valid parts because it
knows there is nothing wrong with them.

Does Unbound use CD=1 when forwarding? If so, it should expect to receive
partially bogus answers and should handle them gracefully.

Tony.
-- 
f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
Trafalgar: North 4 or 5. Slight or moderate, occasionally rough later in
north. Occasional rain. Good, occasionally moderate.
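A diagnostic for the hypothesis quoted above (records in the authority section arriving without an RRSIG), as an added example that is not part of the original thread and is not Unbound's validation logic. It reads dig-style response text and lists the RRsets that have no covering RRSIG in the same section; the sample response and the `example.net` names are constructed.

```python
from collections import defaultdict

# Constructed dig-style response text (not taken from the thread).
SAMPLE = """\
;; ANSWER SECTION:
www.example.net. 300 IN CNAME host.example.net.
www.example.net. 300 IN RRSIG CNAME 8 3 300 20160401000000 20160302000000 12345 example.net. c2ln
host.example.net. 300 IN A 192.0.2.10
host.example.net. 300 IN RRSIG A 8 3 300 20160401000000 20160302000000 12345 example.net. c2ln

;; AUTHORITY SECTION:
example.net. 3600 IN NS ns1.example.net.
example.net. 3600 IN NS ns2.example.net.

;; ADDITIONAL SECTION:
ns1.example.net. 3600 IN A 192.0.2.53
"""

def parse_sections(text):
    """Return {section: [(owner, rrtype, rdata_fields), ...]} from dig-style text."""
    sections, current = defaultdict(list), None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(";;") and line.endswith("SECTION:"):
            current = line[2:].split()[0].lower()
        elif line and not line.startswith(";") and current:
            owner, _ttl, _cls, rrtype, *rdata = line.split()
            sections[current].append((owner.lower(), rrtype.upper(), rdata))
    return sections

def unsigned_rrsets(text):
    """List (section, owner, type) for RRsets with no covering RRSIG in the same section."""
    result = []
    for section, records in parse_sections(text).items():
        # An RRSIG's first rdata field is the type it covers.
        covered = {(o, rd[0].upper()) for o, t, rd in records if t == "RRSIG"}
        rrsets = {(o, t) for o, t, _ in records if t != "RRSIG"}
        for owner, rrtype in sorted(rrsets - covered):
            result.append((section, owner, rrtype))
    return result

if __name__ == "__main__":
    for section, owner, rrtype in unsigned_rrsets(SAMPLE):
        print(f"{section}: {owner} {rrtype} has no RRSIG in this response")
```

An RRset listed here is not necessarily bogus (glue in the additional section is normally unsigned); the output only shows which parts of a response a validator has no signature for when fed the text of a `dig +dnssec` query against the forwarder.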