Maintained by: NLnet Labs

message is bogus, non secure rrset with Unbound as local caching resolver

Olav Morken
Thu Mar 3 09:11:36 CET 2016


On Thu, Mar 03, 2016 at 08:58:02 +0100, Olav Morken wrote:
> On Wed, Mar 02, 2016 at 16:58:38 +0000, Tony Finch wrote:
> > Does Unbound use CD=1 when forwarding? If so, it should expect to receive
> > partially bogus answers and should handle them gracefully.
> 
> I checked, and it does set the CD-flag.

I forgot to mention this, but I also did a quick test where I patched[1]
Unbound to not set the CD-flag in its queries, and at that point DNS
resolution worked. Checking packet captures shows that BIND does not 
include the NS-records in that case.

[1] https://gist.github.com/olavmrk/f9e9c68ec2932e026b4e

Best regards,
Olav Morken
UNINETT