Maintained by: NLnet Labs

message is bogus, non secure rrset with Unbound as local caching resolver

Tony Finch
Thu Mar 3 11:49:23 CET 2016


Havard Eidnes <he at uninett.no> wrote:
>
> Come to think of it, anything you get from a recursive resolver are
> possibly cached hints, including what you get in the Answer section.

It isn't quite that bad due to the RFC 2181 trustworthiness ranking.

> > Does Unbound use CD=1 when forwarding? If so, it should expect to receive
> > partially bogus answers and should handle them gracefully.
>
> Yep, as Olav replied, and the pcaps I capture on the BIND recursor
> agrees: CD=1 is set in the forwarded queries.

CD=1 is the wrong thing when querying a forwarder. When a domain is partly
broken, queries that work with CD=0 can be forced to fail with CD=1.

Tony.
-- 
f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
Fitzroy, Sole, Lundy, Fastnet: West or northwest 5 to 7, perhaps gale 8 later.
Moderate or rough in Lundy, otherwise rough or very rough, occasionally high
later except in Fastnet. Rain or thundery showers. Good, occasionally poor.