Maintained by: NLnet Labs

message is bogus, non secure rrset with Unbound as local caching resolver

Havard Eidnes
Thu Mar 3 12:05:20 CET 2016

>> Come to think of it, anything you get from a recursive resolver are
>> possibly cached hints, including what you get in the Answer section.
> It isn't quite that bad due to the RFC 2181 trustworthiness ranking.

Mm, yes, but that predates DNSSEC (no?) and especially if the
local resolver wants to do its own DNSSEC validation, it can't
really in that context lend more credence to information received
in one section over another.  Especially if the information is
received over an unsecured channel (which it typically will be).

>> > Does Unbound use CD=1 when forwarding? If so, it should expect to receive
>> > partially bogus answers and should handle them gracefully.
>> Yep, as Olav replied, and the pcaps I capture on the BIND recursor
>> agree: CD=1 is set in the forwarded queries.
> CD=1 is the wrong thing when querying a forwarder. When a
> domain is partly broken, queries that work with CD=0 can be
> forced to fail with CD=1.

Really?  I interpreted the use of CD=1 as "I want to do my own
DNSSEC validation, and therefore don't want or need the
validation service which could be provided by the forwarder",
especially as noted above when the communication isn't secured.
It should not make much of a difference wrt. the validity of the
end result whether the forwarder or the unbound resolver does the
DNSSEC validation?


- Håvard
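
Added example, not part of the original message: a way to read the CD header bit and the EDNS0 DO bit from DNS queries taken out of a capture, to confirm what a forwarding resolver actually sends. The function names and the sample queries (built in the code for example.com) are constructed for illustration.

```python
import struct

CD_BIT = 0x0010   # Checking Disabled, header flags (RFC 4035)
RD_BIT = 0x0100   # Recursion Desired
DO_BIT = 0x8000   # DNSSEC OK, in the flags half of the OPT TTL (RFC 3225)
OPT = 41          # EDNS0 pseudo-RR type

def build_query(name, qtype=1, cd=False, do=True, txid=0x1234):
    """Constructed sample input: a query as a forwarding resolver might send it."""
    flags = RD_BIT | (CD_BIT if cd else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1 if do else 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    # OPT RR: root owner, type 41, class = UDP payload size, TTL carries DO
    opt = (b"\x00" + struct.pack("!HHIH", OPT, 4096, DO_BIT, 0)) if do else b""
    return header + qname + struct.pack("!HH", qtype, 1) + opt

def skip_name(msg, off):
    """Return the offset just past the (possibly compressed) name at off."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:      # compression pointer ends the name
            return off + 2
        off += 1 + n

def query_flags(msg):
    """Return (cd, do) for one DNS message taken from a capture."""
    if len(msg) < 12:
        raise ValueError("shorter than a DNS header")
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # QTYPE + QCLASS
    do = False
    for _ in range(an + ns + ar):              # OPT sits in the additional section
        off = skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT:
            do = bool(ttl & DO_BIT)
    return bool(flags & CD_BIT), do

if __name__ == "__main__":
    for cd in (False, True):
        print("CD=%d DO=%d" % query_flags(build_query("example.com", cd=cd)))
```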