Maintained by: NLnet Labs

message is bogus, non secure rrset with Unbound as local caching resolver

Havard Eidnes
Thu Mar 17 18:23:23 CET 2016


> But unbound is trying to set the AD flag in its reply.  And thus it
> needs all the RRsets to be secure.  Thus, the reply from the forwarder
> with CD flag becomes bogus.

Yes, I know unbound is trying to validate the answer.  However,
insisting that a recursor return all pertinent data required for
validation of the response, especially with cd=1 set in the query,
is unreasonable.

> I fixed it so that Unbound uses CD=0 to send queries to a forwarder.
> Unless a dnssec trust anchor exists above the qname, in which case CD=0
> is only attempted on the first query.

Not sure I understand what it means to have a "trust anchor exist
above the qname", but otherwise I suspect and hope this will cure
the problem.

> CD flag is still used on all queries to authorities.

Of course.

Regards,

- Håvard