Greetings,
On Mon, 17 Jun 2024 19:08:22 +0100,
J Carter wrote:
>
> It's caused by DNS cache poisoning (either intentionally, or
> unintentionally), from a recursive resolver that caches the CD bit but
> does not zero it if a non-DNSSEC query hits that cached response.
>
> I see unbound also has
Hello,
On Mon, 17 Jun 2024 10:22:24 +0100
Kirill A. Korinsky wrote:
> On Mon, 17 Jun 2024 00:21:27 +0100,
> J Carter wrote:
> >
> > Well *I* quite agree.
> >
> > I would also suggest that as DNS functionality in nginx is strictly
> > limited to resolving as client in quite a simplistic
On Mon, 17 Jun 2024 00:21:27 +0100,
J Carter wrote:
>
> Well *I* quite agree.
>
> I would also suggest that as DNS functionality in nginx is strictly
> limited to resolving as client in quite a simplistic fashion, and nginx
> does not support DNSSEC, it makes little sense to be hyper-strict about
>
Hello,
On Sun, 16 Jun 2024 10:07:28 +0100
Kirill A. Korinsky wrote:
> On Sun, 16 Jun 2024 02:45:15 +0100,
> J Carter wrote:
> >
> > Sounds familiar :)
> >
> > https://mailman.nginx.org/pipermail/nginx-devel/2022-May/YQ3MYP4VNQYWEJS3XYLPMU4HZUKS4PYF.html
>
> Unfortunately, the AD bit is set
On Sun, 16 Jun 2024 02:45:15 +0100,
J Carter wrote:
>
> Sounds familiar :)
>
> https://mailman.nginx.org/pipermail/nginx-devel/2022-May/YQ3MYP4VNQYWEJS3XYLPMU4HZUKS4PYF.html
Unfortunately, the AD bit is set by the libunbound-based resolver when it is
configured to use an upstream forwarder
On Sun, 16 Jun 2024 04:29:51 +0300
Maxim Dounin wrote:
> Hello!
>
> On Sat, Jun 15, 2024 at 12:02:28PM +0100, Kirill A. Korinsky wrote:
>
> > Greetings,
> >
> > Here is a trivial patch which allows DNS responses with enabled AD bit
> > from used resolver.
> >
> > Index: src/core/ngx_resolver.c
Hello!
On Sat, Jun 15, 2024 at 12:02:28PM +0100, Kirill A. Korinsky wrote:
> Greetings,
>
> Here is a trivial patch which allows DNS responses with enabled AD bit
> from used resolver.
>
> Index: src/core/ngx_resolver.c
> --- src/core/ngx_resolver.c.orig
> +++ src/core/ngx_resolver.c
> @@ -1774,7
Greetings,
Here is a trivial patch which allows DNS responses with enabled AD bit
from used resolver.
Index: src/core/ngx_resolver.c
--- src/core/ngx_resolver.c.orig
+++ src/core/ngx_resolver.c
@@ -1774,7 +1774,7 @@ ngx_resolver_process_response(ngx_resolver_t *r, u_cha