Re: Allow response with AD bit in resolver

2024-06-17 Thread Kirill A. Korinsky
Greetings, On Mon, 17 Jun 2024 19:08:22 +0100, J Carter wrote: > > It's caused by DNS Cache poisoning (either intentionally, or > unintentionally), from a recursive resolver that caches CD bit but > does not zero it if a non dns-sec query hits that cached response. > > I see unbound also has

Re: Allow response with AD bit in resolver

2024-06-17 Thread J Carter
Hello, On Mon, 17 Jun 2024 10:22:24 +0100 Kirill A. Korinsky wrote: > On Mon, 17 Jun 2024 00:21:27 +0100, > J Carter wrote: > > > > Well *I* quite agree. > > > > I would also suggest that as DNS functionality in nginx is strictly > > limited to resolving as client in quite a simplistic

Re: Allow response with AD bit in resolver

2024-06-17 Thread Kirill A. Korinsky
On Mon, 17 Jun 2024 00:21:27 +0100, J Carter wrote: > > Well *I* quite agree. > > I would also suggest that as DNS functionality in nginx is strictly > limited to resolving as client in quite a simplistic fashion, and nginx > does not support DNSSEC, it makes little sense to hyper-strict about >

Re: Allow response with AD bit in resolver

2024-06-16 Thread J Carter
Hello, On Sun, 16 Jun 2024 10:07:28 +0100 Kirill A. Korinsky wrote: > On Sun, 16 Jun 2024 02:45:15 +0100, > J Carter wrote: > > > > Sounds familiar :) > > > > https://mailman.nginx.org/pipermail/nginx-devel/2022-May/YQ3MYP4VNQYWEJS3XYLPMU4HZUKS4PYF.html > > Unfortunately, the AD bit is set

Re: Allow response with AD bit in resolver

2024-06-16 Thread Kirill A. Korinsky
On Sun, 16 Jun 2024 02:45:15 +0100, J Carter wrote: > > Sounds familiar :) > > https://mailman.nginx.org/pipermail/nginx-devel/2022-May/YQ3MYP4VNQYWEJS3XYLPMU4HZUKS4PYF.html Unfortunately, the AD bit is set by the libunbound-based resolver when it is configured to use an upstream forwarder

Re: Allow response with AD bit in resolver

2024-06-15 Thread J Carter
On Sun, 16 Jun 2024 04:29:51 +0300 Maxim Dounin wrote: > Hello! > > On Sat, Jun 15, 2024 at 12:02:28PM +0100, Kirill A. Korinsky wrote: > > > Greetings, > > > > Here is a trivial patch which allows DNS responses with the AD bit > > enabled from the used resolver. > > > > Index: src/core/ngx_resolver.c

Re: Allow response with AD bit in resolver

2024-06-15 Thread Maxim Dounin
Hello! On Sat, Jun 15, 2024 at 12:02:28PM +0100, Kirill A. Korinsky wrote: > Greetings, > > Here is a trivial patch which allows DNS responses with the AD bit > enabled from the used resolver. > > Index: src/core/ngx_resolver.c > --- src/core/ngx_resolver.c.orig > +++ src/core/ngx_resolver.c > @@ -1774,7

Allow response with AD bit in resolver

2024-06-15 Thread Kirill A. Korinsky
Greetings, Here is a trivial patch which allows DNS responses with the AD bit enabled from the used resolver. Index: src/core/ngx_resolver.c --- src/core/ngx_resolver.c.orig +++ src/core/ngx_resolver.c @@ -1774,7 +1774,7 @@ ngx_resolver_process_response(ngx_resolver_t *r, u_cha