Re: message is bogus, non secure rrset with Unbound as local caching resolver

2016-03-19 Thread W.C.A. Wijngaards via Unbound-users
Hi, On 04/03/16 11:39, Havard Eidnes wrote: >>> Following the "not a bug" response from the BIND maintainers >>> yesterday evening, can you please point to chapter and verse >>> mandating this behaviour for non-authoritative recursive >>> resolvers? >> >> RFC4035 3.2.3 for validators, all RRset

Re: L-Root IPv6 address renumbering

2016-03-19 Thread Robert Edmonds via Unbound-users
W.C.A. Wijngaards via Unbound-users wrote: > The sysadmin edits the root.hints file? The unbound.conf file is just > pointing to the root.hints file. I don't really see sysadmins editing > the root.hints file. Only very sporadic, perhaps, updating it > themselves. But then they have to keep doi

Re: L-Root IPv6 address renumbering

2016-03-19 Thread Dave Warren via Unbound-users
On 2016-03-16 10:46, Robert Edmonds via Unbound-users wrote: Not quite, I want to avoid two things: 1) The sysadmin should never have to update the root hints by hand. "apt update && apt upgrade" should upgrade any packages needed to bring the root hints up to date. 2) The package maintainers s

Re: L-Root IPv6 address renumbering

2016-03-19 Thread Robert Edmonds via Unbound-users
Dave Warren via Unbound-users wrote: > On 2016-03-16 10:46, Robert Edmonds via Unbound-users wrote: > >Not quite, I want to avoid two things: > > > >1) The sysadmin should never have to update the root hints by hand. > >"apt update && apt upgrade" should upgrade any packages needed to bring > >the

Re: message is bogus, non secure rrset with Unbound as local caching resolver

2016-03-19 Thread Olav Morken via Unbound-users
On 2016-03-17 15:19, W.C.A. Wijngaards via Unbound-users wrote: I fixed it so that Unbound uses CD=0 to send queries to a forwarder. Unless a dnssec trust anchor exists above the qname, in which case CD=0 is only attempted on the first query. Hi, I did a quick test here, and can confirm that t

Re: message is bogus, non secure rrset with Unbound as local caching resolver

2016-03-19 Thread Havard Eidnes via Unbound-users
> But unbound is trying to set the AD flag in its reply. And thus it > needs all the RRsets to be secure. Thus, the reply from the forwarder > with CD flag becomes bogus. Yes, I know unbound is trying to validate the answer. However, insisting that a recursor return all pertinent data required

Re: L-Root IPv6 address renumbering

2016-03-19 Thread Dave Warren via Unbound-users
On 2016-03-16 14:06, Robert Edmonds via Unbound-users wrote: Dave Warren via Unbound-users wrote: On 2016-03-16 10:46, Robert Edmonds via Unbound-users wrote: Not quite, I want to avoid two things: 1) The sysadmin should never have to update the root hints by hand. "apt update && apt upgrade"

Re: L-Root IPv6 address renumbering

2016-03-19 Thread Robert Edmonds via Unbound-users
W.C.A. Wijngaards via Unbound-users wrote: > But I think just setting the configuration option for root-hints in > unbound.conf is probably just what you want? Do you still need to be > able to set a default value for the root-hints file location, or is it > just as good to set it in unbound.conf