Re: TCP fallback on timeout

2017-04-27 Thread Paul Vixie via Unbound-users
Havard Eidnes via Unbound-users wrote:
>> Unfortunately, DNS servers aren't required to support TCP.
>
> IMHO, that is an all too commonly held misconception. Publishing name
> servers need to support TCP as well. I'm pretty sure section 4.2 of
> RFC 1035 mandates it. It doesn't use the

Re: TCP fallback on timeout

2017-04-27 Thread Havard Eidnes via Unbound-users
> Unfortunately, DNS servers aren't required to support TCP.

IMHO, that is an all too commonly held misconception. Publishing name servers need to support TCP as well. I'm pretty sure section 4.2 of RFC 1035 mandates it. It doesn't use the formal requirements keywords because it predates the

Re: Trust rules and DNSSEC signatures

2017-04-27 Thread Robert Edmonds via Unbound-users
Florian Weimer via Unbound-users wrote:
> Does Unbound use otherwise non-trustworthy data simply because it has
> valid DNSSEC signatures?
>
> I'm asking because of this recent dnsop thread:
>

Hi, Florian: It's been

Re: TCP fallback on timeout

2017-04-27 Thread Jacob Hoffman-Andrews via Unbound-users
On 04/27/2017 07:27 AM, Viktor Dukhovni via Unbound-users wrote:
> On Wed, Apr 26, 2017 at 08:14:09PM -0700, Jacob Hoffman-Andrews wrote:
>
>> I'm trying to understand Unbound's TCP fallback better. Is it expected
>> that Unbound will fall back to TCP when UDP queries time out, or only if
>> it

Re: Trust rules and DNSSEC signatures

2017-04-27 Thread Florian Weimer via Unbound-users
* Paul Wouters:
>> On Apr 27, 2017, at 08:11, Florian Weimer via Unbound-users
>> wrote:
>>
>> Does Unbound use otherwise non-trustworthy data simply because it has
>> valid DNSSEC signatures?
>>
>
> How can data be signed and validated and also "non-trustworthy"?

Re: TCP fallback on timeout

2017-04-27 Thread Viktor Dukhovni via Unbound-users
On Wed, Apr 26, 2017 at 08:14:09PM -0700, Jacob Hoffman-Andrews wrote:
> I'm trying to understand Unbound's TCP fallback better. Is it expected
> that Unbound will fall back to TCP when UDP queries time out, or only if
> it receives a truncated ANSWER?

Only when truncated, as you observed.

>

Trust rules and DNSSEC signatures

2017-04-27 Thread Florian Weimer via Unbound-users
Does Unbound use otherwise non-trustworthy data simply because it has valid DNSSEC signatures? I'm asking because of this recent dnsop thread: