Hi. I am trying to get unbound to work in a particular captive environment that provides its own resolvers. For numerous reasons I want to run my own resolver (using unbound, of course) and have it query the captive environment's resolvers.
The problem I seem to be running into, though, is that the captive environment's resolvers don't seem to answer queries that include the additional OPT RR that specifies that DNSSEC RRs are accepted. I.e., in the below decode of a query packet from Wireshark:

    Domain Name System (query)
        Transaction ID: 0xd1ba
        Flags: 0x0100 Standard query
        Questions: 1
        Answer RRs: 0
        Authority RRs: 0
        Additional RRs: 1
        Queries
            detectportal.firefox.com: type A, class IN
                Name: detectportal.firefox.com
                [Name Length: 24]
                [Label Count: 3]
                Type: A (Host Address) (1)
                Class: IN (0x0001)
        Additional records
            <Root>: type OPT
                Name: <Root>
                Type: OPT (41)
                UDP payload size: 1232
                Higher bits in extended RCODE: 0x00
                EDNS0 version: 0
                Z: 0x8000
                    1... .... .... .... = DO bit: Accepts DNSSEC security RRs
                    .000 0000 0000 0000 = Reserved: 0x0000
                Data length: 0

That Additional records -> OPT seems to be the difference between queries that the environment's resolvers will ignore and ones that they will answer.

I have already tried disabling DNSSEC validation with:

    module-config: "iterator"

but that doesn't seem to suppress that Additional RR in the query. I don't know a whole ton about DNSSEC, but it seems useless to tell the server that you are querying that you accept DNSSEC RRs if you are not going to validate, so I was hopeful that removing the validator module would achieve removing the Additional RR, but it seems it does not.

Is there any other way at all to have unbound stop sending that Additional RR so that I can at least validate my theory? Well, and leave it disabled if my theory proves out. :-)

Cheers,
b.
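The wire layout behind that decode, as an added example that is not part of the original post: the OPT RR in the additional section carries the UDP payload size in its CLASS field and the DO bit as the top bit of the 32-bit TTL field (the "Z" word). The script below builds the same query twice, once with the EDNS0 OPT RR/DO bit and once without, and a small parser reports whether a captured or constructed query carries it; the packet bytes are constructed here, nothing is sent on the network.

```python
import struct

def encode_name(name: str) -> bytes:
    # Wire-format name: length-prefixed labels, terminated by a zero octet.
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def build_query(qname: str, txid: int, edns: bool, do_bit: bool = True,
                udp_size: int = 1232) -> bytes:
    # Header: ID, flags 0x0100 (RD set), QDCOUNT=1, AN=0, NS=0, AR=1 only when EDNS is used.
    arcount = 1 if edns else 0
    msg = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)
    msg += encode_name(qname) + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    if edns:
        # OPT RR (RFC 6891): root name, TYPE 41, CLASS = requestor's UDP payload size,
        # TTL = ext-RCODE(8) | EDNS version(8) | Z(16); DO is the top bit of Z (0x8000).
        z = 0x8000 if do_bit else 0x0000
        msg += b"\x00" + struct.pack("!HHIH", 41, udp_size, z, 0)  # RDLENGTH 0
    return msg

def skip_name(msg: bytes, off: int) -> int:
    # Advance past a (possibly compressed) name and return the new offset.
    while True:
        l = msg[off]
        if l == 0:
            return off + 1
        if l & 0xC0 == 0xC0:      # compression pointer ends the name
            return off + 2
        off += 1 + l

def edns_info(msg: bytes):
    """Return (opt_present, udp_payload_size, do_bit) for a DNS message."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == 41:                         # OPT pseudo-RR
            return True, rclass, bool(ttl & 0x8000)
        off += 10 + rdlen
    return False, None, False

if __name__ == "__main__":
    for edns in (True, False):
        q = build_query("detectportal.firefox.com", 0xd1ba, edns=edns)
        print(len(q), "bytes, EDNS/DO:", edns_info(q))
```

Feeding the two byte strings to the environment's resolver over UDP (for example with a plain socket) and comparing which one gets a reply is a direct way to confirm whether the OPT RR itself, rather than the DO bit alone, is what the resolvers drop.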