Hi,

I was recently at the SFO airport, and ran into a DNS server on their free wifi that does DNSSEC stripping. Or at least, it knows about dnssec-related RRTYPEs (DNSKEY, etc.) but does not serve RRSIGs when requesting dnssec with the DO bit.

In my case, I had unbound running and configured it to use the dhcp-supplied forwarder using:

    unbound-control forward 1.2.3.4

It was just primed with the root key. There is a trust path from the root all the way down to xelerance.org. However, unbound gave me the IP without me specifying the CD bit. It logged:

    unbound: [23014:0] info: incoming scrubbed packet: ;;

I had harden-dnssec-stripped:yes

I'm not very comfortable that applications receive this potentially forged data, even if unbound returns it without the AD bit. This is more than insecure, this is "tampered with".

What is the reasoning behind this decision with unbound? Isn't harden-dnssec-stripped supposed to toggle this? Could we have an option that would ServFail data from confirmed scrubbed packets?

Paul

_______________________________________________
Unbound-users mailing list
http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
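Added example, not code from the original post or from the Unbound project: a stdlib-only Python checker for the situation Paul describes, which walks a response to a DO-bit query for a zone known to be signed (xelerance.org, taken from the post) and flags answers that carry data but no RRSIG, while also reporting whether the forwarder echoed the DO bit at all. The sample responses are constructed inline; the field layouts follow RFC 1035 and RFC 6891, and anything captured from a real forwarder would be fed to check_response() in the same way.

```python
import struct

RRSIG, OPT, A = 46, 41, 1
DO_FLAG = 0x8000  # DO bit: high bit of the flags word in the OPT RR's TTL field

def read_name(pkt, off):
    """Decode a (possibly compressed) DNS name; return (name, offset after it)."""
    labels, end, jumped = [], off, False
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:  # compression pointer: follow it, keep our end
            if not jumped:
                end = off + 2
            off, jumped = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF, True
            continue
        off += 1
        if length == 0:
            break
        labels.append(pkt[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) or ".", end if jumped else off

def check_response(pkt):
    """Inspect one DNS response to a DO-bit query for a zone known to be signed.
    'stripped' is set when data came back without any RRSIG in the answer."""
    qd, an, ns, ar = struct.unpack("!HHHH", pkt[4:12])
    off, answer_types, do_echoed = 12, [], False
    for _ in range(qd):  # skip the question section
        _, off = read_name(pkt, off)
        off += 4
    for i in range(an + ns + ar):
        _, off = read_name(pkt, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT:
            do_echoed = bool(ttl & DO_FLAG)
        elif i < an:
            answer_types.append(rtype)
    return {"answer_types": answer_types, "do_echoed": do_echoed,
            "stripped": bool(answer_types) and RRSIG not in answer_types}

def build_response(name, with_rrsig, echo_do):
    """Constructed sample response (not captured traffic) for exercising the check."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    hdr = struct.pack("!6H", 0x1234, 0x8180, 1, 2 if with_rrsig else 1, 0, 1)
    question = qname + struct.pack("!HH", A, 1)
    a_rr = b"\xc0\x0c" + struct.pack("!HHIH", A, 1, 300, 4) + bytes([192, 0, 2, 1])
    sig = b"\xc0\x0c" + struct.pack("!HHIH", RRSIG, 1, 300, 4) + b"\x00" * 4
    opt = b"\x00" + struct.pack("!HHIH", OPT, 4096, DO_FLAG if echo_do else 0, 0)
    return hdr + question + a_rr + (sig if with_rrsig else b"") + opt
```

A "stripped" verdict only means something when the query carried DO and the zone is known to be signed; a validating resolver such as unbound still has to decide what to do with such a response, which is exactly the policy question raised above.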
