Hi Paul,

On 01/07/2011 05:53 PM, Paul Wouters wrote:
>
> Hi,
>
> I was recently at the SFO airport, and ran into a DNS server on their free
> wifi that does DNSSEC stripping. Or at least, it knows about dnssec related
> RRTYPE's (DNSKEY, etc) but does not serve RRSIG's when requesting dnssec with
> the DO bit. It should servfail.
> In my case, I had unbound running and configured it to use the dhcp supplied
> forwarder using: unbound-control forward 1.2.3.4

But that statement leaves the cache intact, where a previously validated (at home or the office) RR may reside.

> It was just primed with the root key. There is a trust path from the root all
> the way down to xelerance.org. However, unbound gave me the IP without me
> specifying the CD bit. It logged:
>
> unbound: [23014:0] info: incoming scrubbed packet: ;;

If you start logging it should log lots more than that. If you get there again, it could be helpful to clear the cache and then try with logging enabled. I think you had a valid entry in the cache, that was returned, without actually sending queries at SFO.

Best regards,
Wouter
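An added example, not part of the original message: because a cached, previously validated answer can hide what the forwarder actually returns, a stripping check has to look at the forwarder's own reply to a DO=1 query for a name in a signed zone. The sketch below builds such a query and inspects a reply for RRSIGs; the function names are hypothetical and the two sample replies are constructed inline (documentation address, filler RRSIG data) so it runs offline.

```python
import struct

RRSIG, OPT = 46, 41  # RR type codes

def build_query(name, qtype=1, qid=0x1234):
    """DNS query carrying an EDNS0 OPT record with the DO bit set."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    # OPT RR: root owner, class = UDP size, TTL field = flags (0x8000 is DO)
    opt = b"\x00" + struct.pack("!HHIH", OPT, 4096, 0x00008000, 0)
    return header + qname + struct.pack("!HH", qtype, 1) + opt

def skip_name(msg, off):
    """Offset just past a name, which may end in a compression pointer."""
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:
            return off + 2
        off += 1 + n
        if n == 0:
            return off

def answer_types(msg):
    """RR types found in the answer section of a DNS message."""
    _, _, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4
    types = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        types.append(rtype)
        off += 10 + rdlen
    return types

def looks_stripped(msg):
    """True when a DO=1 query was answered with data but no RRSIG."""
    types = answer_types(msg)
    return bool(types) and RRSIG not in types

def sample_response(with_rrsig):
    """Constructed reply for xelerance.org; the RRSIG rdata is filler, not a signature."""
    rr = lambda t, rd: b"\xc0\x0c" + struct.pack("!HHIH", t, 1, 300, len(rd)) + rd
    rrs = [rr(1, bytes([192, 0, 2, 1]))] + ([rr(RRSIG, b"\x00" * 20)] if with_rrsig else [])
    question = build_query("xelerance.org")[12:-11]  # drop header and 11-byte OPT
    return struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(rrs), 0, 0) + question + b"".join(rrs)

if __name__ == "__main__":
    print(looks_stripped(sample_response(False)), looks_stripped(sample_response(True)))
```

To test a live forwarder, the bytes from `build_query` would be sent over UDP port 53 to the DHCP-supplied address and the reply passed to `looks_stripped`, bypassing the local resolver's cache.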
