message is bogus, non secure rrset with Unbound as local caching resolver
W.C.A. Wijngaards
wouter at nlnetlabs.nl
Thu Mar 3 08:43:50 UTC 2016
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Hi Havard,
On 03/03/16 09:30, Havard Eidnes wrote:
>>> A couple of responses to an 'a' query for this name follows
>>> attached below. In both cases you'll see the Authority section
>>> contains the NS RRSET but not the RRSIG covering the NS RRSET,
>>> something we're not quite sure is "right" (but have not yet
>>> found the scripture on), and which Olav suspects is triggering
>>> Unbound to be unhappy about the response.
>>
>> The "right" thing is to have RRSIGs for all elements of the
>> answer and authority sections. This is mandated by RFC4034,
>> 4035.
>
> Following the "not a bug" response from the BIND maintainers
> yesterday evening, can you please point to chapter and verse
> mandating this behaviour for non-authoritative recursive
> resolvers?
RFC4035 3.2.3 for validators, all RRsets in answer and authority
sections should be authentic ...
https://tools.ietf.org/html/rfc4035#section-3.2.3
>
> The closest I've been able to find is section 3.1.1 in RFC 4035,
> and that section only applies to authoritative name servers.
Yes and I had not counted on getting a partial referral mixed into
another reply from a forwarder.
Best regards, Wouter
>
> In the absence of any forwarding configuration, unbound always
> expects to speak with authoritative name servers, and then it makes
> sense to enforce the text from 3.1.1. However, when it uses
> forwarding it will send all its requests via one or more
> non-authoritative recursive resolvers, and then insisting on RRSig
> on all RRsets in the authoritative section no longer makes sense.
> Instead, unbound should adhere to the rule "if you need a specific
> RRset (that you've not already been given) to proceed, you had
> better ask for it explicitly".
>
> Therefore, in the absence of any contradictory quote from the
> standards, I conclude that the current behaviour of unbound in a
> forwarding setup is a bug in unbound.
>
> Best regards,
>
> - Håvard
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQIcBAEBCAAGBQJW1/lAAAoJEJ9vHC1+BF+NRUwP/A35eRI+/FxrXGJZUwfyx4QC
Ozt8pDiQ3h1ik5YLXoU85JeKOTyj7lhmdzCNvw/yzfFLSmon3F5URHor8KKGnbWn
k2mZU9Rgh+JlR1k3Dcwl9ayOtBr/1VF/lJh4tXXxgEWgUxLT7jacAGdDq0fZKlGz
42t3l+biIbUKK2oQq15/ytfZSQD6yBGndqgJjDDhEP11Kfv0QazPKGDGRyPcWe9R
XbqToc5qm7F7bl4Q8dXscGt4kQvHz6vCNAtikZHUAd1gHduQ8Bz9sKJv5LunjRFl
NXOCgRZpH81LbGzcMdzzt4tN9kEbwwxzFo1lb9s9ocsVpxs0j4AKa1D5DMU747zN
y8V0lekSz4SEu6++krdmykWIyvLc94lHudbWwvdxqqWkTuFE/g9mhMjvdQbISl9n
xlJEOP/5mFoEIZXH9x2tfH6uM/JQzQxQ1mbbQQoxY3rvy3yfDYx20iGPThmjjfnt
jIjmaGGQR0OXI5M9bSbGC1J99OLO/xNgjw5QvCAij1Y8Go870N/eyxw81cfyFZvV
QCU6lLUJKGIrexFQAGf6GxeexMFte2ZeSUyy1SR2ufP0+7pYUeUpMN01Bxswjglh
IdftX+PrPjsAChTmwZFm3r/OPPKv9ByVZKYlZQNwDujvgHdlPzQbj8KKHLlyyiGu
AEJYnq60g0PUmi+W6e3B
=1MWD
-----END PGP SIGNATURE-----
More information about the Unbound-users
mailing list