From ibc at aliax.net Fri May 3 16:40:40 2013
From: ibc at aliax.net (Iñaki Baz Castillo)
Date: Fri, 3 May 2013 14:40:40 +0200
Subject: Should DNSSEC work using udns + unbound with DNSSEC ?
Message-ID:

Hi, I've configured DNSSEC in unbound. If my udns client sends DNS
queries to this unbound, should DNSSEC work out of the box?

I assume "yes" but would like to confirm :)

Thanks a lot.

-- 
Iñaki Baz Castillo


From mjt at tls.msk.ru Fri May 3 17:20:57 2013
From: mjt at tls.msk.ru (Michael Tokarev)
Date: Fri, 03 May 2013 17:20:57 +0400
Subject: Should DNSSEC work using udns + unbound with DNSSEC ?
In-Reply-To:
References:
Message-ID: <5183B9B9.1060107@msgid.tls.msk.ru>

03.05.2013 16:40, Iñaki Baz Castillo wrote:
> Hi, I've configured DNSSEC in unbound. If my udns client sends DNS
> queries to this unbound, should DNSSEC work out of the box?

Yes it works. But it does not do validation itself, it relies on the
actual (recursive) nameserver to do so.

The only thing needed on the (dumb) client side is to set the appropriate
bit on the query, -- telling that the recursive resolver should do DNSSEC
validation. This can be enabled on a per-query basis and a per-invocation basis,
using query flags. The client should also verify that the answer has the
appropriate bit (AD) set too, -- but this is _not_ done by the library,
because the application may handle this situation differently.

The dnsget utility has a -o dnssec option for that. It does not verify the presence
of the AD bit, it just prints out the result received from the nameserver.

Regards,

/mjt


From ibc at aliax.net Fri May 3 18:08:42 2013
From: ibc at aliax.net (Iñaki Baz Castillo)
Date: Fri, 3 May 2013 16:08:42 +0200
Subject: Should DNSSEC work using udns + unbound with DNSSEC ?
In-Reply-To: <5183B9B9.1060107@msgid.tls.msk.ru>
References: <5183B9B9.1060107@msgid.tls.msk.ru>
Message-ID:

2013/5/3 Michael Tokarev :
> 03.05.2013 16:40, Iñaki Baz Castillo wrote:
>> Hi, I've configured DNSSEC in unbound. If my udns client sends DNS
>> queries to this unbound, should DNSSEC work out of the box?
>
> Yes it works. But it does not do validation itself, it relies on the
> actual (recursive) nameserver to do so.

Yep, sure.

> The only thing needed on the (dumb) client side is to set the appropriate
> bit on the query, -- telling that the recursive resolver should do DNSSEC
> validation. This can be enabled on a per-query basis and a per-invocation basis,
> using query flags. The client should also verify that the answer has the
> appropriate bit (AD) set too, -- but this is _not_ done by the library,
> because the application may handle this situation differently.
>
> The dnsget utility has a -o dnssec option for that. It does not verify the presence
> of the AD bit, it just prints out the result received from the nameserver.

Wow! In my case I just enabled DNSSEC in Unbound and then tested my
udns-based client, and it works out of the box (that is, I query for a
DNSSEC-invalid domain "badsign-A.test.dnssec-tools.org" and I get
"dns_error_tempfail" from Unbound, without enabling such a flag).
Maybe Unbound forces DNSSEC regardless of whether such a flag is present
in the client query?

Thanks a lot.

-- 
Iñaki Baz Castillo
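The two bits Michael's reply turns on, at the wire level, as an added example that is not udns or Unbound code and not part of the thread: the query carries the EDNS0 DO flag (what udns's "dnssec" query option asks for) and optionally CD, and the answer is classified from its header the way a DNSSEC-aware client should do it itself, since the library does not check AD for you. A SERVFAIL answer is what a validating resolver returns for data that fails validation, which is the "tempfail" Iñaki saw; NOERROR with AD set means the resolver validated the data; NOERROR without AD means the zone is unsigned or nothing was validated. The UDP payload size (1232) and the response headers in main() are constructed values chosen for the example. One caveat a practitioner should keep in mind: AD is only an assertion by the resolver, so it is worth trusting only over a path an attacker cannot inject into (loopback to your own Unbound, or an authenticated transport); a spoofed UDP answer can set AD just as easily.

```c
/* Added example: minimal DNS wire helpers for the DO (query) and AD (answer) bits.
   Not udns code; udns builds and parses packets for you, this shows what it carries. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DNS_FLAG_QR 0x8000
#define DNS_FLAG_RD 0x0100
#define DNS_FLAG_AD 0x0020   /* Authenticated Data: resolver validated the answer */
#define DNS_FLAG_CD 0x0010   /* Checking Disabled: return data even if validation fails */
#define DNS_RCODE_MASK 0x000F
#define RCODE_NOERROR 0
#define RCODE_SERVFAIL 2
#define RCODE_NXDOMAIN 3
#define EDNS_DO 0x8000       /* DNSSEC OK: high bit of the OPT RR's "TTL" field (RFC 6891) */
#define EDNS_UDPSIZE 1232    /* assumed UDP payload size for the example */
#define TYPE_OPT 41

enum answer_status {
    ANS_BAD_PACKET,   /* too short, or not a response at all */
    ANS_TEMPFAIL,     /* SERVFAIL: what a validating resolver returns for bogus data */
    ANS_SECURE,       /* NOERROR/NXDOMAIN with AD set */
    ANS_UNVALIDATED,  /* NOERROR/NXDOMAIN without AD: unsigned zone or no validation */
    ANS_OTHER_ERROR   /* any other RCODE (REFUSED, FORMERR, ...) */
};

static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static uint16_t get16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Encode a dotted name as length-prefixed labels; returns bytes written, 0 on error. */
static size_t encode_name(const char *name, uint8_t *out, size_t cap) {
    size_t pos = 0;
    while (*name) {
        const char *dot = strchr(name, '.');
        size_t len = dot ? (size_t)(dot - name) : strlen(name);
        if (len == 0 || len > 63 || pos + 1 + len + 1 > cap) return 0;
        out[pos++] = (uint8_t)len;
        memcpy(out + pos, name, len);
        pos += len;
        name += len;
        if (*name == '.') name++;
    }
    if (pos + 1 > cap) return 0;
    out[pos++] = 0;   /* root label terminates the name */
    return pos;
}

/* Build a recursive query for name/qtype. With do_bit, append an EDNS0 OPT RR
   carrying DO so the resolver applies DNSSEC; with cd_bit, set CD in the header.
   Returns the packet length, or 0 if buf is too small or the name is invalid. */
size_t build_query(uint8_t *buf, size_t cap, uint16_t id, const char *name,
                   uint16_t qtype, int do_bit, int cd_bit) {
    if (cap < 12) return 0;
    memset(buf, 0, 12);
    put16(buf, id);
    put16(buf + 2, DNS_FLAG_RD | (cd_bit ? DNS_FLAG_CD : 0));
    put16(buf + 4, 1);                              /* QDCOUNT */
    size_t n = encode_name(name, buf + 12, cap - 12);
    if (n == 0) return 0;
    size_t pos = 12 + n;
    if (pos + 4 > cap) return 0;
    put16(buf + pos, qtype);
    put16(buf + pos + 2, 1);                        /* class IN */
    pos += 4;
    if (do_bit) {
        if (pos + 11 > cap) return 0;
        put16(buf + 10, 1);                         /* ARCOUNT: the OPT pseudo-RR */
        buf[pos++] = 0;                             /* owner name: root */
        put16(buf + pos, TYPE_OPT);     pos += 2;
        put16(buf + pos, EDNS_UDPSIZE); pos += 2;   /* CLASS field = UDP payload size */
        buf[pos++] = 0;                             /* extended RCODE */
        buf[pos++] = 0;                             /* EDNS version 0 */
        put16(buf + pos, EDNS_DO);      pos += 2;   /* flags: DO */
        put16(buf + pos, 0);            pos += 2;   /* RDLENGTH: no options */
    }
    return pos;
}

/* Classify a response from its header before trusting any record in it:
   the resolver validated, the client still has to look at AD. */
enum answer_status classify_answer(const uint8_t *pkt, size_t len) {
    if (len < 12) return ANS_BAD_PACKET;
    uint16_t flags = get16(pkt + 2);
    if (!(flags & DNS_FLAG_QR)) return ANS_BAD_PACKET;
    int rcode = flags & DNS_RCODE_MASK;
    if (rcode == RCODE_SERVFAIL) return ANS_TEMPFAIL;
    if (rcode != RCODE_NOERROR && rcode != RCODE_NXDOMAIN) return ANS_OTHER_ERROR;
    return (flags & DNS_FLAG_AD) ? ANS_SECURE : ANS_UNVALIDATED;
}

int main(void) {
    uint8_t q[512];
    size_t n = build_query(q, sizeof q, 0x1234, "badsign-A.test.dnssec-tools.org", 1, 1, 0);
    printf("query with DO: %zu bytes\n", n);
    /* Constructed response headers: id 0x1234, QR|RD|RA plus the bit or RCODE under test. */
    const uint8_t servfail[12] = {0x12, 0x34, 0x81, 0x82, 0, 1, 0, 0, 0, 0, 0, 0};
    const uint8_t secure[12]   = {0x12, 0x34, 0x81, 0xa0, 0, 1, 0, 1, 0, 0, 0, 0};
    const uint8_t plain[12]    = {0x12, 0x34, 0x81, 0x80, 0, 1, 0, 1, 0, 0, 0, 0};
    printf("servfail -> %d, AD set -> %d, no AD -> %d\n",
           classify_answer(servfail, 12), classify_answer(secure, 12),
           classify_answer(plain, 12));
    return 0;
}
```

Sending CD alongside DO is the way to get the bogus records back instead of SERVFAIL when you want to inspect them; a client that does that must then treat AD as the only signal that validation happened.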