Should DNSSEC work using udns + unbound with DNSSEC ?
Iñaki Baz Castillo
ibc at aliax.net
Fri May 3 18:08:42 MSK 2013
2013/5/3 Michael Tokarev <mjt at tls.msk.ru>:
> 03.05.2013 16:40, Iñaki Baz Castillo wrote:
>> Hi, I've configured DNSSEC in unbound. If my udns client sends DNS
>> queries to this unbound, should DNSSEC work out of the box?
>
> Yes it works. But it does not do validation itself, it relies on the
> actual (recursive) nameserver to do so.
Yep, sure.
> The only thing needed on the (dumb) client side is to set the appropriate
> bit on the query, -- telling that the recursive resolver should do DNSSEC
> validation. This can be enabled on a per-query basis and a per-invocation basis,
> using query flags. The client should also verify that the answer has the
> appropriate bit (AD) set too, -- but this is _not_ done by the library,
> because the application may handle this situation differently.
>
> dnsget utility has -o dnssec option for that. It does not verify the presence
> of the AD bit, it just prints out the result received from the nameserver.
Wow! In my case I just enabled DNSSEC in Unbound and then tested my
udns based client, and it works out of the box (that is, I query for a
DNSSEC-invalid domain "badsign-A.test.dnssec-tools.org" and I get
"dns_error_tempfail" from Unbound) without enabling such a flag.
Maybe Unbound forces DNSSEC even if such a flag is not present in
the client query?
Thanks a lot.
--
Iñaki Baz Castillo
<ibc at aliax.net>
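Added example, not code from the udns project or from either poster: a self-contained C program showing the two client-side pieces the reply describes, the "appropriate bit" on the query and the AD check on the answer. The bit is the DO flag, carried in the EDNS0 OPT record (RFC 6891) rather than in the plain header, so the builder appends an OPT RR with DO set. The classifier reads the reply header: a validating resolver such as Unbound answers SERVFAIL when data fails validation (which udns surfaces as a tempfail), sets AD when it validated the answer, and sets neither for an unsigned name. Function and constant names (build_dnssec_query, dnssec_status, the DS_* enum) are my own, not udns API; the reply bytes are constructed inline and nothing is sent on the network.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Header flag bits in the second 16-bit word (RFC 1035, RFC 4035). */
#define FLAG_QR        0x8000
#define FLAG_RD        0x0100
#define FLAG_AD        0x0020
#define RCODE_MASK     0x000F
#define RCODE_SERVFAIL 2
/* DO bit: high bit of the 16-bit flags field inside the OPT RR TTL (RFC 6891). */
#define EDNS_DO_HI     0x80

enum dnssec_status { DS_MALFORMED = -1, DS_BOGUS = 0, DS_SECURE = 1, DS_INSECURE = 2 };

/* Write a type-A/IN query for qname with RD set and an OPT RR whose DO bit is set.
 * Returns the packet length, or -1 if qname is invalid or buf is too small. */
int build_dnssec_query(uint8_t *buf, size_t buflen, uint16_t id, const char *qname)
{
    size_t pos = 12;
    const char *p = qname;
    if (buflen < pos) return -1;
    buf[0] = id >> 8;  buf[1] = id & 0xff;
    buf[2] = FLAG_RD >> 8; buf[3] = FLAG_RD & 0xff;
    buf[4] = 0;  buf[5] = 1;  /* QDCOUNT = 1 */
    buf[6] = 0;  buf[7] = 0;  /* ANCOUNT */
    buf[8] = 0;  buf[9] = 0;  /* NSCOUNT */
    buf[10] = 0; buf[11] = 1; /* ARCOUNT = 1: the OPT RR */
    /* Encode the dotted name as length-prefixed labels. */
    while (*p) {
        const char *dot = strchr(p, '.');
        size_t len = dot ? (size_t)(dot - p) : strlen(p);
        if (len == 0 || len > 63 || pos + 1 + len > buflen) return -1;
        buf[pos++] = (uint8_t)len;
        memcpy(buf + pos, p, len);
        pos += len;
        if (!dot) break;
        p = dot + 1;
    }
    if (pos + 1 + 4 + 11 > buflen) return -1;
    buf[pos++] = 0;                           /* root label ends QNAME */
    buf[pos++] = 0; buf[pos++] = 1;           /* QTYPE A */
    buf[pos++] = 0; buf[pos++] = 1;           /* QCLASS IN */
    buf[pos++] = 0;                           /* OPT RR owner: root */
    buf[pos++] = 0; buf[pos++] = 41;          /* TYPE OPT */
    buf[pos++] = 0x10; buf[pos++] = 0;        /* CLASS = UDP payload size 4096 */
    buf[pos++] = 0;                           /* extended RCODE */
    buf[pos++] = 0;                           /* EDNS version 0 */
    buf[pos++] = EDNS_DO_HI; buf[pos++] = 0;  /* flags: DO = 1 */
    buf[pos++] = 0; buf[pos++] = 0;           /* RDLEN 0 */
    return (int)pos;
}

/* Classify a reply header from a validating resolver:
 * SERVFAIL -> data failed validation (or another server failure),
 * AD set   -> the resolver validated the answer as secure,
 * otherwise the name is unsigned or the resolver did not validate. */
enum dnssec_status dnssec_status(const uint8_t *resp, size_t len, uint16_t expect_id)
{
    uint16_t id, flags;
    if (len < 12) return DS_MALFORMED;
    id = (uint16_t)((resp[0] << 8) | resp[1]);
    flags = (uint16_t)((resp[2] << 8) | resp[3]);
    if (id != expect_id || !(flags & FLAG_QR)) return DS_MALFORMED;
    if ((flags & RCODE_MASK) == RCODE_SERVFAIL) return DS_BOGUS;
    return (flags & FLAG_AD) ? DS_SECURE : DS_INSECURE;
}

int main(void)
{
    uint8_t q[512];
    int n = build_dnssec_query(q, sizeof q, 0x1234, "example.com");
    /* Constructed reply headers (12 bytes each; the body is irrelevant to the flag check). */
    static const uint8_t secure[12]   = {0x12, 0x34, 0x81, 0xa0, 0, 1, 0, 1, 0, 0, 0, 1};
    static const uint8_t insecure[12] = {0x12, 0x34, 0x81, 0x80, 0, 1, 0, 1, 0, 0, 0, 1};
    static const uint8_t bogus[12]    = {0x12, 0x34, 0x81, 0x82, 0, 1, 0, 0, 0, 0, 0, 1};
    printf("query length %d, OPT flags high byte 0x%02x\n", n, q[36]);
    printf("secure=%d insecure=%d bogus=%d\n",
           dnssec_status(secure, sizeof secure, 0x1234),
           dnssec_status(insecure, sizeof insecure, 0x1234),
           dnssec_status(bogus, sizeof bogus, 0x1234));
    return 0;
}
```

The classifier deliberately treats SERVFAIL as "bogus or failed" rather than inspecting further: from the stub's point of view the two are indistinguishable, which is exactly why a client that wants to tell a validation failure from an outage has to be talking to a resolver it trusts, and why the AD bit alone is only meaningful over a trusted path to that resolver.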