Michael Ströder wrote:
We're currently testing DNSSEC validation with libunbound 1.5.3 with all the RRs retrieved through a pdns-recursor (also tested 3.7.2). It seems that
1. libunbound does not explicitly retrieve the RRSIG RRs and
2. pdns-recursor does not return them when not explicitly requested (qtype ANY). (Explicitly requesting RRSIG works.)
=> validation in libunbound fails

Did further testing with python-unbound (thin wrapper module on top of libunbound) with a simple script almost equal to this:
http://www.unbound.net/documentation/pyunbound/examples/example4.html

Looking at PCAP dumps with Wireshark, the requests sent by libunbound contain the DO bit:
1... .... .... .... = DO bit: Accepts DNSSEC security RRs

It seems to me that unbound and Google's 8.8.8.8 therefore return RRSIG RRs while pdns-recursor does not.

I have to admit that looking at [1] rather confuses me. ;-)

Sniffing the outgoing requests sent by pdns-recursor, the DO bit is missing. Obviously the DNS servers then do not respond with RRSIG RRs.

Ciao, Michael.

[1] http://tools.ietf.org/html/rfc4035#section-3.2.1
_______________________________________________
Pdns-users mailing list
[email protected]
http://mailman.powerdns.com/mailman/listinfo/pdns-users
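The mail above boils down to one question: does a given resolver send (and honour) the EDNS0 DO bit, and does it return RRSIG RRs in the answer section when it is set? The following diagnostic is an added example written for this thread; it is not code from the poster, from PowerDNS, or from the unbound/pyunbound project. It builds a raw DNS query with an OPT RR, with or without the DO bit, and parses the reply far enough to list the record types per section, so that the two cases the poster compared (libunbound vs. pdns-recursor, DO set vs. missing) can be checked directly. The function names, the resolver address 127.0.0.1 and the sample reply in build_sample_response are assumptions made for the example; the sample reply is constructed here, not a capture, and its RRSIG signature bytes are dummy zeros.

```python
"""Check whether a resolver returns RRSIG RRs depending on the EDNS0 DO bit.
Added example for the pdns-users thread; assumed names, constructed sample data."""
import socket
import struct

TYPE_A, TYPE_OPT, TYPE_RRSIG = 1, 41, 46
CLASS_IN = 1
# DO bit: high bit of the 16-bit flags in the OPT RR's TTL field (RFC 4035 3.2.1, RFC 6891)
EDNS_DO = 0x8000


def encode_name(name):
    """Wire-format a dotted name: 'example.com.' -> b'\\x07example\\x03com\\x00'."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qtype=TYPE_A, do=True, txid=0x1234):
    """DNS query with RD set and one OPT RR in the additional section.
    do=True sets the DO bit, which is what asks a resolver to include RRSIG RRs."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD, 1 question, 1 additional
    question = encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)
    ttl_field = EDNS_DO if do else 0  # extended RCODE 0, version 0, flags
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, ttl_field, 0)  # root owner, UDP size 4096
    return header + question + opt


def read_name(msg, off):
    """Decode a (possibly compressed) name at msg[off]; return (name, offset after it)."""
    labels, jumped, end = [], False, None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if jumped else off)


def parse_response(msg):
    """Return record types per section plus whether the OPT RR carries DO and the header has AD."""
    _txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = read_name(msg, off)
        off += 4  # QTYPE + QCLASS
    sections, do = {}, False
    for sec, count in (("answer", an), ("authority", ns), ("additional", ar)):
        types = []
        for _ in range(count):
            _, off = read_name(msg, off)
            rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10 + rdlen
            types.append(rtype)
            if rtype == TYPE_OPT and ttl & EDNS_DO:
                do = True
        sections[sec] = types
    return {"answer_types": sections["answer"], "additional_types": sections["additional"],
            "do": do, "ad": bool(flags & 0x0020)}


def rrsig_present(msg):
    """True if the answer section contains at least one RRSIG RR."""
    return TYPE_RRSIG in parse_response(msg)["answer_types"]


def build_sample_response(with_rrsig=True, txid=0x1234):
    """Constructed reply (not a capture): A for example.com., optionally an RRSIG, plus OPT with DO.
    Owner names use a compression pointer to the question name at offset 12."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 2 if with_rrsig else 1, 0, 1)  # QR RD RA
    question = encode_name("example.com.") + struct.pack("!HH", TYPE_A, CLASS_IN)
    owner = b"\xc0\x0c"
    a_rr = owner + struct.pack("!HHIH", TYPE_A, CLASS_IN, 300, 4) + bytes([192, 0, 2, 1])
    # RRSIG RDATA: type covered, algorithm, labels, original TTL, expiration, inception, key tag,
    # signer name, signature (dummy zero bytes here)
    rrsig_rdata = (struct.pack("!HBBIIIH", TYPE_A, 13, 2, 300, 0x5EFF0000, 0x5EF00000, 12345)
                   + encode_name("example.com.") + b"\x00" * 64)
    rrsig_rr = owner + struct.pack("!HHIH", TYPE_RRSIG, CLASS_IN, 300, len(rrsig_rdata)) + rrsig_rdata
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, EDNS_DO, 0)
    return header + question + a_rr + (rrsig_rr if with_rrsig else b"") + opt


def query_resolver(server, name, do=True, timeout=3.0):
    """Send the query over UDP and return the raw reply (needs a reachable resolver)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, do=do), (server, 53))
        return s.recv(4096)


if __name__ == "__main__":
    for do in (True, False):  # compare the resolver's behaviour with and without DO
        info = parse_response(query_resolver("127.0.0.1", "example.com.", do=do))
        print(f"DO sent={do}: RRSIG in answer={TYPE_RRSIG in info['answer_types']}, "
              f"DO echoed={info['do']}, AD={info['ad']}")
```

Point the `__main__` loop at the pdns-recursor and at unbound in turn: a resolver that honours DO should list type 46 in the answer section only when DO was sent, and a validating resolver additionally sets AD. Running the same pair of queries against the recursor's upstream (tcpdump on the outgoing side) shows whether the DO bit is being forwarded, which is what the poster observed to be missing.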
