Re: message is bogus, non secure rrset with Unbound as local caching resolver

2016-03-19 Thread Olav Morken via Unbound-users
On 2016-03-17 15:19, W.C.A. Wijngaards via Unbound-users wrote: I fixed it so that Unbound uses CD=0 to send queries to a forwarder. Unless a dnssec trust anchor exists above the qname, in which case CD=0 is only attempted on the first query. Hi, I did a quick test here, and can confirm that

Re: message is bogus, non secure rrset with Unbound as local caching resolver

2016-03-03 Thread Olav Morken via Unbound-users
On Wed, Mar 02, 2016 at 21:14:56 +0100, W.C.A. Wijngaards via Unbound-users wrote: > However, I think it is not unreasonable to extend the compatibility > code in Unbound for this. The error that Olav quotes is simply > Unbound enforcing that 'all RRsets MUST validate' rule, telling you > which

Re: message is bogus, non secure rrset with Unbound as local caching resolver

2016-03-03 Thread Olav Morken via Unbound-users
On Thu, Mar 03, 2016 at 08:58:02 +0100, Olav Morken wrote: > On Wed, Mar 02, 2016 at 16:58:38 +, Tony Finch wrote: > > Does Unbound use CD=1 when forwarding? If so, it should expect to receive > > partially bogus answers and should handle them gracefully. > > I checked, and it does set the

Re: message is bogus, non secure rrset with Unbound as local caching resolver

2016-03-03 Thread Olav Morken via Unbound-users
On Wed, Mar 02, 2016 at 16:42:01 +0100, Olav Morken wrote: > On Wed, Mar 02, 2016 at 08:45:11 -0500, Casey Deccio wrote: > > On Wed, Mar 2, 2016 at 6:39 AM, Olav Morken via Unbound-users < > > unbound-users@unbound.net> wrote: > > > > > sorry for the rath

Re: message is bogus, non secure rrset with Unbound as local caching resolver

2016-03-02 Thread Olav Morken via Unbound-users
On Wed, Mar 02, 2016 at 16:58:38 +, Tony Finch wrote: > Olav Morken via Unbound-users <unbound-users@unbound.net> wrote: > > > > info: validate(cname): sec_status_secure > > info: validate(positive): sec_status_secure > > info: message is bogus

Re: message is bogus, non secure rrset with Unbound as local caching resolver

2016-03-02 Thread Olav Morken via Unbound-users
On Wed, Mar 02, 2016 at 10:47:13 -0500, Paul Wouters wrote: > On Wed, 2 Mar 2016, Olav Morken via Unbound-users wrote: > > >Unfortunately, the BIND server only tends to return responses where the > >authority-section has NS-records but no RRSIG-record during the night.

Re: message is bogus, non secure rrset with Unbound as local caching resolver

2016-03-02 Thread Olav Morken via Unbound-users
On Wed, Mar 02, 2016 at 08:45:11 -0500, Casey Deccio wrote: > On Wed, Mar 2, 2016 at 6:39 AM, Olav Morken via Unbound-users < > unbound-users@unbound.net> wrote: > > > sorry for the rather longwinded email. In the interest of saving some > > time, here is a short

message is bogus, non secure rrset with Unbound as local caching resolver

2016-03-02 Thread Olav Morken via Unbound-users
Hi, sorry for the rather longwinded email. In the interest of saving some time, here is a short summary: We get the error "message is bogus, non secure rrset" from Unbound in some cases when resolving a wildcard CNAME record. The cause appears to be an upstream BIND resolver that in some